lib:ldb:tools: Do not leak memory in ldb_cmdline_process_internal()
If add_control() hasn't been called before, it will be NULL. Use ret as
the context to allocate memory on.
Direct leak of 110 byte(s) in 1 object(s) allocated from:
#0 0x7fc1b5921c2b in malloc (/lib64/libasan.so.8+0x121c2b) (BuildId: 388ee9ac193f74c177c6f52988d2d0dab110de41)
#1 0x7fc1b56ed6a0 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7fc1b56ee9e8 in __talloc ../../lib/talloc/talloc.c:825
#3 0x7fc1b56ee9e8 in __talloc_strlendup ../../lib/talloc/talloc.c:2454
#4 0x7fc1b56ee9e8 in talloc_strdup ../../lib/talloc/talloc.c:2470
#5 0x7fc1b5f1ad18 in ldb_cmdline_process_internal ../../lib/ldb/tools/cmdline.c:389
#6 0x7fc1b5f1b53c in ldb_cmdline_process ../../lib/ldb/tools/cmdline.c:544
#7 0x000000202a19 in main ../../lib/ldb/tools/ldbdel.c:97
#8 0x7fc1b542b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
#9 0x7ffdced96847 ([stack]+0x38847)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Oct 22 09:25:35 UTC 2025 on atb-devel-224
Direct leak of 376 byte(s) in 1 object(s) allocated from:
#0 0x7ff48b520b4b (/lib64/libasan.so.8+0x120b4b) (BuildId: 388ee9ac193f74c177c6f52988d2d0dab110de41)
#1 0x7ff48bb079d3 in _talloc_realloc ../../lib/talloc/talloc.c:2035
#2 0x7ff48bb0824c in _talloc_realloc_array ../../lib/talloc/talloc.c:2810
#3 0x00000021ab91 in wbinfo_xids_to_sids ../../nsswitch/wbinfo.c:1122
#4 0x00000021ab91 in main ../../nsswitch/wbinfo.c:3065
#5 0x7ff48842b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
#6 0x7ffd3dc6866e ([stack]+0x2066e)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
lib:replace: Implement setproctitle() based on PRCTL_MM_MAP
This should work on Linux. It requires CAP_SYS_RESOURCE, but our daemons
run as root anyway.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Oct 22 08:03:35 UTC 2025 on atb-devel-224
Douglas Bagnall [Wed, 3 Sep 2025 02:20:24 +0000 (14:20 +1200)]
CVE-2025-10230: s4:wins: restrict names fed to shell
If the "wins hook" smb.conf parameter is set, the WINS server will
attempt to execute that value in a shell command line when a client
asks to modify a name. The WINS system is a trusting one, and clients
can claim any NETBIOS name they wish.
With the source3 nmbd WINS server (since the 1999 commit now called 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7) the wins hook will not be
run for names that contain shell metacharacters. This restriction has
not been present on the source4 nbt WINS server, which is the WINS
server that will be used in the event that an Active Directory Domain
Controller is also running WINS.
This allowed an unauthenticated client to execute arbitrary commands
on the server.
This commit brings the nmbd check into the nbt WINS server, so that
the wins hook will only be run for names that contain only letters,
digits, hyphens, underscores and periods. This matches the behaviour
described in the smb.conf man page.
The source3 nmbd WINS server has another layer of protection, in that
it uses the smb_run() exec wrapper that tries to escape arguments. We
don't do that here.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Oct 21 19:43:25 UTC 2025 on atb-devel-224
Douglas Bagnall [Tue, 9 Sep 2025 01:36:16 +0000 (13:36 +1200)]
CVE-2025-10230: s4/tests: check that wins hook sanitizes names
An smb.conf can contain a 'wins hook' parameter, which names a script
to run when a WINS name is changed. The man page says
    The second argument is the NetBIOS name. If the name is not a
    legal name then the wins hook is not called. Legal names contain
    only letters, digits, hyphens, underscores and periods.
but it turns out the legality check is not performed if the WINS
server in question is the source4 nbt one. It is not expected that
people will run this server, but they can. This is bad because the
name is passed unescaped into a shell command line, allowing command
injection.
For this test we don't care whether the WINS server is returning an
error code, just whether it is running the wins hook. The tests show
it often runs the hook it shouldn't, though some characters are
incidentally blocked because the name has to fit in a DN before it
gets to the hook, and DNs have a few syntactic restrictions (e.g.,
blocking '<', '>', and ';').
The source3 WINS server that is used by Samba when not run as a DC is
not affected and not here tested.
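The name check that the two CVE-2025-10230 commit messages above describe, as an added example (not code from the Samba tree). The helper names, the simplified "<hook> <op> <name>" layout, the placeholder hook path and the rejection of empty names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Samba's function): true only if every byte is an
 * ASCII letter, digit, hyphen, underscore or period; locale-independent. */
static bool wins_hook_name_is_legal(const char *name)
{
	const unsigned char *p;
	if (name == NULL || name[0] == '\0') {
		return false; /* rejecting empty names is this example's choice */
	}
	for (p = (const unsigned char *)name; *p != '\0'; p++) {
		bool alnum = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
			     (*p >= '0' && *p <= '9');
		if (!alnum && strchr("-_.", *p) == NULL) {
			return false;
		}
	}
	return true;
}

/* Hypothetical helper: format "<hook> <op> <name>" (simplified layout) only
 * for legal names. Returns 0 on success, -1 if the name is rejected or the
 * buffer is too small; on -1 the caller must not run the hook. */
static int build_wins_hook_cmd(char *buf, size_t len, const char *hook,
			       const char *op, const char *name)
{
	int n;
	if (!wins_hook_name_is_legal(name)) {
		return -1;
	}
	n = snprintf(buf, len, "%s %s %s", hook, op, name);
	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
	/* Constructed sample names, not taken from the commits. */
	const char *names[] = { "FILESRV-01", "print_q.lab", "a;b", "a b", "a$b" };
	char cmd[128];
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		int rc = build_wins_hook_cmd(cmd, sizeof(cmd), "/path/to/hook", "add", names[i]);
		printf("%-12s -> %s\n", names[i], rc == 0 ? cmd : "hook not run");
	}
	return 0;
}
```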
We don't really need "fsp" and "smb_fname_src" arguments anymore
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Oct 21 18:35:59 UTC 2025 on atb-devel-224
With SMB_VFS_RENAME_STREAM and the src parent fsp and src relname
available, we can save a lot of string handling in
rename_internals_fsp(). Subsequent patches will remove a lot of code
that's no longer used after this patch.
Better look at the result than the patch for review.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
[MS-FSA] 2.1.5.15.12.1 Algorithm for Performing Stream Rename
is simpler and different enough from renaming a file or directory that I
believe a separate VFS operation is justified instead of tunneling it
through the renameat call. For example it's only possible to rename
streams within a file, so only one stream open fsp and a newname which
is guaranteed to be a stream name is necessary.
Add stub implementations to our streams modules, to be filled later.
Signed-off-by: Volker Lendecke <vl@samba.org>
vfs_streams_xattr: rename_streams
Reviewed-by: Ralph Boehme <slow@samba.org>
Avoid calling parent_pathref() in hardlink_internals. All but one
callers have the required information anyway. Unfortunately the one
that does not have it is the SMB2 one. So for SMB2+ this is not a real
optimization, but in some distant future we might have a dirfsp
attached to every fsp, so this might at some point also solve itself.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We call filename_convert_dirfsp() on the old name. Use the parsing
done there, we don't need to scan for a ":" in reply_ntrename() where
filename_convert_dirfsp() already does it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
See the comment at the top of this patch for a description of the data
format.
The lower-level xattr_multi routines now take the raw stream name
instead of the xattr name because they have to build up the real xattr
name attached to the file themselves.
The patch is a bit larger than I would like it, but the mechanics in
the _multi() routines don't make sense in isolation, and the rest is
mostly handling the raw_stream_name instead of the xattr_name.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
streams_xattr always appends a '\0'. We'll start to add meaning to
that byte and check it soon, so make the hand-crafted stream follow
that convention.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Oct 20 10:59:03 UTC 2025 on atb-devel-224
in a Spotlight query produces the following log message:
map_fts: Mapping fts [757378800] unexpected op [~]
However, when
elasticsearch:ignore unknown attribute = yes
is set, the parser will ignore the failed expression and continue
parsing given the expression is part of a larger expression like
"subexpression1 OR subexpression2". Avoid spamming the log and reduce
the loglevel when we hit this case.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Oct 17 12:16:23 UTC 2025 on atb-devel-224
Martin Schwenke [Thu, 16 Oct 2025 02:54:22 +0000 (13:54 +1100)]
ctdb-scripts: Avoid failing updateip when IP is not assigned
There is no use failing this when it could behave more like takeip.
Use old interface of "__none__" as a hint that ctdbd doesn't think the
IP is assigned either. In this case print a warning instead of an
error. Take some care to avoid spurious errors in updateip.
After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux). This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.
Reported-by: Bailey Allison <ballison@45drives.com>
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Oct 17 06:28:30 UTC 2025 on atb-devel-224
Martin Schwenke [Wed, 15 Oct 2025 23:42:22 +0000 (10:42 +1100)]
ctdb-tests: Add an event script unit test for updateip
This illustrates the current failure where an unassigned public IP
address causes updateip to fail.
After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux). This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.
Martin Schwenke [Wed, 15 Oct 2025 21:17:44 +0000 (08:17 +1100)]
ctdb-daemon: Fix a crash due to a failed updateip
This should really be a takeip. However, CTDB's weak check of the IP
address state (using bind(2)) incorrectly indicates that the IP
address is assigned to an interface so it is converted to an updateip.
After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux). This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.
This commit fixes a situation in which vfs_streams_xattr could
write uninitialized memory into alternate data streams if the
user writes to an offset that is beyond the current end of file
to insert a hole in it.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct 16 18:42:05 UTC 2025 on atb-devel-224
If AddressSanitizer is loaded it will detect alignment issues. The tool
is not ours, so ignore it.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Oct 16 09:34:58 UTC 2025 on atb-devel-224
Martin Schwenke [Sat, 11 Oct 2025 06:52:32 +0000 (17:52 +1100)]
ctdb-tests: Don't hard code creation of $CTDB_BASE/events/legacy/
setup_ctdb_base() should always create from etc-ctdb/. That directory
may be changed to not include the legacy/ component subdirectory, so
don't hard-code this particular subdirectory.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Oct 14 17:57:49 UTC 2025 on atb-devel-224
Martin Schwenke [Tue, 7 Oct 2025 11:27:06 +0000 (22:27 +1100)]
ctdb-tests: Improve setup_ctdb_base() to fix local_daemons.sh bug
$ ctdb/tests/local_daemons.sh foo onnode 0 ctdb event script list legacy
Unable to find event script installation directory: foo/node.0/share/events/legacy
This happens if the $CTDB_BASE/share/events/legacy/ directory does not
exist. This directory is (theoretically) for installed but not
necessarily enabled event scripts. ctdb/tests/etc-ctdb/ contains
events/legacy/ but setup_ctdb_base() currently does not ensure
creation of the corresponding directory under $CTDB_BASE/share/.
Ensure that an event script component installation subdirectory exists
for each corresponding configuration subdirectory.
An alternative would be to continue to allow the existing failure, but
create directory ctdb/tests/etc-ctdb/share/events/legacy/ specifically
to make local_daemons.sh work. However, it took 5 years to find the
current bug, so this may be too subtle for other users of
local_daemons.sh. Anyone wanting to test the failure case can remove
unwanted subdirectories after "local_daemons.sh setup".
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
0x7d2f14452360 is located 736 bytes inside of 861-byte region [0x7d2f14452080,0x7d2f144523dd)
freed by thread T0 here:
#0 0x7faf16d208eb (/lib64/libasan.so.8+0x1208eb) (BuildId: 61b31c4760766f5f2552c32e175755894d8f6565)
#1 0x7faf14560a72 in _tc_free_poolmem ../../lib/talloc/talloc.c:1080
#2 0x7faf1455f71b in _tc_free_internal ../../lib/talloc/talloc.c:1215
#3 0x7faf1455ee1b in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
#4 0x7faf1455ee1b in _tc_free_internal ../../lib/talloc/talloc.c:1184
#5 0x7faf14560315 in _talloc_free_internal ../../lib/talloc/talloc.c:1248
#6 0x7faf14560315 in _talloc_free ../../lib/talloc/talloc.c:1792
#7 0x7baf0a5c3883 in py_cli_notify_get_changes ../../source3/libsmb/pylibsmb.c:2274
#8 0x7faf165ba239 (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1ba239) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Oct 14 12:35:37 UTC 2025 on atb-devel-224
Volker Lendecke [Mon, 13 Oct 2025 09:18:35 +0000 (11:18 +0200)]
vfs_fake_acls: Fix error path return in fake_acls_fstatat()
Thanks to Jeremy for pointing this out to me!
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct 14 08:27:39 UTC 2025 on atb-devel-224
Gary Lockyer [Sun, 12 Oct 2025 20:46:16 +0000 (09:46 +1300)]
s4:torture:vfs:fruit fix Clang compilation issue
Fix:
[4176/4995] Compiling source4/torture/vfs/fruit.c
../../source4/torture/vfs/fruit.c:7900:2: error: variable 'h' is used
uninitialized whenever 'if' condition is true
[-Werror,-Wsometimes-uninitialized]
7900 | CHECK_STATUS(status, NT_STATUS_OK);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Oct 13 04:42:16 UTC 2025 on atb-devel-224
Ralph Boehme [Sat, 27 Sep 2025 11:01:32 +0000 (13:01 +0200)]
smbtorture: add test "smb2.lease.lease-epoch"
Verifies the lease epoch is not incremented by the server (returns what the
client sent in the request) if a lease was not granted, i.e. lease_level=NONE.
Test passes against Windows 2025.
From MS-SMB2 3.3.5.9.11 "Handling the SMB2_CREATE_REQUEST_LEASE_V2 Create
Context":
    If the object store succeeds this request, Lease.LeaseState MUST be set to the
    new caching state. The server MUST increment Lease.Epoch by 1.
Ralph Boehme [Fri, 28 Feb 2025 05:15:26 +0000 (06:15 +0100)]
smbtorture: correctly handle scale-out shares in smb2.durable-v2-open.create-blob
On a share with SMB2_SHARE_CAP_SCALEOUT capability the cluster doesn't
grant batch oplocks, at most level-II oplocks and it also doesn't
grant durable-handles (v1 or v2) as they require an RWH-lease.
With this change the test passes against Windows Server 2025.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Wed, 9 May 2018 06:25:51 +0000 (08:25 +0200)]
smbtorture: fix smb2.durable-v2-open.open-lease and smb2.durable-v2-open.persistent-open-lease
Only check the resulting lease state if we actually requested a lease and
correctly deal with SMB2_SHARE_CAP_SCALEOUT shares where the server grants at
most R leases and no Durable Handles.
With this change the test passes against Windows Server 2025.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>