From 9ee38afc666d95a576d5263a759e110909bdf4d9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 12:12:37 +1300 Subject: [PATCH 01/13] ldb: Be strict about talloc_memdup() and passed in buffers in ldb_dn_set_component() This ensures we do not over-read the source buffer, but still NUL terminate. This may be related to debuain bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808769 Signed-off-by: Andrew Bartlett --- lib/ldb/common/ldb_dn.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c index dfd3b58..1e83f5a 100644 --- a/lib/ldb/common/ldb_dn.c +++ b/lib/ldb/common/ldb_dn.c @@ -1907,11 +1907,23 @@ int ldb_dn_set_component(struct ldb_dn *dn, int num, } v.length = val.length; - v.data = (uint8_t *)talloc_memdup(dn, val.data, v.length+1); + + /* + * This is like talloc_memdup(dn, v.data, v.length + 1), but + * avoids the over-read + */ + v.data = (uint8_t *)talloc_size(dn, v.length+1); if ( ! v.data) { talloc_free(n); return LDB_ERR_OTHER; } + memcpy(v.data, val.data, val.length); + + /* + * Enforce NUL termination outside the stated length, as is + * traditional in LDB + */ + v.data[v.length] = '\0'; talloc_free(dn->components[num].name); talloc_free(dn->components[num].value.data); From b44c5077ec81a72d55045f37510cbdf156ba753f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 12:13:04 +1300 Subject: [PATCH 02/13] ldb: Explain why this use of talloc_memdup() is safe Signed-off-by: Andrew Bartlett --- lib/ldb/common/ldb_dn.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c index 1e83f5a..a912fdb 100644 --- a/lib/ldb/common/ldb_dn.c +++ b/lib/ldb/common/ldb_dn.c 
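Review bot: The added `memcpy(v.data, val.data, val.length);` runs without checking `val.data`, and passing a null pointer to memcpy() is undefined behaviour even when the length is 0; nothing visible in this hunk rules out an empty `val` whose `data` is NULL. Guarding the copy, `if (val.length > 0) { memcpy(v.data, val.data, val.length); }`, still yields a NUL-terminated empty value and removes that dependency on the caller. The `v.length+1` passed to talloc_size() can also wrap to 0 when `val.length` is SIZE_MAX, which would leave the copy and the terminator write outside the allocation; a later patch in this series adds a check aimed at that. The new comment names `v.data` as the source where the code copies from `val.data`. The body of ldb_dn_set_component() starts and ends outside the hunk.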
@@ -586,6 +586,12 @@ static bool ldb_dn_explode(struct ldb_dn *dn) p++; *d++ = '\0'; + + /* + * This talloc_memdup() is OK with the + * +1 because *d has been set to '\0' + * just above + */ dn->components[dn->comp_num].value.data = \ (uint8_t *)talloc_memdup(dn->components, dt, l + 1); dn->components[dn->comp_num].value.length = l; @@ -708,6 +714,11 @@ static bool ldb_dn_explode(struct ldb_dn *dn) } *d++ = '\0'; + /* + * This talloc_memdup() is OK with the + * +1 because *d has been set to '\0' + * just above. + */ dn->components[dn->comp_num].value.length = l; dn->components[dn->comp_num].value.data = (uint8_t *)talloc_memdup(dn->components, dt, l + 1); From d3057e41c6d1e471df8cbf96ed3f5515ad5264c3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 12:13:40 +1300 Subject: [PATCH 03/13] ldb: validate ldb_dn_set_component input parameters even more strictly Signed-off-by: Andrew Bartlett --- lib/ldb/common/ldb_dn.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c index a912fdb..5bf72ac 100644 --- a/lib/ldb/common/ldb_dn.c +++ b/lib/ldb/common/ldb_dn.c @@ -1912,6 +1912,14 @@ int ldb_dn_set_component(struct ldb_dn *dn, int num, return LDB_ERR_OTHER; } + if (num < 0) { + return LDB_ERR_OTHER; + } + + if (v.length > v.length + 1) { + return LDB_ERR_OTHER; + } + n = talloc_strdup(dn, name); if ( ! n) { return LDB_ERR_OTHER; From 54a8f2a90ddb849e916b262757f464afe7221c90 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 6 Jan 2016 11:57:39 +1300 Subject: [PATCH 04/13] python: Assert that we use Py_ssize_t consistently for PyParseArgs*() Signed-off-by: Andrew Bartlett --- buildtools/wafsamba/samba_python.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/buildtools/wafsamba/samba_python.py b/buildtools/wafsamba/samba_python.py index 8075381..8ce1b43 100644 --- a/buildtools/wafsamba/samba_python.py +++ b/buildtools/wafsamba/samba_python.py 
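Review bot: Both new comments justify the `l + 1` by saying `*d` was set to '\0', but the buffer being duplicated is `dt`, so the argument holds only if the terminator just written sits at `dt[l]`; that relation between `d`, `dt` and `l` is established outside these hunks and the comments do not state it. I would spell the invariant out, for example `/* dt[l] is the '\0' written via *d++ just above, so copying l + 1 bytes stays inside the buffer */`. In the second hunk the comment sits above the `.value.length = l;` assignment rather than directly above the talloc_memdup() call it describes. ldb_dn_explode() continues outside both hunks, so whether the talloc_memdup() result is checked cannot be seen from here.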
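Review bot: The overflow guard `if (v.length > v.length + 1)` tests `v.length`, yet judging by the first patch of this series `v.length = val.length;` is only assigned after the `talloc_strdup()` that follows this check, so unless `v` is initialised at its declaration (outside the hunk) the comparison reads an indeterminate value and does not bound the caller-supplied length. Testing the input directly, `if (val.length > val.length + 1) {`, makes the guard cover the `v.length+1` allocation and the terminator write it is meant to protect. The `num < 0` test covers only the lower bound; the upper bound against the component count is presumably the check whose tail appears in the context lines above, which begin outside the hunk.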
@@ -99,6 +99,17 @@ def SAMBA_PYTHON(bld, name, if init_function_sentinel is not None: cflags += '-DSTATIC_LIBPYTHON_MODULES=%s' % init_function_sentinel + # From https://docs.python.org/2/c-api/arg.html: + # Starting with Python 2.5 the type of the length argument to + # PyArg_ParseTuple(), PyArg_ParseTupleAndKeywords() and PyArg_Parse() + # can be controlled by defining the macro PY_SSIZE_T_CLEAN before + # including Python.h. If the macro is defined, length is a Py_ssize_t + # rather than an int. + + # Because if often included before includes.h/config.h + # This must be in the -D compiler options + cflags += ' -DPY_SSIZE_T_CLEAN=1' + source = bld.EXPAND_VARIABLES(source, vars=vars) if realname is not None: From c3e6101c0345c8148079a4bc9f168b54f1fb98d2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 12:42:06 +1300 Subject: [PATCH 05/13] ldb: Adjust to PY_SSIZE_T_CLEAN and use Py_ssize_t consistently with PyArg_ParseTuple*() This was inconsistent after dd7baa2ae2f98d5c1e82fa97f223925025da5ca0, and may be the cause of test errors on s390x. (The change to py_ldb_dn_set_component() kept the Py_ssize_t type for 'size' without setting the PY_SSIZE_T_CLEAN macro to have PyArg_ParseTuple() expect a Py_ssize_t. Instead, PyArg_ParseTuple() expected an int. See in particular debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808769 Signed-off-by: Andrew Bartlett --- lib/ldb/pyldb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index fff1fee..3daed96 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -489,7 +489,7 @@ static PyObject *py_ldb_dn_set_extended_component(PyLdbDnObject *self, PyObject char *name; int err; uint8_t *value; - int size = 0; + Py_ssize_t size = 0; if (!PyArg_ParseTuple(args, "sz#", &name, (const char**)&value, &size)) return NULL; 
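Review bot: Forcing `-DPY_SSIZE_T_CLEAN=1` onto every SAMBA_PYTHON() target changes what the PyArg_Parse*() functions store for each `#` length in every module built this way, and a caller that still passes an `int *` then has a Py_ssize_t written through it, which on LP64 platforms overruns the variable. The compiler cannot type-check these varargs, so the comment should state that every `#` length argument in the C bindings must be declared `Py_ssize_t`; new bindings need the same audit that the following patches apply to the existing ones. The second comment is missing its subject: `# Because Python.h is often included before includes.h/config.h,` followed by `# this must be in the -D compiler options` reads as intended. SAMBA_PYTHON() starts and ends outside the hunk.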
@@ -3642,7 +3642,7 @@ static PyObject *py_valid_attr_name(PyObject *self, PyObject *args) static PyObject *py_binary_encode(PyObject *self, PyObject *args) { char *str, *encoded; - int size = 0; + Py_ssize_t size = 0; struct ldb_val val; PyObject *ret; From a75bdf970c4c61d423d8df8dea03a32cad3bc852 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 13:03:39 +1300 Subject: [PATCH 06/13] pidl: Use PY_SSIZE_T_CLEAN This changes the type used for # arguments to PyArg_ParseTupleAndKeywords Signed-off-by: Andrew Bartlett --- pidl/lib/Parse/Pidl/Samba4/Python.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm b/pidl/lib/Parse/Pidl/Samba4/Python.pm index 180b6b2..82f9219 100644 --- a/pidl/lib/Parse/Pidl/Samba4/Python.pm +++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm @@ -282,7 +282,7 @@ sub PythonStruct($$$$$$) $self->indent; $self->pidl("$cname *object = ($cname *)pytalloc_get_ptr(py_obj);"); $self->pidl("DATA_BLOB blob;"); - $self->pidl("int blob_length = 0;"); + $self->pidl("Py_ssize_t blob_length = 0;"); $self->pidl("enum ndr_err_code err;"); $self->pidl("const char * const kwnames[] = { \"data_blob\", \"allow_remaining\", NULL };"); $self->pidl("PyObject *allow_remaining_obj = NULL;"); @@ -1490,6 +1490,7 @@ sub Parse($$$$$) $self->pidl_hdr(" /* Python wrapper functions auto-generated by pidl */ +#define PY_SSIZE_T_CLEAN 1 /* We use Py_ssize_t for PyArg_ParseTupleAndKeywords */ #include #include \"includes.h\" #include From dacdc9d1980df3cf4622aa30f36daa96d4e6bc9a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 13:04:46 +1300 Subject: [PATCH 07/13] pylibsmb: Adjust to use of PY_SSIZE_T_CLEAN This changes the type used for # arguments to PyArg_ParseTupleAndKeywords Signed-off-by: Andrew Bartlett --- source3/libsmb/pylibsmb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c index 2d6853a..0c5d7e9 100644 
--- a/source3/libsmb/pylibsmb.c +++ b/source3/libsmb/pylibsmb.c @@ -650,7 +650,7 @@ static PyObject *py_cli_write(struct py_cli_state *self, PyObject *args, int fnum; unsigned mode = 0; char *buf; - int buflen; + Py_ssize_t buflen; unsigned long long offset; struct tevent_req *req; NTSTATUS status; From 3c07bb16bf2a60cc29dd0eaf4b5ae4fce817d9e3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 13:05:44 +1300 Subject: [PATCH 08/13] pymessaging: Adjust to use of PY_SSIZE_T_CLEAN This changes the type used for # arguments to PyArg_ParseTupleAndKeywords Signed-off-by: Andrew Bartlett --- source4/lib/messaging/pymessaging.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/lib/messaging/pymessaging.c b/source4/lib/messaging/pymessaging.c index 199532f..0eca139 100644 --- a/source4/lib/messaging/pymessaging.c +++ b/source4/lib/messaging/pymessaging.c @@ -147,7 +147,7 @@ static PyObject *py_imessaging_send(PyObject *self, PyObject *args, PyObject *kw NTSTATUS status; struct server_id server; const char *kwnames[] = { "target", "msg_type", "data", NULL }; - int length; + Py_ssize_t length; if (!PyArg_ParseTupleAndKeywords(args, kwargs, "Ois#:send", discard_const_p(char *, kwnames), &target, &msg_type, &data.data, &length)) { From fb7894047ac38d06c6182642aa841d5901c41bd9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 13:06:31 +1300 Subject: [PATCH 09/13] pyregistry: Adjust to use of PY_SSIZE_T_CLEAN This changes the type used for # arguments to PyArg_ParseTuple Signed-off-by: Andrew Bartlett --- source4/lib/registry/pyregistry.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/lib/registry/pyregistry.c b/source4/lib/registry/pyregistry.c index 8f96710..7b7fdf3 100644 --- a/source4/lib/registry/pyregistry.c +++ b/source4/lib/registry/pyregistry.c 
@@ -212,7 +212,7 @@ static PyObject *py_hive_key_set_value(PyObject *self, PyObject *args) char *name; uint32_t type; DATA_BLOB value; - int value_length = 0; + Py_ssize_t value_length = 0; WERROR result; struct hive_key *key = PyHiveKey_AsHiveKey(self); From c30a7d93f2c83c540d03f1237773a5e1adc6fe32 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 13:07:08 +1300 Subject: [PATCH 10/13] pyrpc: Adjust to use of PY_SSIZE_T_CLEAN This changes the type used for # arguments to PyArg_ParseTupleAndKeywords Signed-off-by: Andrew Bartlett --- source4/librpc/rpc/pyrpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/librpc/rpc/pyrpc.c b/source4/librpc/rpc/pyrpc.c index 243e96b..f1bfc88 100644 --- a/source4/librpc/rpc/pyrpc.c +++ b/source4/librpc/rpc/pyrpc.c @@ -200,7 +200,7 @@ static PyObject *py_iface_request(PyObject *self, PyObject *args, PyObject *kwar DATA_BLOB data_in, data_out; NTSTATUS status; char *in_data; - int in_length; + Py_ssize_t in_length; PyObject *ret; PyObject *object = NULL; struct GUID object_guid; From 2c329ca174d13209d32f26f73c31e73e42725c6f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 13:07:49 +1300 Subject: [PATCH 11/13] ntvfs/python: Adjust to use of PY_SSIZE_T_CLEAN This changes the type used for # arguments to PyArg_ParseTuple Signed-off-by: Andrew Bartlett --- source4/ntvfs/posix/python/pyposix_eadb.c | 2 +- source4/ntvfs/posix/python/pyxattr_native.c | 2 +- source4/ntvfs/posix/python/pyxattr_tdb.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/source4/ntvfs/posix/python/pyposix_eadb.c b/source4/ntvfs/posix/python/pyposix_eadb.c index db62baf..a94440b 100644 --- a/source4/ntvfs/posix/python/pyposix_eadb.c +++ b/source4/ntvfs/posix/python/pyposix_eadb.c 
@@ -39,7 +39,7 @@ static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args) { char *filename, *attribute, *tdbname; DATA_BLOB blob; - int blobsize; + Py_ssize_t blobsize; NTSTATUS status; TALLOC_CTX *mem_ctx; struct tdb_wrap *eadb; diff --git a/source4/ntvfs/posix/python/pyxattr_native.c b/source4/ntvfs/posix/python/pyxattr_native.c index 6ddfe08..8dd98d2 100644 --- a/source4/ntvfs/posix/python/pyxattr_native.c +++ b/source4/ntvfs/posix/python/pyxattr_native.c @@ -38,7 +38,7 @@ static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args) { char *filename, *attribute; int ret = 0; - int blobsize; + Py_ssize_t blobsize; DATA_BLOB blob; if (!PyArg_ParseTuple(args, "sss#", &filename, &attribute, &blob.data, diff --git a/source4/ntvfs/posix/python/pyxattr_tdb.c b/source4/ntvfs/posix/python/pyxattr_tdb.c index ef3401c..56beedb 100644 --- a/source4/ntvfs/posix/python/pyxattr_tdb.c +++ b/source4/ntvfs/posix/python/pyxattr_tdb.c @@ -43,7 +43,7 @@ static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args) { char *filename, *attribute, *tdbname; DATA_BLOB blob; - int blobsize; + Py_ssize_t blobsize; int ret; TALLOC_CTX *mem_ctx; struct loadparm_context *lp_ctx; From 09cec297dab78c07a1873214ede5f83088f92287 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 4 Jan 2016 13:23:50 +1300 Subject: [PATCH 12/13] python: Remove Python 2.4 support macros We require Python 2.6 Signed-off-by: Andrew Bartlett --- source3/passdb/py_passdb.c | 7 ------- source4/auth/pyauth.c | 7 ------- source4/dsdb/pydsdb.c | 7 ------- source4/param/pyparam.c | 6 ------ source4/web_server/wsgi.c | 7 ------- 5 files changed, 34 deletions(-) diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c index ca43f70..0d4ca3b 100644 --- a/source3/passdb/py_passdb.c +++ b/source3/passdb/py_passdb.c 
@@ -27,13 +27,6 @@ #include "secrets.h" #include "idmap.h" -/* There's no Py_ssize_t in 2.4, apparently */ -#if PY_MAJOR_VERSION == 2 && PY_MINOR_VERSION < 5 -typedef int Py_ssize_t; -typedef inquiry lenfunc; -typedef intargfunc ssizeargfunc; -#endif - #ifndef Py_TYPE /* Py_TYPE is only available on Python > 2.6 */ #define Py_TYPE(ob) (((PyObject*)(ob))->ob_type) #endif diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c index d79d417..37f19fa 100644 --- a/source4/auth/pyauth.c +++ b/source4/auth/pyauth.c @@ -36,13 +36,6 @@ void initauth(void); staticforward PyTypeObject PyAuthContext; -/* There's no Py_ssize_t in 2.4, apparently */ -#if PY_MAJOR_VERSION == 2 && PY_MINOR_VERSION < 5 -typedef int Py_ssize_t; -typedef inquiry lenfunc; -typedef intargfunc ssizeargfunc; -#endif - static PyObject *PyAuthSession_FromSession(struct auth_session_info *session) { return py_return_ndr_struct("samba.dcerpc.auth", "session_info", session, session); diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c index 0a11e7b..8f36e8a 100644 --- a/source4/dsdb/pydsdb.c +++ b/source4/dsdb/pydsdb.c @@ -31,13 +31,6 @@ void initdsdb(void); -/* There's no Py_ssize_t in 2.4, apparently */ -#if PY_MAJOR_VERSION == 2 && PY_MINOR_VERSION < 5 -typedef int Py_ssize_t; -typedef inquiry lenfunc; -typedef intargfunc ssizeargfunc; -#endif - /* FIXME: These should be in a header file somewhere */ #define PyErr_LDB_OR_RAISE(py_ldb, ldb) \ if (!py_check_dcerpc_type(py_ldb, "ldb", "Ldb")) { \ diff --git a/source4/param/pyparam.c b/source4/param/pyparam.c index 14ffb2d..d1ba009 100644 --- a/source4/param/pyparam.c +++ b/source4/param/pyparam.c 
@@ -26,12 +26,6 @@ void initparam(void); -/* There's no Py_ssize_t in 2.4, apparently */ -#if PY_MAJOR_VERSION == 2 && PY_MINOR_VERSION < 5 -typedef int Py_ssize_t; -typedef inquiry lenfunc; -#endif - #define PyLoadparmContext_AsLoadparmContext(obj) pytalloc_get_type(obj, struct loadparm_context) #define PyLoadparmService_AsLoadparmService(obj) pytalloc_get_type(obj, struct loadparm_service) diff --git a/source4/web_server/wsgi.c b/source4/web_server/wsgi.c index f0e7bd5..0b1c5d2 100644 --- a/source4/web_server/wsgi.c +++ b/source4/web_server/wsgi.c @@ -28,13 +28,6 @@ #include "lib/tsocket/tsocket.h" #include "python/modules.h" -/* There's no Py_ssize_t in 2.4, apparently */ -#if PY_MAJOR_VERSION == 2 && PY_MINOR_VERSION < 5 -typedef int Py_ssize_t; -typedef inquiry lenfunc; -typedef intargfunc ssizeargfunc; -#endif - typedef struct { PyObject_HEAD struct websrv_context *web; From 98532c72ae1041ee5a35c388ff9635ea2217de99 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 6 Jan 2016 12:28:44 +1300 Subject: [PATCH 13/13] build: Add space before -D option This ensures that it is not concatonated with the previous option Signed-off-by: Andrew Bartlett --- buildtools/wafsamba/samba_python.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildtools/wafsamba/samba_python.py b/buildtools/wafsamba/samba_python.py index 8ce1b43..057a017 100644 --- a/buildtools/wafsamba/samba_python.py +++ b/buildtools/wafsamba/samba_python.py @@ -97,7 +97,7 @@ def SAMBA_PYTHON(bld, name, # when we support static python modules we'll need to gather # the list from all the SAMBA_PYTHON() targets if init_function_sentinel is not None: - cflags += '-DSTATIC_LIBPYTHON_MODULES=%s' % init_function_sentinel + cflags += ' -DSTATIC_LIBPYTHON_MODULES=%s' % init_function_sentinel # From https://docs.python.org/2/c-api/arg.html: # Starting with Python 2.5 the type of the length argument to