svn commit: samba r15589 - branches/SAMBA_3_0/source/libsmb branches/SAMBA_3_0/source/smbd trunk/source/libsmb trunk/source/smbd

vlendec at samba.org vlendec at samba.org
Sat May 13 23:05:55 GMT 2006


Author: vlendec
Date: 2006-05-13 23:05:53 +0000 (Sat, 13 May 2006)
New Revision: 15589

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=15589

Log:
While trying to understand the vuid code I found that security=share is broken
right now. r14112 broke it, in 3.0.22 register_vuid for security=share returns
UID_FIELD_INVALID which in current 3_0 is turned into an error condition. This
makes sure that we only call register_vuid if sec!=share and meanwhile also
fixes a little memleak.

Then I also found a crash in smbclient with sec=share and host msdfs=yes.

There's another crash with sec=share when coming from w2k3, but I need sleep
now.

Someone (jerry,jra?) please review the sesssetup.c change.

Thanks,

Volker

Modified:
   branches/SAMBA_3_0/source/libsmb/cliconnect.c
   branches/SAMBA_3_0/source/smbd/password.c
   branches/SAMBA_3_0/source/smbd/sesssetup.c
   trunk/source/libsmb/cliconnect.c
   trunk/source/smbd/password.c
   trunk/source/smbd/sesssetup.c


Changeset:
Modified: branches/SAMBA_3_0/source/libsmb/cliconnect.c
===================================================================
--- branches/SAMBA_3_0/source/libsmb/cliconnect.c	2006-05-13 22:17:58 UTC (rev 15588)
+++ branches/SAMBA_3_0/source/libsmb/cliconnect.c	2006-05-13 23:05:53 UTC (rev 15589)
@@ -221,6 +221,7 @@
 	
 	fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
 
+	memset(cli->outbuf, '\0', smb_size);
 	set_message(cli->outbuf,13,0,True);
 	SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
 	cli_setup_packet(cli);
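Review bot: The added `memset(cli->outbuf, '\0', smb_size);` carries no comment saying why the header is cleared at this point, and the commit log does not say which symptom it addresses. If the intent is to keep fields left over from an earlier request out of the outgoing packet, a comment such as `/* zero the SMB header so stale fields from a previous request are not sent */` would record that. Only the first smb_size bytes are cleared; whether the parameter words and data behind the header are zeroed depends on set_message, which is not visible here. The enclosing function starts and ends outside the hunk, and the same line is added in the trunk/source/libsmb/cliconnect.c hunk.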
@@ -937,7 +938,8 @@
 		pass = "";
 	}
 
-	if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) {
+	if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
+	    pass && *pass && passlen != 24) {
 		if (!lp_client_lanman_auth()) {
 			DEBUG(1, ("Server requested LANMAN password (share-level security) but 'client use lanman auth'"
 				  " is disabled\n"));
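Review bot: The new `pass &&` test keeps a NULL `pass` out of this branch only, so a NULL pointer now falls through to whatever follows the `if`, which is outside the hunk. If that path still reads `passlen` bytes from `pass`, the NULL dereference has moved rather than gone away. Handling the case once, before the condition, would cover both paths, for example `if (!pass) { pass = ""; passlen = 0; }` if an empty password is what NULL is meant to express. The enclosing function starts and ends outside the hunk, and the same applies to the matching hunk in trunk/source/libsmb/cliconnect.c.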

Modified: branches/SAMBA_3_0/source/smbd/password.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/password.c	2006-05-13 22:17:58 UTC (rev 15588)
+++ branches/SAMBA_3_0/source/smbd/password.c	2006-05-13 23:05:53 UTC (rev 15589)
@@ -155,10 +155,9 @@
 {
 	user_struct *vuser = NULL;
 
-	/* Ensure no vuid gets registered in share level security. */
+	/* Paranoia check. */
 	if(lp_security() == SEC_SHARE) {
-		data_blob_free(&session_key);
-		return UID_FIELD_INVALID;
+		smb_panic("Tried to register uid in security=share\n");
 	}
 
 	/* Limit allowed vuids to 16bits - VUID_OFFSET. */
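Review bot: Replacing the fail-closed `return UID_FIELD_INVALID;` with `smb_panic()` means any caller of register_vuid that is not guarded by its own `lp_security() == SEC_SHARE` test now aborts the smbd process instead of failing the logon. This commit guards one call in sesssetup.c; other call sites are not visible here and the log mentions a further sec=share crash still open, so a client-reachable path to the panic would end that connection. Keeping the two removed lines and adding `DEBUG(0, ("register_vuid called with security=share\n"));` in front of them would report the caller bug without terminating. If the panic stays, `/* Paranoia check. */` should name the invariant, e.g. `/* Callers must never register a vuid in share level security. */`. The same applies to the trunk/source/smbd/password.c hunk; the function body continues outside the hunk.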

Modified: branches/SAMBA_3_0/source/smbd/sesssetup.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/sesssetup.c	2006-05-13 22:17:58 UTC (rev 15588)
+++ branches/SAMBA_3_0/source/smbd/sesssetup.c	2006-05-13 23:05:53 UTC (rev 15589)
@@ -1127,20 +1127,30 @@
 	/* register the name and uid as being validated, so further connections
 	   to a uid can get through without a password, on the same VC */
 
-	/* register_vuid keeps the server info */
-	sess_vuid = register_vuid(server_info, session_key, nt_resp.data ? nt_resp : lm_resp, sub_user);
-	data_blob_free(&nt_resp);
-	data_blob_free(&lm_resp);
+	if (lp_security() == SEC_SHARE) {
+		sess_vuid = UID_FIELD_INVALID;
+		data_blob_free(&session_key);
+		TALLOC_FREE(server_info);
+	} else {
+		/* register_vuid keeps the server info */
+		sess_vuid = register_vuid(server_info, session_key,
+					  nt_resp.data ? nt_resp : lm_resp,
+					  sub_user);
+		if (sess_vuid == UID_FIELD_INVALID) {
+			data_blob_free(&nt_resp);
+			data_blob_free(&lm_resp);
+			return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
+		}
 
-	if (sess_vuid == UID_FIELD_INVALID) {
-		return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
+		/* current_user_info is changed on new vuid */
+		reload_services( True );
+
+		sessionsetup_start_signing_engine(server_info, inbuf);
 	}
 
-	/* current_user_info is changed on new vuid */
-	reload_services( True );
-
-	sessionsetup_start_signing_engine(server_info, inbuf);
-
+	data_blob_free(&nt_resp);
+	data_blob_free(&lm_resp);
+	
 	SSVAL(outbuf,smb_uid,sess_vuid);
 	SSVAL(inbuf,smb_uid,sess_vuid);
 	
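Review bot: On the register_vuid failure path in the else branch, nt_resp and lm_resp are freed but nothing visible releases server_info or session_key, so whether this early return leaks depends on register_vuid freeing both on every failure path. The comment `/* register_vuid keeps the server info */` should state the ownership rule in full, e.g. `/* register_vuid takes ownership of server_info and session_key, also on failure */` if that is what it does. In the SEC_SHARE branch server_info is NULL after `TALLOC_FREE(server_info);`, so any use of it past the end of this hunk would need a guard. That branch also skips reload_services and sessionsetup_start_signing_engine, which deserves a one-line comment saying it is intentional. The enclosing function starts and ends outside the hunk, and the same applies to the trunk/source/smbd/sesssetup.c hunk.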

Modified: trunk/source/libsmb/cliconnect.c
===================================================================
--- trunk/source/libsmb/cliconnect.c	2006-05-13 22:17:58 UTC (rev 15588)
+++ trunk/source/libsmb/cliconnect.c	2006-05-13 23:05:53 UTC (rev 15589)
@@ -221,6 +221,7 @@
 	
 	fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
 
+	memset(cli->outbuf, '\0', smb_size);
 	set_message(cli->outbuf,13,0,True);
 	SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
 	cli_setup_packet(cli);
@@ -937,7 +938,8 @@
 		pass = "";
 	}
 
-	if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) {
+	if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
+	    pass && *pass && passlen != 24) {
 		if (!lp_client_lanman_auth()) {
 			DEBUG(1, ("Server requested LANMAN password (share-level security) but 'client use lanman auth'"
 				  " is disabled\n"));

Modified: trunk/source/smbd/password.c
===================================================================
--- trunk/source/smbd/password.c	2006-05-13 22:17:58 UTC (rev 15588)
+++ trunk/source/smbd/password.c	2006-05-13 23:05:53 UTC (rev 15589)
@@ -155,10 +155,9 @@
 {
 	user_struct *vuser = NULL;
 
-	/* Ensure no vuid gets registered in share level security. */
+	/* Paranoia check. */
 	if(lp_security() == SEC_SHARE) {
-		data_blob_free(&session_key);
-		return UID_FIELD_INVALID;
+		smb_panic("Tried to register uid in security=share\n");
 	}
 
 	/* Limit allowed vuids to 16bits - VUID_OFFSET. */

Modified: trunk/source/smbd/sesssetup.c
===================================================================
--- trunk/source/smbd/sesssetup.c	2006-05-13 22:17:58 UTC (rev 15588)
+++ trunk/source/smbd/sesssetup.c	2006-05-13 23:05:53 UTC (rev 15589)
@@ -1127,20 +1127,30 @@
 	/* register the name and uid as being validated, so further connections
 	   to a uid can get through without a password, on the same VC */
 
-	/* register_vuid keeps the server info */
-	sess_vuid = register_vuid(server_info, session_key, nt_resp.data ? nt_resp : lm_resp, sub_user);
-	data_blob_free(&nt_resp);
-	data_blob_free(&lm_resp);
+	if (lp_security() == SEC_SHARE) {
+		sess_vuid = UID_FIELD_INVALID;
+		data_blob_free(&session_key);
+		TALLOC_FREE(server_info);
+	} else {
+		/* register_vuid keeps the server info */
+		sess_vuid = register_vuid(server_info, session_key,
+					  nt_resp.data ? nt_resp : lm_resp,
+					  sub_user);
+		if (sess_vuid == UID_FIELD_INVALID) {
+			data_blob_free(&nt_resp);
+			data_blob_free(&lm_resp);
+			return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
+		}
 
-	if (sess_vuid == UID_FIELD_INVALID) {
-		return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
+		/* current_user_info is changed on new vuid */
+		reload_services( True );
+
+		sessionsetup_start_signing_engine(server_info, inbuf);
 	}
 
-	/* current_user_info is changed on new vuid */
-	reload_services( True );
-
-	sessionsetup_start_signing_engine(server_info, inbuf);
-
+	data_blob_free(&nt_resp);
+	data_blob_free(&lm_resp);
+	
 	SSVAL(outbuf,smb_uid,sess_vuid);
 	SSVAL(inbuf,smb_uid,sess_vuid);
 	


