[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Jun 30 19:55:03 MDT 2011


The branch, master has been updated
       via  f3c3768 s4-dsdb guard principalName parse for invalid inputs
       via  f1b1a66 s4-dsdb Allow a servicePrincipalName of machine$
      from  1053a24 Part of fix for bug 8276 - FD_SET out of bounds access crash.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f3c3768d30410de8b0cc8b2ef078640bdc0864d4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 30 14:21:51 2011 +1000

    s4-dsdb guard principalName parse for invalid inputs
    
    We need to ensure that if this parses name.name_string as just one
    val, then we don't read uninitialised and possibly unallocated memory.
    Found by Adam Thorn <alt36 at cam.ac.uk>
    
    While we are checking that, we need to fix the strncasecmp() check to
    first check if the string is the expected length, then check for a
    match against sAMAccountName-without-dollar, as otherwise we will
    permit a string such as machinefoo to match a sAMAccountName of
    machine.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Fri Jul  1 03:55:00 CEST 2011 on sn-devel-104

commit f1b1a66615bfceb4d53c11140aceba2412d0ec37
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 30 14:20:22 2011 +1000

    s4-dsdb Allow a servicePrincipalName of machine$
    
    This is pointless, but MacOS X (version 10.6.8 was tested) apparently
    sets machine$ into this field.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/acl.c |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index b6eb563..49152d4 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -457,6 +457,12 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 	bool is_dc = (userAccountControl & UF_SERVER_TRUST_ACCOUNT) ||
 		(userAccountControl & UF_PARTIAL_SECRETS_ACCOUNT);
 
+	if (strcasecmp_m(spn_value, samAccountName) == 0) {
+		/* MacOS X sets this value, and setting an SPN of your
+		 * own samAccountName is both pointless and safe */
+		return LDB_SUCCESS;
+	}
+
 	kerr = smb_krb5_init_context_basic(mem_ctx,
 					   lp_ctx,
 					   &krb_ctx);
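Review bot: the early return after the is_dc assignment skips every later check in acl_validate_spn_value(), but the comment only asserts that this is "safe" without saying why. It should state that the match is against the full samAccountName, trailing $ included, and give the reason an account naming itself cannot collide with another principal. This comparison also uses strcasecmp_m() while the instanceName comparisons further down use strcasecmp() and strncasecmp(). If the multibyte-aware variant is intended here, a word on why the others differ would help; otherwise use one family throughout.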
@@ -471,6 +477,10 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 		return LDB_ERR_CONSTRAINT_VIOLATION;
 	}
 
+	if (principal->name.name_string.len < 2) {
+		goto fail;
+	}
+
 	instanceName = principal->name.name_string.val[1];
 	serviceType = principal->name.name_string.val[0];
 	realm = krb5_principal_get_realm(krb_ctx, principal);
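Review bot: the new name_string.len < 2 guard exits through goto fail, whereas the error path immediately above it returns LDB_ERR_CONSTRAINT_VIOLATION directly. The fail label is outside this hunk, so please confirm it releases principal and krb_ctx and returns a constraint violation rather than a generic error. The guard also deserves a short comment saying it protects the val[0] and val[1] reads on the next two lines, so a later edit does not move those reads above it.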
@@ -503,7 +513,8 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 	}
 	/* instanceName can be samAccountName without $ or dnsHostName
 	 * or "ntds_guid._msdcs.forest_domain for DC objects */
-	if (strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) {
+	if (strlen(instanceName) == (strlen(samAccountName) - 1)
+	    && strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) {
 		goto success;
 	} else if (strcasecmp(instanceName, dnsHostName) == 0) {
 		goto success;
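Review bot: the tightened condition still assumes samAccountName ends in $, because strlen(samAccountName) - 1 drops the last character whatever it is. For an account name without a trailing $, say "machine", an instanceName of "machin" passes both the length test and the strncasecmp(). Consider checking that the final character is '$' before stripping it. An empty samAccountName makes strlen(samAccountName) - 1 wrap to a huge size_t; the new length test happens to short-circuit that case, but an explicit check would not depend on evaluation order. Computing the length once into a local would also make the two-line condition easier to read.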


-- 
Samba Shared Repository

