[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Jun 30 19:55:03 MDT 2011
The branch, master has been updated
via f3c3768 s4-dsdb guard principalName parse for invalid inputs
via f1b1a66 s4-dsdb Allow a servicePrincipalName of machine$
from 1053a24 Part of fix for bug 8276 - FD_SET out of bounds access crash.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f3c3768d30410de8b0cc8b2ef078640bdc0864d4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 30 14:21:51 2011 +1000
s4-dsdb guard principalName parse for invalid inputs
We need to ensure that if this parses name.name_string as just one
val, then we don't read uninitialised and possibly unallocated memory.
Found by Adam Thorn <alt36 at cam.ac.uk>
While we are checking that, we need to fix the strncasecmp() check to
first check if the string is the expected length, then check for a
match against sAMAccountName-without-dollar, as otherwise we will
permit a string such as machinefoo to match a sAMAccountName of
machine.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet at samba.org>
Autobuild-Date: Fri Jul 1 03:55:00 CEST 2011 on sn-devel-104
commit f1b1a66615bfceb4d53c11140aceba2412d0ec37
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 30 14:20:22 2011 +1000
s4-dsdb Allow a servicePrincipalName of machine$
This is pointless, but MacOS X (version 10.6.8 was tested) apparently
sets machine$ into this field.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/acl.c | 13 ++++++++++++-
1 files changed, 12 insertions(+), 1 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index b6eb563..49152d4 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -457,6 +457,12 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
bool is_dc = (userAccountControl & UF_SERVER_TRUST_ACCOUNT) ||
(userAccountControl & UF_PARTIAL_SECRETS_ACCOUNT);
+ if (strcasecmp_m(spn_value, samAccountName) == 0) {
+ /* MacOS X sets this value, and setting an SPN of your
+ * own samAccountName is both pointless and safe */
+ return LDB_SUCCESS;
+ }
+
kerr = smb_krb5_init_context_basic(mem_ctx,
lp_ctx,
&krb_ctx);
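Review bot: The comment on the new early return says that an SPN equal to your own samAccountName is "both pointless and safe" but does not say why it is safe, and this return sits ahead of the principal parse and every serviceType, realm and instanceName check that follows. Please spell out the reasoning in the comment so a later reader can tell that the bypass is deliberate. A smaller point: this comparison uses strcasecmp_m while the other name comparisons in acl_validate_spn_value use strncasecmp and strcasecmp, so it would be good to settle on one family or note why this one needs to differ.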
@@ -471,6 +477,10 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
return LDB_ERR_CONSTRAINT_VIOLATION;
}
+ if (principal->name.name_string.len < 2) {
+ goto fail;
+ }
+
instanceName = principal->name.name_string.val[1];
serviceType = principal->name.name_string.val[0];
realm = krb5_principal_get_realm(krb_ctx, principal);
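Review bot: The new "name_string.len < 2" check has no comment, and it is the only thing protecting the reads of val[1] and val[0] directly below it. A one-line comment saying that an SPN must carry at least a serviceType and an instanceName would keep someone from moving or dropping the check later. Please also confirm that the fail label releases principal, because the error path just above this check returns LDB_ERR_CONSTRAINT_VIOLATION directly while this one jumps.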
@@ -503,7 +513,8 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
}
/* instanceName can be samAccountName without $ or dnsHostName
* or "ntds_guid._msdcs.forest_domain for DC objects */
- if (strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) {
+ if (strlen(instanceName) == (strlen(samAccountName) - 1)
+ && strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) {
goto success;
} else if (strcasecmp(instanceName, dnsHostName) == 0) {
goto success;
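Review bot: The replacement condition still subtracts 1 from strlen(samAccountName) without checking that the last character is actually '$'. For an account name with no trailing dollar, an instanceName equal to the name minus its final character would pass, which is not what the comment "samAccountName without $" describes. Consider testing that the name ends in '$' before taking this branch. Also, strlen(samAccountName) is now evaluated twice in one expression; computing it once into a size_t local would make the length comparison and the strncasecmp bound easier to read.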
--
Samba Shared Repository