[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Mon Sep 8 01:53:04 MDT 2014
The branch, master has been updated
via 01a1881 s3: smbd: smb2-sessionsetup. Fix use after free when the sessionsetup request state is freed before struct smbXsrv_session struct.
via b19750d winbindd: Do not use group_list->out.resume_index after free
via 34cc5bd winbindd: Do not use user_list->out.resume_index after free
via e93affb torture: allow us to correctly use sizeof(buf) in raw.open tests
via cb25480 s3-lib: Do not walk past the end of the dos_to_ntstatus_map array
via b8fc4d4 Use correct size for test string, sizeof() was of the pointer
via c0dfda3 passdb: Avoid use-after-free when setting a plaintext password
via 3cd5e67 s4-auth: Use sizeof() rather than a fixed constant in memcmp() call
via b1b3167 selftest: Show filename or script we had trouble reading
from b760056 torture: fix whitespace/tab mixup in internal_torture_run_test()
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 01a18811cc7e8a7fb81c4656a0c9a426f0b8f8f2
Author: Jeremy Allison <jra at samba.org>
Date: Thu Sep 4 02:08:08 2014 -0700
s3: smbd: smb2-sessionsetup. Fix use after free when the sessionsetup request state is freed before struct smbXsrv_session struct.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Sep 8 09:52:23 CEST 2014 on sn-devel-104
commit b19750dbe97d57d2c0d6d938d10efae48825b959
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 3 10:21:01 2014 +1200
winbindd: Do not use group_list->out.resume_index after free
Found by AddressSanitizer
Change-Id: I59009144b28c390ddb80b7b3fbb4007dfd16db0e
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
commit 34cc5bd260a9c7139d8d1e822f4e139e9c0ec2c0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 2 17:03:34 2014 +1200
winbindd: Do not use user_list->out.resume_index after free
Found by AddressSanitizer
Change-Id: I9f8b95b65de788994a7404fa8889fce45ccb3a30
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
commit e93affbe1b4ff32858988bde79d00cdc82729089
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 2 14:28:04 2014 +1200
torture: allow us to correctly use sizeof(buf) in raw.open tests
This changes the sizeof(buf) from sizeof(void *), 8 on 64-bit machines, to sizeof("test") (eg 5).
Found by AddressSanitizer
Andrew Bartlett
Change-Id: I01f18b35c041f3b16be9f6da8ae5d1917d7e24d9
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
commit cb25480e82cb2e0ef8793fd9c21d710208c822f3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 2 11:25:07 2014 +1200
s3-lib: Do not walk past the end of the dos_to_ntstatus_map array
Found by AddressSanitizer
Change-Id: Ic8b3e2599713c37b11324f9ec2d01891f0f287b9
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
commit b8fc4d4ab503b0e95738734c1019b9d3430908ba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 2 10:48:34 2014 +1200
Use correct size for test string, sizeof() was of the pointer
Found by AddressSanitizer
Change-Id: Ifc9883d958f253df903775544010c0228a102f0f
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
commit c0dfda35f7d94091150b109e8308f2f1f9c0efa7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 2 10:47:57 2014 +1200
passdb: Avoid use-after-free when setting a plaintext password
The issue here is that pdb_set_plaintext_passwd() re-used the memory from pdb_get_pw_history() as input
We need to free this after we copy and set it.
Found by AddressSanitizer
Andrew Bartlett
Change-Id: I4e148e23ccbbe5444c969ff8f91709791c7696bb
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
commit 3cd5e672264c951d1960e6cefc4ad590a1ea180d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 2 09:48:08 2014 +1200
s4-auth: Use sizeof() rather than a fixed constant in memcmp() call
Change-Id: I2807cf2af9e4c3282e6ff54a6dd8e90f34e9481f
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
commit b1b3167de96237bc4ae2c870bff7cc1896da664b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 1 17:13:39 2014 +1200
selftest: Show filename or script we had trouble reading
Change-Id: I12c26e807ab0d65031347bc3be609b2e87dcabb5
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/selftest.pl | 2 +-
source3/libsmb/errormap.c | 2 +-
source3/passdb/pdb_get_set.c | 5 +++--
source3/smbd/smb2_sesssetup.c | 6 ++++++
source4/auth/ntlm/auth_sam.c | 3 ++-
source4/lib/registry/tests/registry.c | 2 +-
source4/torture/raw/open.c | 6 +++---
source4/winbind/wb_cmd_setgrent.c | 5 +++--
source4/winbind/wb_cmd_setpwent.c | 7 +++++--
9 files changed, 25 insertions(+), 13 deletions(-)
Changeset truncated at 500 lines:
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 8342bfe..f35b063 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -582,7 +582,7 @@ sub read_testlist($)
print;
}
}
- close(IN) or die("Error creating recipe");
+ close(IN) or die("Error creating recipe from $filename");
return @ret;
}
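Review bot: the die() on close(IN) in read_testlist() now names the file but still not the cause of the failure. Appending $! (and $? when IN is a pipe from a script, which the commit subject suggests it can be) would show why the read failed, for example die("Error creating recipe from $filename: $!").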
diff --git a/source3/libsmb/errormap.c b/source3/libsmb/errormap.c
index 22daee4..cc25c7e 100644
--- a/source3/libsmb/errormap.c
+++ b/source3/libsmb/errormap.c
@@ -285,7 +285,7 @@ NTSTATUS dos_to_ntstatus(uint8 eclass, uint32 ecode)
{
int i;
if (eclass == 0) return NT_STATUS_OK;
- for (i=0; NT_STATUS_V(dos_to_ntstatus_map[i].ntstatus); i++) {
+ for (i=0; i < ARRAY_SIZE(dos_to_ntstatus_map); i++) {
if (eclass == dos_to_ntstatus_map[i].dos_class &&
ecode == dos_to_ntstatus_map[i].dos_code) {
return dos_to_ntstatus_map[i].ntstatus;
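Review bot: in the new loop condition i < ARRAY_SIZE(dos_to_ntstatus_map), i is still declared as int, so the comparison mixes signed and unsigned operands if ARRAY_SIZE yields a size_t; declaring i as size_t avoids that. The commit message could also record whether the table was ever meant to end in a zero-status terminator, since the old condition depended on one.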
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index a9b22bb..0d7f4cb 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -873,9 +873,10 @@ bool pdb_set_lanman_passwd(struct samu *sampass, const uint8 pwd[LM_HASH_LEN], e
bool pdb_set_pw_history(struct samu *sampass, const uint8 *pwd, uint32_t historyLen, enum pdb_value_state flag)
{
if (historyLen && pwd){
- data_blob_free(&(sampass->nt_pw_his));
+ DATA_BLOB *old_nt_pw_his = &(sampass->nt_pw_his);
sampass->nt_pw_his = data_blob_talloc(sampass,
- pwd, historyLen*PW_HISTORY_ENTRY_LEN);
+ pwd, historyLen*PW_HISTORY_ENTRY_LEN);
+ data_blob_free(old_nt_pw_his);
if (!sampass->nt_pw_his.length) {
DEBUG(0, ("pdb_set_pw_history: data_blob_talloc() failed!\n"));
return False;
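Review bot: old_nt_pw_his in pdb_set_pw_history() is a pointer to sampass->nt_pw_his, not a copy of it, so after the member is reassigned the pointer refers to the new blob and data_blob_free(old_nt_pw_his) releases the history that was just set, while the old buffer is never freed here. The length check that follows then tests a blob that has just been freed and cleared. Keep the old blob by value instead, DATA_BLOB old_nt_pw_his = sampass->nt_pw_his; and call data_blob_free(&old_nt_pw_his) after the data_blob_talloc() copy.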
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index b31df84..69905c4 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -477,6 +477,12 @@ static int smbd_smb2_session_setup_state_destructor(struct smbd_smb2_session_set
state->smb2req->session = talloc_move(state->smb2req, &state->session);
/*
+ * We own the session now - we don't need the
+ * tag talloced on session that keeps track of session independently.
+ */
+ TALLOC_FREE(state->pp_self_ref);
+
+ /*
* We've made this session owned by the current request.
* Ensure that any outstanding requests don't also refer
* to it.
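Review bot: the new comment above TALLOC_FREE(state->pp_self_ref) says the tag is no longer needed but not why keeping it is unsafe, which is the use after free named in the commit subject. A sentence on what would otherwise reference the freed request state would help the next reader, and since the commit message has no body, this comment is the only place the reasoning can live.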
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 6e2dd44..17f3cfc 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -326,7 +326,8 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
}
/* Skip over all-zero hashes in the history */
- if (memcmp(nt_history_pwd->hash, zero_hash.hash, 16) == 0) {
+ if (memcmp(nt_history_pwd->hash, zero_hash.hash,
+ sizeof(zero_hash.hash)) == 0) {
continue;
}
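Review bot: the memcmp() length is now taken from zero_hash.hash while the first operand is nt_history_pwd->hash, which is only safe if both fields have the same size, and this hunk does not show their declarations. If they share a struct type this is fine; otherwise size the compare from nt_history_pwd->hash or assert that the two sizes match.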
diff --git a/source4/lib/registry/tests/registry.c b/source4/lib/registry/tests/registry.c
index b9b7c28..b4f4ae8 100644
--- a/source4/lib/registry/tests/registry.c
+++ b/source4/lib/registry/tests/registry.c
@@ -270,7 +270,7 @@ static bool test_query_key(struct torture_context *tctx, void *_data)
torture_assert_int_equal(tctx, num_values, 0, "num values");
error = reg_val_set(subkey, "", REG_SZ,
- data_blob_talloc(tctx, data, sizeof(data)));
+ data_blob_string_const(data));
torture_assert_werr_ok(tctx, error, "set default value");
error = reg_key_get_info(tctx, subkey, &classname,
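Review bot: data_blob_string_const(data) in the reg_val_set() call produces a blob of strlen(data) bytes that points at data without copying it, so the REG_SZ default value is set without a terminating NUL. If the terminator should be part of the value, data_blob_string_const_null(data) includes it; also confirm that reg_val_set() does not try to take talloc ownership of a blob that is no longer talloc-allocated.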
diff --git a/source4/torture/raw/open.c b/source4/torture/raw/open.c
index 763c718..679a7c2 100644
--- a/source4/torture/raw/open.c
+++ b/source4/torture/raw/open.c
@@ -1363,7 +1363,7 @@ static bool test_chained(struct torture_context *tctx, struct smbcli_state *cli)
NTSTATUS status;
int fnum = -1;
bool ret = true;
- const char *buf = "test";
+ const char buf[] = "test";
char buf2[4];
torture_assert(tctx, torture_setup_dir(cli, BASEDIR), "Failed to setup up test directory: " BASEDIR);
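Review bot: with const char buf[] = "test", sizeof(buf) in test_chained() becomes 5, one more than the char buf2[4] declared on the next line, so any later read-back or compare that sizes an access to buf2 with sizeof(buf) would run one byte past buf2. Either give buf2 the same size or use sizeof(buf2) or strlen(buf) at those call sites; the same applies to test_chained_ntcreatex_readx() further down, which has the same pair of declarations.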
@@ -1420,7 +1420,7 @@ static bool test_no_leading_slash(struct torture_context *tctx, struct smbcli_st
NTSTATUS status;
int fnum = -1;
bool ret = true;
- const char *buf = "test";
+ const char buf[] = "test";
torture_assert(tctx, torture_setup_dir(cli, BASEDIR), "Failed to setup up test directory: " BASEDIR);
@@ -1697,7 +1697,7 @@ static bool test_chained_ntcreatex_readx(struct torture_context *tctx, struct sm
NTSTATUS status;
int fnum = -1;
bool ret = true;
- const char *buf = "test";
+ const char buf[] = "test";
char buf2[4];
torture_assert(tctx, torture_setup_dir(cli, BASEDIR), "Failed to setup up test directory: " BASEDIR);
diff --git a/source4/winbind/wb_cmd_setgrent.c b/source4/winbind/wb_cmd_setgrent.c
index 452d9e7..aed5c70 100644
--- a/source4/winbind/wb_cmd_setgrent.c
+++ b/source4/winbind/wb_cmd_setgrent.c
@@ -115,6 +115,7 @@ static void cmd_setgrent_recv_group_list(struct composite_context *ctx)
group_list);
if (NT_STATUS_IS_OK(state->ctx->status) ||
NT_STATUS_EQUAL(state->ctx->status, STATUS_MORE_ENTRIES)) {
+ uint32_t resume_index = group_list->out.resume_index;
if( state->result->page_index == -1) { /* First run*/
state->result->group_list = group_list;
state->result->page_index = 0;
@@ -130,7 +131,7 @@ static void cmd_setgrent_recv_group_list(struct composite_context *ctx)
tmp[i+state->result->group_list->out.count].groupname = talloc_steal(state->result,group_list->out.groups[i].groupname);
}
state->result->group_list->out.count += group_list->out.count;
- talloc_free(group_list);
+ TALLOC_FREE(group_list);
}
@@ -140,7 +141,7 @@ static void cmd_setgrent_recv_group_list(struct composite_context *ctx)
group_list_send = talloc(state->result, struct libnet_GroupList);
if (composite_nomem(group_list_send, state->ctx)) return;
group_list_send->in.domain_name = talloc_strdup(state, state->domain_name);
- group_list_send->in.resume_index = group_list->out.resume_index;
+ group_list_send->in.resume_index = resume_index;
group_list_send->in.page_size = 128;
ctx = libnet_GroupList_send(state->libnet_ctx, state->result, group_list_send, NULL);
composite_continue(state->ctx, ctx, cmd_setgrent_recv_group_list, state);
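Review bot: group_list_send->in.resume_index now depends on the resume_index local that is only declared and assigned inside the OK/STATUS_MORE_ENTRIES block, and nothing at the declaration says why the value is copied. A short comment there, noting that group_list may be freed before the next request is built, would keep a later cleanup from reintroducing the read of group_list->out.resume_index. The matching change in wb_cmd_setpwent.c would benefit from the same comment.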
diff --git a/source4/winbind/wb_cmd_setpwent.c b/source4/winbind/wb_cmd_setpwent.c
index 8164d6f..ab9fd2e 100644
--- a/source4/winbind/wb_cmd_setpwent.c
+++ b/source4/winbind/wb_cmd_setpwent.c
@@ -115,6 +115,9 @@ static void cmd_setpwent_recv_user_list(struct composite_context *ctx)
user_list);
if (NT_STATUS_IS_OK(state->ctx->status) ||
NT_STATUS_EQUAL(state->ctx->status, STATUS_MORE_ENTRIES)) {
+
+ uint32_t resume_index = user_list->out.resume_index;
+
if (state->result->page_index == -1) { /* First run*/
state->result->user_list = user_list;
state->result->page_index = 0;
@@ -133,7 +136,7 @@ static void cmd_setpwent_recv_user_list(struct composite_context *ctx)
= talloc_strdup(state->result, user_list->out.users[i].username);
}
state->result->user_list->out.count = cnt;
- talloc_free(user_list);
+ TALLOC_FREE(user_list);
}
if (NT_STATUS_IS_OK(state->ctx->status) ) {
@@ -142,7 +145,7 @@ static void cmd_setpwent_recv_user_list(struct composite_context *ctx)
user_list_send = talloc(state->result, struct libnet_UserList);
if (composite_nomem(user_list_send, state->ctx)) return;
user_list_send->in.domain_name = talloc_strdup(state, state->domain_name);
- user_list_send->in.resume_index = user_list->out.resume_index;
+ user_list_send->in.resume_index = resume_index;
user_list_send->in.page_size = 128;
ctx = libnet_UserList_send(state->libnet_ctx, state->result, user_list_send, NULL);
composite_continue(state->ctx, ctx, cmd_setpwent_recv_user_list, state);
--
Samba Shared Repository