[SCM] Samba Shared Repository - branch v4-2-stable updated

Karolin Seeger kseeger at samba.org
Wed Dec 16 11:25:41 UTC 2015


The branch, v4-2-stable has been updated
       via  add4fe9 VERSION: Disable git snapshots for the 4.2.7 release.
       via  e59d852 WHATSNEW: Add release notes for Samba 4.2.7.
       via  2483d66 CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControl
       via  41e1e8b CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session
       via  3e8f112 CVE-2015-5296: s3:libsmb: force signing when requiring encryption in SMBC_server_internal()
       via  05d09fb CVE-2015-5296: s3:libsmb: force signing when requiring encryption in do_connect()
       via  1d8efe6 CVE-2015-5299: s3-shadow-copy2: fix missing access check on snapdir
       via  79e5023 CVE-2015-5252: s3: smbd: Fix symlink verification (file access outside the share).
       via  6dc18a6 ldb: bump version of the required system ldb to 1.1.24
       via  aa68bd3 CVE-2015-5330: ldb_dn_explode: copy strings by length, not terminators
       via  75b3ce6 CVE-2015-5330: next_codepoint_handle_ext: don't short-circuit UTF16 low bytes
       via  9c06833 CVE-2015-5330: strupper_talloc_n_handle(): properly count characters
       via  405170b CVE-2015-5330: Fix handling of unicode near string endings
       via  06f2d95 CVE-2015-5330: ldb_dn_escape_value: use known string length, not strlen()
       via  813ecea CVE-2015-5330: ldb_dn: simplify and fix ldb_dn_escape_internal()
       via  3c68b50 CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search.
       via  9c7e988 CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0.
       via  5f9d311 VERSION: Bump version up to 4.2.7...
      from  0a7b693 VERSION: Disable git snapshots for the 4.2.6 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-stable


- Log -----------------------------------------------------------------
commit add4fe9079dda8fb0bfd9763da85d65ed0063523
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Dec 10 12:49:10 2015 +0100

    VERSION: Disable git snapshots for the 4.2.7 release.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit e59d852d7dbc828ca810180a62189c96d68d8104
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Dec 10 12:24:44 2015 +0100

    WHATSNEW: Add release notes for Samba 4.2.7.
    
    This is a security release to address CVE-2015-3223, CVE-2015-5252,
    CVE-2015-5299, CVE-2015-5296, CVE-2015-8467, CVE-2015-5330.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 2483d66af2a298e1722dbe45ccadddf609817d67
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Nov 18 17:36:21 2015 +1300

    CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControl
    
    Swapping between account types is now restricted
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11552
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 41e1e8b9a25ef1052258f4355e2d2c2f41e29b14
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 30 21:23:25 2015 +0200

    CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 3e8f1123b2f89951b498d3d9a9af7f8dd68038c9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 30 21:17:02 2015 +0200

    CVE-2015-5296: s3:libsmb: force signing when requiring encryption in SMBC_server_internal()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 05d09fb2415f386ce9f2a3f4a86d10ef1abca020
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 30 21:17:02 2015 +0200

    CVE-2015-5296: s3:libsmb: force signing when requiring encryption in do_connect()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 1d8efe6abf1c98f62f07c4c4b869d8169d6904b4
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Oct 23 14:54:31 2015 -0700

    CVE-2015-5299: s3-shadow-copy2: fix missing access check on snapdir
    
    Fix originally from <partha at exablox.com>
    
    https://bugzilla.samba.org/show_bug.cgi?id=11529
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>

commit 79e5023a77b851b60a3a3e723013539f1e39b99b
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jul 9 10:58:11 2015 -0700

    CVE-2015-5252: s3: smbd: Fix symlink verification (file access outside the share).
    
    Ensure matching component ends in '/' or '\0'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit 6dc18a68a0581c33eb9005ebca84631fff176975
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Dec 8 10:55:42 2015 +0100

    ldb: bump version of the required system ldb to 1.1.24
    
    This is needed to ensure we build against a system ldb library that
    contains the fixes for CVE-2015-5330 and CVE-2015-3223.
    
    autobuild must still be able to build against the older version
    1.1.20 including the patches.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11325
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11636
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit aa68bd3430c421b83b24135d6ea4e7b6cd47d79f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Nov 26 11:17:11 2015 +1300

    CVE-2015-5330: ldb_dn_explode: copy strings by length, not terminators
    
    That is, memdup(), not strdup(). The terminators might not be there.
    
    But, we have to make sure we put the terminator on, because we tend to
    assume the terminator is there in other places.
    
    Use talloc_set_name_const() on the resulting chunk so talloc_report()
    remains unchanged.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
    Pair-programmed-with: Stefan Metzmacher <metze at samba.org>
    Pair-programmed-with: Ralph Boehme <slow at samba.org>

commit 75b3ce698912fa15a63078ed6325d50caec3717b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:54:09 2015 +1300

    CVE-2015-5330: next_codepoint_handle_ext: don't short-circuit UTF16 low bytes
    
    UTF16 contains zero bytes when it is encoding ASCII (for example), so we
    can't assume the absence of the 0x80 bit means a one-byte encoding. No
    current callers use UTF16.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 9c068332f0dd03d7cc00fadc50a5707d4d53a09f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:49:09 2015 +1300

    CVE-2015-5330: strupper_talloc_n_handle(): properly count characters
    
    When a codepoint eats more than one byte we really want to know,
    especially if the string is not NUL terminated.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 405170bd75c38b34c2dd635e7dc3ed90225a1776
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:47:16 2015 +1300

    CVE-2015-5330: Fix handling of unicode near string endings
    
    Until now next_codepoint_ext() and next_codepoint_handle_ext() were
    using strnlen(str, 5) to determine how much string they should try to
    decode. This ended up looking past the end of the string when it was not
    null terminated and the final character looked like a multi-byte encoding.
    The fix is to let the caller say how long the string can be.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 06f2d959478c20cdfe33361e727c1ce055cc62cf
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:09:36 2015 +1300

    CVE-2015-5330: ldb_dn_escape_value: use known string length, not strlen()
    
    ldb_dn_escape_internal() reports the number of bytes it copied, so
    let's use that number, rather than using strlen() and hoping a zero got
    in the right place.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 813eceafcada3a2ce260499d8792a943426bdac9
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:07:23 2015 +1300

    CVE-2015-5330: ldb_dn: simplify and fix ldb_dn_escape_internal()
    
    Previously we relied on NUL terminated strings and jumped back and
    forth between copying escaped bytes and memcpy()ing un-escaped chunks.
    This simple version is easier to reason about and works with
    unterminated strings. It may also be faster as it avoids reading the
    string twice (first with strcspn, then with memcpy).
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
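
The length-bounded escaping this commit describes, as an added C example that is not Samba's code (escape_dn_value, escape_dn_value_alloc and escapes_to are names chosen here, and the rule set is a simplification of RFC 2253): it walks exactly `len` bytes, turns an embedded NUL into `\00`, and hands the byte count back so the caller terminates the buffer itself instead of calling strlen():

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Length-bounded RFC 2253 value escaping, written for this post to show the
 * approach the commit describes: walk exactly `len` bytes, never consult a
 * NUL terminator, and return the byte count so the caller can terminate the
 * result itself. Not Samba's ldb_dn_escape_internal(); the rule set below is
 * a simplification chosen for the example.
 *
 * dst needs room for 3 * len bytes ("\XX" is the worst case). The output is
 * not NUL-terminated; the return value is the number of bytes written.
 */
static size_t escape_dn_value(char *dst, const unsigned char *src, size_t len)
{
	static const char hexbytes[] = "0123456789ABCDEF";
	char *d = dst;
	size_t i;

	for (i = 0; i < len; i++) {
		unsigned char c = src[i];

		switch (c) {
		case ' ':
			/* a leading or trailing space is written as "\ " */
			if (i == 0 || i == len - 1)
				*d++ = '\\';
			*d++ = ' ';
			break;
		case ',': case '+': case '"': case '\\':
		case '<': case '>': case '#':
			/* RFC 2253 specials use "\c" ('#' everywhere here, a simplification) */
			*d++ = '\\';
			*d++ = (char)c;
			break;
		case ';': case '=': case '\r': case '\n': case '\0':
			/* awkward bytes, including an embedded NUL, become "\XX" */
			*d++ = '\\';
			*d++ = hexbytes[c >> 4];
			*d++ = hexbytes[c & 0xF];
			break;
		default:
			*d++ = (char)c;
		}
	}
	return (size_t)(d - dst);
}

/*
 * Allocating wrapper in the spirit of ldb_dn_escape_value(): size for the
 * worst case, terminate at the returned length rather than trusting strlen()
 * on a buffer the escaper did not terminate, then shrink to fit. Caller frees.
 */
static char *escape_dn_value_alloc(const unsigned char *src, size_t len)
{
	char *dst, *fitted;
	size_t n;

	if (len == 0 || (dst = malloc(3 * len + 1)) == NULL)
		return NULL;
	n = escape_dn_value(dst, src, len);
	dst[n] = '\0';
	fitted = realloc(dst, n + 1);
	if (fitted == NULL) {
		free(dst);	/* a failed realloc leaves the old block allocated */
		return NULL;
	}
	return fitted;
}

/* Check helper: escape `len` bytes of src and compare with the expected text. */
static int escapes_to(const void *src, size_t len, const char *expected)
{
	char *out = escape_dn_value_alloc((const unsigned char *)src, len);
	int ok = out != NULL && strcmp(out, expected) == 0;

	free(out);
	return ok;
}

int main(void)
{
	/* constructed inputs: an embedded NUL, and a 3-byte buffer cut to 2 by len */
	printf("embedded NUL: %s\n", escapes_to("a\0b", 3, "a\\00b") ? "ok" : "FAIL");
	printf("length bound: %s\n", escapes_to("xyz", 2, "xy") ? "ok" : "FAIL");
	return 0;
}
```
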

commit 3c68b500a7beca60559dc073f53cc1aa1f9a8ba1
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 9 14:00:01 2015 -0700

    CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search.
    
    Values might have embedded zeros.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
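
An added example, not Samba code, of the binary-safe substring matching this commit moves to: an ldb_wildcard_compare()-style matcher over a memmem() equivalent (find_bytes, wildcard_match and match_pattern are names chosen for this example) that compares every piece by length, treats an empty chunk as a mismatch, and sizes the window after each occurrence so the greedy search for the final chunk never reads past the value:

```c
#include <stdio.h>
#include <string.h>

/* A value or a filter chunk with an explicit length, so NUL bytes are plain data. */
struct blob { const unsigned char *data; size_t length; };

/* Minimal memmem() equivalent so the example builds without _GNU_SOURCE. */
static const unsigned char *find_bytes(const unsigned char *hay, size_t haylen,
				       const unsigned char *needle, size_t nlen)
{
	size_t i;
	if (nlen == 0 || nlen > haylen)
		return NULL;
	for (i = 0; i + nlen <= haylen; i++)
		if (memcmp(hay + i, needle, nlen) == 0)
			return hay + i;
	return NULL;
}

/*
 * Match val against initial*chunk[0]*...*chunk[n-1], with an optional trailing
 * '*'. Shaped like ldb_wildcard_compare() but example code for this post, not
 * Samba's. Returns 1 on match, 0 on mismatch.
 */
static int wildcard_match(struct blob val, const struct blob *initial,
			  const struct blob *chunks, size_t nchunks,
			  int end_with_wildcard)
{
	size_t c;

	if (initial != NULL) {
		/* a zero-length piece (what canonicalise_fn may return) never matches */
		if (initial->length == 0 || initial->length > val.length ||
		    memcmp(val.data, initial->data, initial->length) != 0)
			return 0;
		val.data += initial->length;
		val.length -= initial->length;
	}
	for (c = 0; c < nchunks; c++) {
		const struct blob *cnk = &chunks[c];
		const unsigned char *p, *g;
		if (cnk->length == 0 ||
		    (p = find_bytes(val.data, val.length, cnk->data, cnk->length)) == NULL)
			return 0;
		if (c + 1 == nchunks && !end_with_wildcard) {
			/* the final chunk must be a suffix: move to its last occurrence */
			do {
				/* bytes left AFTER this occurrence: subtract cnk->length too */
				size_t left = val.length - (size_t)(p - val.data) - cnk->length;
				g = find_bytes(p + cnk->length, left, cnk->data, cnk->length);
				if (g != NULL)
					p = g;
			} while (g != NULL);
		}
		val.length -= (size_t)(p - val.data) + cnk->length;
		val.data = p + cnk->length;
	}
	/* with no trailing '*', the final chunk has to have consumed the value */
	return end_with_wildcard || val.length == 0;
}

/* Split a '*'-separated pattern, given by length so it may itself contain NUL
 * bytes, into the pieces wildcard_match() expects (at most 9 pieces here). */
static int match_pattern(const void *value, size_t vlen,
			 const void *pattern, size_t plen)
{
	const unsigned char *pat = pattern;
	struct blob val = { value, vlen }, pieces[9];
	size_t start = 0, i, n = 0;
	int anchored = plen > 0 && pat[0] != '*';	/* text before the first '*' */
	for (i = 0; i <= plen; i++) {
		if (i < plen && pat[i] != '*')
			continue;
		if (i > start && n < 9) {	/* a non-empty piece ends here */
			pieces[n].data = pat + start;
			pieces[n++].length = i - start;
		}
		start = i + 1;
	}
	return wildcard_match(val, anchored ? &pieces[0] : NULL,
			      pieces + anchored, n - anchored,
			      plen > 0 && pat[plen - 1] == '*');
}

int main(void)
{
	/* constructed sample: value and pattern both carry an embedded NUL byte */
	printf("%d\n", match_pattern("foo\0bar", 7, "foo*\0b*", 7));
	return 0;
}
```
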

commit 9c7e988969f5d80454d62c1d2154810b3976b818
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 9 12:42:10 2015 -0700

    CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                 |   2 +-
 WHATSNEW.txt                            | 151 +++++++++++++++++++++++++++++++-
 lib/ldb/common/ldb_dn.c                 |  67 +++++++-------
 lib/ldb/common/ldb_match.c              |  33 +++++--
 lib/ldb/wscript                         |   5 +-
 lib/util/charset/charset.h              |   9 +-
 lib/util/charset/codepoints.c           |  29 ++++--
 lib/util/charset/util_str.c             |   3 +-
 lib/util/charset/util_unistr.c          |   6 +-
 libcli/smb/smbXcli_base.c               |  11 +++
 script/autobuild.py                     |   2 +-
 source3/libsmb/clidfs.c                 |   7 +-
 source3/libsmb/libsmb_server.c          |  15 +++-
 source3/modules/vfs_shadow_copy2.c      |  45 ++++++++++
 source3/smbd/vfs.c                      |  13 ++-
 source4/dsdb/samdb/ldb_modules/samldb.c |  24 ++++-
 16 files changed, 351 insertions(+), 71 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 3d49de5..ee42829 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=2
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a13c837..055f03f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,151 @@
                    =============================
+                   Release Notes for Samba 4.2.7
+                         December 16, 2015
+                   =============================
+
+
+This is a security release in order to address the following CVEs:
+
+o  CVE-2015-3223 (Denial of service in Samba Active Directory
+		  server)
+o  CVE-2015-5252 (Insufficient symlink verification in smbd)
+o  CVE-2015-5299 (Missing access control check in shadow copy
+		  code)
+o  CVE-2015-5296 (Samba client requesting encryption vulnerable
+		  to downgrade attack)
+o  CVE-2015-8467 (Denial of service attack against Windows
+		  Active Directory server)
+o  CVE-2015-5330 (Remote memory read in Samba LDAP server)
+
+Please note that if building against a system libldb, the required
+version has been bumped to ldb-1.1.24.  This is needed to ensure
+we build against a system ldb library that contains the fixes
+for CVE-2015-5330 and CVE-2015-3223.
+
+=======
+Details
+=======
+
+o  CVE-2015-3223:
+   All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
+   ldb versions up to 1.1.23 inclusive) are vulnerable to
+   a denial of service attack in the samba daemon LDAP server.
+
+   A malicious client can send packets that cause the LDAP server in the
+   samba daemon process to become unresponsive, preventing the server
+   from servicing any other requests.
+
+   This flaw is not exploitable beyond causing the code to loop expending
+   CPU resources.
+
+o  CVE-2015-5252:
+   All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
+   a bug in symlink verification, which under certain circumstances could
+   allow client access to files outside the exported share path.
+
+   If a Samba share is configured with a path that shares a common path
+   prefix with another directory on the file system, the smbd daemon may
+   allow the client to follow a symlink pointing to a file or directory
+   in that other directory, even if the share parameter "wide links" is
+   set to "no" (the default).
+
+o  CVE-2015-5299:
+   All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
+   a missing access control check in the vfs_shadow_copy2 module. When
+   looking for the shadow copy directory under the share path the current
+   accessing user should have DIRECTORY_LIST access rights in order to
+   view the current snapshots.
+
+   This was not being checked in the affected versions of Samba.
+
+o  CVE-2015-5296:
+   Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
+   signing is negotiated when creating an encrypted client connection to
+   a server.
+
+   Without this a man-in-the-middle attack could downgrade the connection
+   and connect using the supplied credentials as an unsigned, unencrypted
+   connection.
+
+o  CVE-2015-8467:
+   Samba, operating as an AD DC, is sometimes operated in a domain with a
+   mix of Samba and Windows Active Directory Domain Controllers.
+
+   All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
+   an AD DC in the same domain with Windows DCs, could be used to
+   override the protection against the MS15-096 / CVE-2015-2535 security
+   issue in Windows.
+
+   Prior to MS16-096 it was possible to bypass the quota of machine
+   accounts a non-administrative user could create.  Pure Samba domains
+   are not impacted, as Samba does not implement the
+   SeMachineAccountPrivilege functionality to allow non-administrator
+   users to create new computer objects.
+
+o  CVE-2015-5330:
+   All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
+   ldb versions up to 1.1.23 inclusive) are vulnerable to
+   a remote memory read attack in the samba daemon LDAP server.
+
+   A malicious client can send packets that cause the LDAP server in the
+   samba daemon process to return heap memory beyond the length of the
+   requested value.
+
+   This memory may contain data that the client should not be allowed to
+   see, allowing compromise of the server.
+
+   The memory may either be returned to the client in an error string, or
+   stored in the database by a suitabily privileged user.  If untrusted
+   users can create objects in your database, please confirm that all DN
+   and name attributes are reasonable.
+
+
+Changes since 4.2.6:
+--------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for
+     userAccountControl.
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS.
+   * BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file
+     access outside the share).
+   * BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on
+     snapdir.
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing
+     smb encryption on the client side.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.2.6
                          December 08, 2015
                    =============================
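Review bot: the CVE-2015-8467 entry says "Prior to MS16-096" while the same entry and the commit title refer to MS15-096; the bulletin number should be made consistent. In the CVE-2015-5330 entry "suitabily privileged" should read "suitably privileged".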
@@ -80,10 +227,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
 
-======================================================================
 
                    =============================
                    Release Notes for Samba 4.2.5
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index 6b6f90c..cd17cda 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -189,33 +189,23 @@ struct ldb_dn *ldb_dn_new_fmt(TALLOC_CTX *mem_ctx,
 /* see RFC2253 section 2.4 */
 static int ldb_dn_escape_internal(char *dst, const char *src, int len)
 {
-	const char *p, *s;
+	char c;
 	char *d;
-	size_t l;
-
-	p = s = src;
+	int i;
 	d = dst;
 
-	while (p - src < len) {
-		p += strcspn(p, ",=\n\r+<>#;\\\" ");
-
-		if (p - src == len) /* found no escapable chars */
-			break;
-
-		/* copy the part of the string before the stop */
-		memcpy(d, s, p - s);
-		d += (p - s); /* move to current position */
-		
-		switch (*p) {
+	for (i = 0; i < len; i++){
+		c = src[i];
+		switch (c) {
 		case ' ':
-			if (p == src || (p-src)==(len-1)) {
+			if (i == 0 || i == len - 1) {
 				/* if at the beginning or end
 				 * of the string then escape */
 				*d++ = '\\';
-				*d++ = *p++;					 
+				*d++ = c;
 			} else {
 				/* otherwise don't escape */
-				*d++ = *p++;
+				*d++ = c;
 			}
 			break;
 
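Review bot: style nit in the new loop header `for (i = 0; i < len; i++){`, which wants a space before the brace to match the surrounding code. The function also deserves a comment stating its new contract: it no longer copies a terminator, so every caller must NUL-terminate at the returned length (ldb_dn_escape_value does so below) and must size dst for three output bytes per input byte, since the loop now runs over embedded NULs and any byte may take the "\XX" form.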
@@ -231,36 +221,36 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len)
 		case '?':
 			/* these must be escaped using \c form */
 			*d++ = '\\';
-			*d++ = *p++;
+			*d++ = c;
 			break;
 
-		default: {
+		case ';':
+		case '\r':
+		case '\n':
+		case '=':
+		case '\0': {
 			/* any others get \XX form */
 			unsigned char v;
 			const char *hexbytes = "0123456789ABCDEF";
-			v = *(const unsigned char *)p;
+			v = (const unsigned char)c;
 			*d++ = '\\';
 			*d++ = hexbytes[v>>4];
 			*d++ = hexbytes[v&0xF];
-			p++;
 			break;
 		}
+		default:
+			*d++ = c;
 		}
-		s = p; /* move forward */
 	}
 
-	/* copy the last part (with zero) and return */
-	l = len - (s - src);
-	memcpy(d, s, l + 1);
-
 	/* return the length of the resulting string */
-	return (l + (d - dst));
+	return (d - dst);
 }
 
 char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
 {
 	char *dst;
-
+	size_t len;
 	if (!value.length)
 		return NULL;
 
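Review bot: `v = (const unsigned char)c;` casts to a const scalar, which has no effect; `(unsigned char)c` is what is meant. The function is still declared with `int len` and an `int` return while the caller stores the result in `size_t len` and passes `value.length`; making both `size_t` would remove the signed/unsigned mismatch. Minor: the new `size_t len;` declaration replaced the blank line that separated the declarations from the `if (!value.length)` check.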
@@ -271,10 +261,14 @@ char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
 		return NULL;
 	}
 
-	ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
-
-	dst = talloc_realloc(mem_ctx, dst, char, strlen(dst) + 1);
+	len = ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
 
+	dst = talloc_realloc(mem_ctx, dst, char, len + 1);
+	if ( ! dst) {
+		talloc_free(dst);
+		return NULL;
+	}
+	dst[len] = '\0';
 	return dst;
 }
 
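Review bot: the failure branch after `talloc_realloc` cannot do what it intends: on failure the call returns NULL, so `dst` is already NULL, `talloc_free(dst)` is a no-op, and the original buffer (still allocated under mem_ctx) is lost. Keep the old pointer in a temporary, for example `tmp = talloc_realloc(mem_ctx, dst, char, len + 1); if (tmp == NULL) { talloc_free(dst); return NULL; } dst = tmp;`. Terminating at the returned length instead of strlen() is the right fix for values that contain NUL bytes.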
@@ -592,12 +586,15 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
 
 				p++;
 				*d++ = '\0';
-				dn->components[dn->comp_num].value.data = (uint8_t *)talloc_strdup(dn->components, dt);
+				dn->components[dn->comp_num].value.data = \
+					(uint8_t *)talloc_memdup(dn->components, dt, l + 1);
 				dn->components[dn->comp_num].value.length = l;
 				if ( ! dn->components[dn->comp_num].value.data) {
 					/* ouch ! */
 					goto failed;
 				}
+				talloc_set_name_const(dn->components[dn->comp_num].value.data,
+						      (const char *)dn->components[dn->comp_num].value.data);
 
 				dt = d;
 
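Review bot: the backslash ending `dn->components[dn->comp_num].value.data = \` is a line continuation that C does not need outside a macro; drop it and simply break the line after `=`. Copying `l + 1` bytes with talloc_memdup keeps the terminator that `*d++ = '\0'` just wrote, so consumers that still expect a NUL-terminated value remain safe.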
@@ -713,11 +710,13 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
 	*d++ = '\0';
 	dn->components[dn->comp_num].value.length = l;
 	dn->components[dn->comp_num].value.data =
-				(uint8_t *)talloc_strdup(dn->components, dt);
+		(uint8_t *)talloc_memdup(dn->components, dt, l + 1);
 	if ( ! dn->components[dn->comp_num].value.data) {
 		/* ouch */
 		goto failed;
 	}
+	talloc_set_name_const(dn->components[dn->comp_num].value.data,
+			      (const char *)dn->components[dn->comp_num].value.data);
 
 	dn->comp_num++;
 
diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index a493dae..182c6ce 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -241,7 +241,6 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 	struct ldb_val val;
 	struct ldb_val cnk;
 	struct ldb_val *chunk;
-	char *p, *g;
 	uint8_t *save_p = NULL;
 	unsigned int c = 0;
 
@@ -271,6 +270,14 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 		if (cnk.length > val.length) {
 			goto mismatch;
 		}
+		/*
+		 * Empty strings are returned as length 0. Ensure
+		 * we can cope with this.
+		 */
+		if (cnk.length == 0) {
+			goto mismatch;
+		}
+
 		if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto mismatch;
 		val.length -= cnk.length;
 		val.data += cnk.length;
@@ -280,20 +287,36 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 	}
 
 	while (tree->u.substring.chunks[c]) {
+		uint8_t *p;
 
 		chunk = tree->u.substring.chunks[c];
 		if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
 
-		/* FIXME: case of embedded nulls */
-		p = strstr((char *)val.data, (char *)cnk.data);
+		/*
+		 * Empty strings are returned as length 0. Ensure
+		 * we can cope with this.
+		 */
+		if (cnk.length == 0) {
+			goto mismatch;
+		}
+		/*
+		 * Values might be binary blobs. Don't use string
+		 * search, but memory search instead.
+		 */
+		p = memmem((const void *)val.data,val.length,
+			   (const void *)cnk.data, cnk.length);
 		if (p == NULL) goto mismatch;
 		if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
+			uint8_t *g;
 			do { /* greedy */
-				g = strstr((char *)p + cnk.length, (char *)cnk.data);
+				g = memmem(p + cnk.length,
+					val.length - (p - val.data),
+					(const uint8_t *)cnk.data,
+					cnk.length);
 				if (g) p = g;
 			} while(g);
 		}
-		val.length = val.length - (p - (char *)(val.data)) - cnk.length;
+		val.length = val.length - (p - (uint8_t *)(val.data)) - cnk.length;
 		val.data = (uint8_t *)(p + cnk.length);
 		c++;
 		talloc_free(cnk.data);
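Review bot: the greedy search window in the final-chunk loop is too long: once `p` is found, the bytes left after that occurrence are `val.length - (p - val.data) - cnk.length`, but the call passes `val.length - (p - val.data)`, so memmem starting at `p + cnk.length` is told it may read `cnk.length` bytes beyond the end of `val.data`. Suggest `g = memmem(p + cnk.length, val.length - (p - val.data) - cnk.length, cnk.data, cnk.length);`. The `(const uint8_t *)cnk.data` cast is also inconsistent with the `(const void *)` casts used a few lines above, and `(uint8_t *)(p + cnk.length)` is now a no-op cast since `p` is a `uint8_t *`.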
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 6391e74..18e315b 100755
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -2,6 +2,7 @@
 
 APPNAME = 'ldb'
 VERSION = '1.1.20'
+SYSTEM_VERSION = '1.1.24'
 
 blddir = 'bin'
 
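Review bot: SYSTEM_VERSION needs a one-line comment saying why it is higher than VERSION (the bundled copy stays at 1.1.20 with the CVE fixes applied, while a system ldb must be 1.1.24 to contain them); without it the next person touching this file will be tempted to fold the two constants back together.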
@@ -55,11 +56,11 @@ def configure(conf):
     conf.env.standalone_ldb = conf.IN_LAUNCH_DIR()
 
     if not conf.env.standalone_ldb:
-        if conf.CHECK_BUNDLED_SYSTEM_PKG('ldb', minversion=VERSION,
+        if conf.CHECK_BUNDLED_SYSTEM_PKG('ldb', minversion=SYSTEM_VERSION,
                                      onlyif='talloc tdb tevent',
                                      implied_deps='replace talloc tdb tevent'):
             conf.define('USING_SYSTEM_LDB', 1)
-        if conf.CHECK_BUNDLED_SYSTEM_PKG('pyldb-util', minversion=VERSION,
+        if conf.CHECK_BUNDLED_SYSTEM_PKG('pyldb-util', minversion=SYSTEM_VERSION,
                                      onlyif='talloc tdb tevent ldb',
                                      implied_deps='replace talloc tdb tevent ldb'):
             conf.define('USING_SYSTEM_PYLDB_UTIL', 1)
diff --git a/lib/util/charset/charset.h b/lib/util/charset/charset.h
index e4297e4..060f1cf 100644
--- a/lib/util/charset/charset.h
+++ b/lib/util/charset/charset.h
@@ -171,15 +171,16 @@ smb_iconv_t get_conv_handle(struct smb_iconv_handle *ic,
 			    charset_t from, charset_t to);
 const char *charset_name(struct smb_iconv_handle *ic, charset_t ch);
 
-codepoint_t next_codepoint_ext(const char *str, charset_t src_charset,
-			       size_t *size);
+codepoint_t next_codepoint_ext(const char *str, size_t len,
+			       charset_t src_charset, size_t *size);
 codepoint_t next_codepoint(const char *str, size_t *size);
 ssize_t push_codepoint(char *str, codepoint_t c);
 
 /* codepoints */
 codepoint_t next_codepoint_handle_ext(struct smb_iconv_handle *ic,
-			    const char *str, charset_t src_charset,
-			    size_t *size);
+				      const char *str, size_t len,
+				      charset_t src_charset,
+				      size_t *size);
 codepoint_t next_codepoint_handle(struct smb_iconv_handle *ic,
 			    const char *str, size_t *size);
 ssize_t push_codepoint_handle(struct smb_iconv_handle *ic,
diff --git a/lib/util/charset/codepoints.c b/lib/util/charset/codepoints.c
index 0984164..19d084f 100644
--- a/lib/util/charset/codepoints.c
+++ b/lib/util/charset/codepoints.c
@@ -319,7 +319,8 @@ smb_iconv_t get_conv_handle(struct smb_iconv_handle *ic,
  */
 _PUBLIC_ codepoint_t next_codepoint_handle_ext(
 			struct smb_iconv_handle *ic,
-			const char *str, charset_t src_charset,
+			const char *str, size_t len,
+			charset_t src_charset,
 			size_t *bytes_consumed)
 {
 	/* it cannot occupy more than 4 bytes in UTF16 format */
@@ -330,7 +331,10 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext(
 	size_t olen;
 	char *outbuf;
 
-	if ((str[0] & 0x80) == 0) {
+
+	if (((str[0] & 0x80) == 0) && (src_charset == CH_DOS ||
+				       src_charset == CH_UNIX ||
+				       src_charset == CH_UTF8)) {
 		*bytes_consumed = 1;
 		return (codepoint_t)str[0];
 	}
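Review bot: the fast path still reads `str[0]` before anything has checked that `len` is at least 1, so a caller honouring the new length parameter with `len == 0` triggers exactly the out-of-bounds read this change is meant to stop; test `len` first. The extra blank line inserted above the `if` also looks unintended.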
@@ -339,7 +343,7 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext(
 	 * we assume that no multi-byte character can take more than 5 bytes.
 	 * This is OK as we only support codepoints up to 1M (U+100000)
 	 */
-	ilen_orig = strnlen(str, 5);
+	ilen_orig = MIN(len, 5);
 	ilen = ilen_orig;
 
 	descriptor = get_conv_handle(ic, src_charset, CH_UTF16);
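Review bot: with `ilen_orig = MIN(len, 5)` a zero `len` makes `ilen` zero and the converter is driven with an empty input buffer; returning INVALID_CODEPOINT early for `len == 0` would make the contract explicit rather than relying on the conversion path to fail cleanly.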
@@ -395,9 +399,16 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext(
   return INVALID_CODEPOINT if the next character cannot be converted
 */
 _PUBLIC_ codepoint_t next_codepoint_handle(struct smb_iconv_handle *ic,
-				    const char *str, size_t *size)
+					   const char *str, size_t *size)
 {
-	return next_codepoint_handle_ext(ic, str, CH_UNIX, size);
+	/*
+	 * We assume that no multi-byte character can take more than 5 bytes
+	 * thus avoiding walking all the way down a long string. This is OK as
+	 * Unicode codepoints only go up to (U+10ffff), which can always be
+	 * encoded in 4 bytes or less.
+	 */
+	return next_codepoint_handle_ext(ic, str, strnlen(str, 5), CH_UNIX,
+					 size);
 }
 
 /*
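Review bot: the new comment in next_codepoint_handle says Unicode codepoints go up to U+10ffff and fit in 4 bytes, but the comment kept in next_codepoint_handle_ext a few hunks up still says "we only support codepoints up to 1M (U+100000)"; the two should agree. The `strnlen(str, 5)` bound here is only safe for NUL-terminated input; callers holding an unterminated buffer need to go through the `_ext` variant with an explicit length.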
@@ -459,11 +470,11 @@ _PUBLIC_ ssize_t push_codepoint_handle(struct smb_iconv_handle *ic,
 	return 5 - olen;


-- 
Samba Shared Repository


