[SCM] Samba Shared Repository - branch v4-1-stable updated

Karolin Seeger kseeger at samba.org
Wed Dec 16 11:26:34 UTC 2015


The branch, v4-1-stable has been updated
       via  cd89c83 VERSION: Disable git snapshots for the 4.1.22 release.
       via  219533c WHATSNEW: Add release notes for Samba 4.1.22.
       via  bf13cbd CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControl
       via  c634a14 CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session
       via  4c3a492 CVE-2015-5296: s3:libsmb: force signing when requiring encryption in SMBC_server_internal()
       via  d9e943e CVE-2015-5296: s3:libsmb: force signing when requiring encryption in do_connect()
       via  fa77778 CVE-2015-5299: s3-shadow-copy2: fix missing access check on snapdir
       via  f0cb216 CVE-2015-5252: s3: smbd: Fix symlink verification (file access outside the share).
       via  9d989c9 CVE-2015-7540: lib: util: Check *every* asn1 return call and early return.
       via  530d50a CVE-2015-7540: s4: libcli: ldap message - Ensure all asn1_XX returns are checked.
       via  582d0e7 ldb: bump version of the required system ldb to 1.1.24
       via  83f1d39 CVE-2015-5330: ldb_dn_explode: copy strings by length, not terminators
       via  f07626d CVE-2015-5330: next_codepoint_handle_ext: don't short-circuit UTF16 low bytes
       via  a561ae6 CVE-2015-5330: strupper_talloc_n_handle(): properly count characters
       via  5f3c754 CVE-2015-5330: Fix handling of unicode near string endings
       via  7bcac23 CVE-2015-5330: ldb_dn_escape_value: use known string length, not strlen()
       via  1aef718 CVE-2015-5330: ldb_dn: simplify and fix ldb_dn_escape_internal()
       via  bb1b783 CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search.
       via  fb45695 CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0.
       via  776eb21 VERSION: Bump version up to 4.1.22...
      from  6397681 VERSION: Disable git snapshots for the 4.1.21 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable


- Log -----------------------------------------------------------------
commit cd89c8372cbc5868f23094a9b7481be21a89a7e9
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Dec 10 12:45:56 2015 +0100

    VERSION: Disable git snapshots for the 4.1.22 release.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 219533c28f8d15465b0faea4624a640255b71801
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Dec 10 12:09:38 2015 +0100

    WHATSNEW: Add release notes for Samba 4.1.22.
    
    This is a security release to address CVE-2015-7540, CVE-2015-3223,
    CVE-2015-5252, CVE-2015-5299, CVE-2015-5296, CVE-2015-8467,
    CVE-2015-5330.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit bf13cbd3f33c31483b172fc094b0e5946e899bc4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Nov 18 17:36:21 2015 +1300

    CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControl
    
    Swapping between account types is now restricted
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11552
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit c634a143a876bd5a724d830c54fe12ef6d68d5fd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 30 21:23:25 2015 +0200

    CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 4c3a492259ceefe3d02df690d4369291627883a2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 30 21:17:02 2015 +0200

    CVE-2015-5296: s3:libsmb: force signing when requiring encryption in SMBC_server_internal()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit d9e943e351a752ba627314da7fb8d2f6f1eb44b3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 30 21:17:02 2015 +0200

    CVE-2015-5296: s3:libsmb: force signing when requiring encryption in do_connect()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit fa777786d75272e3190dcbd32eeff9b3e4f03bde
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Oct 23 14:54:31 2015 -0700

    CVE-2015-5299: s3-shadow-copy2: fix missing access check on snapdir
    
    Fix originally from <partha at exablox.com>
    
    https://bugzilla.samba.org/show_bug.cgi?id=11529
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>

commit f0cb216f6385460d4d3c728257baaaa26a95c5d1
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jul 9 10:58:11 2015 -0700

    CVE-2015-5252: s3: smbd: Fix symlink verification (file access outside the share).
    
    Ensure matching component ends in '/' or '\0'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit 9d989c9dd7a5b92d0c5d65287935471b83b6e884
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Sep 18 13:58:45 2014 -0700

    CVE-2015-7540: lib: util: Check *every* asn1 return call and early return.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9187
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Sep 19 01:29:00 CEST 2014 on sn-devel-104
    
    (cherry picked from commit b9d3fd4cc551df78a7b066ee8ce43bbaa3ff994a)

commit 530d50a1abdcdf4d1775652d4c456c1274d83d8d
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Sep 22 16:08:26 2014 -0700

    CVE-2015-7540: s4: libcli: ldap message - Ensure all asn1_XX returns are checked.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9187
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ronnie Sahlberg <ronniesahlberg at gmail.com>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Sep 26 03:15:00 CEST 2014 on sn-devel-104
    
    (cherry picked from commit 69a7e3cfdc8dbba9c8dcfdfae82d2894c7247e15)

commit 582d0e7b7549008c908cb30878a1db0bbe4d21bb
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Dec 8 10:55:42 2015 +0100

    ldb: bump version of the required system ldb to 1.1.24
    
    This is needed to ensure we build against a system ldb library that
    contains the fixes for CVE-2015-5330 and CVE-2015-3223.
    
    autobuild must still be able to build against the older version
    1.1.17 including the patches.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11325
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11636
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 83f1d39cd9ab9b8b548602f9ee806a994fca9d0c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Nov 26 11:17:11 2015 +1300

    CVE-2015-5330: ldb_dn_explode: copy strings by length, not terminators
    
    That is, memdup(), not strdup(). The terminators might not be there.
    
    But, we have to make sure we put the terminator on, because we tend to
    assume the terminator is there in other places.
    
    Use talloc_set_name_const() on the resulting chunk so talloc_report()
    remains unchanged.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
    Pair-programmed-with: Stefan Metzmacher <metze at samba.org>
    Pair-programmed-with: Ralph Boehme <slow at samba.org>

commit f07626d0297ed6bd21623409e1ea1ae1138d23a8
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:54:09 2015 +1300

    CVE-2015-5330: next_codepoint_handle_ext: don't short-circuit UTF16 low bytes
    
    UTF16 contains zero bytes when it is encoding ASCII (for example), so we
    can't assume the absence of the 0x80 bit means a one byte encoding. No
    current callers use UTF16.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit a561ae6294fa926bf3a15b9aaf3d18d25d5e971f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:49:09 2015 +1300

    CVE-2015-5330: strupper_talloc_n_handle(): properly count characters
    
    When a codepoint eats more than one byte we really want to know,
    especially if the string is not NUL terminated.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 5f3c7541c2f10ac2174538288f6569af587d69f0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:47:16 2015 +1300

    CVE-2015-5330: Fix handling of unicode near string endings
    
    Until now next_codepoint_ext() and next_codepoint_handle_ext() were
    using strnlen(str, 5) to determine how much string they should try to
    decode. This ended up looking past the end of the string when it was not
    null terminated and the final character looked like a multi-byte encoding.
    The fix is to let the caller say how long the string can be.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
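The two commit messages above (a561ae6 and 5f3c754) describe the root of CVE-2015-5330: a decoder that used strnlen(str, 5) to decide how many bytes to look at could walk past the end of a buffer that was not NUL terminated. The following is an added illustration written for this post, not Samba's next_codepoint_ext() or strupper_talloc_n_handle(): a length-bounded UTF-8 decoder and a code point counter in which the caller states how many bytes are valid and the decoder never reads beyond them. The function names (next_codepoint_bounded, first_codepoint, count_codepoints) and the sample buffers are assumptions made up here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not Samba code: a length-bounded UTF-8 decoder in the
 * spirit of the CVE-2015-5330 fix. The caller passes how many bytes are
 * valid; the decoder never reads str[n] or beyond, so an unterminated
 * buffer ending in a lead byte is reported as truncated instead of being
 * decoded from whatever happens to follow it in memory.
 *
 * Returns the number of bytes consumed (1..4) and stores the code point
 * in *cp; returns 0 for an empty, truncated or malformed sequence.
 */
size_t next_codepoint_bounded(const char *str, size_t n, uint32_t *cp)
{
	const unsigned char *s = (const unsigned char *)str;
	size_t need, i;
	uint32_t v;

	if (n == 0) {
		return 0;
	}
	if (s[0] < 0x80) {
		*cp = s[0];		/* one byte ASCII */
		return 1;
	}
	if ((s[0] & 0xE0) == 0xC0) {
		need = 2; v = s[0] & 0x1F;
	} else if ((s[0] & 0xF0) == 0xE0) {
		need = 3; v = s[0] & 0x0F;
	} else if ((s[0] & 0xF8) == 0xF0) {
		need = 4; v = s[0] & 0x07;
	} else {
		return 0;	/* stray continuation byte or invalid lead byte */
	}
	if (need > n) {
		return 0;	/* buffer ends inside the sequence: do not read on */
	}
	for (i = 1; i < need; i++) {
		if ((s[i] & 0xC0) != 0x80) {
			return 0;	/* malformed continuation byte */
		}
		v = (v << 6) | (s[i] & 0x3F);
	}
	*cp = v;
	return need;
}

/* Decode only the first code point; UINT32_MAX means "no valid code point". */
uint32_t first_codepoint(const char *str, size_t n)
{
	uint32_t cp;
	return next_codepoint_bounded(str, n, &cp) ? cp : UINT32_MAX;
}

/*
 * Count code points in the first n bytes of a possibly unterminated
 * buffer, the way a length-aware routine must. Returns -1 if the buffer
 * ends in the middle of a sequence or holds malformed UTF-8.
 */
long count_codepoints(const char *str, size_t n)
{
	size_t off = 0;
	long count = 0;

	while (off < n) {
		uint32_t cp;
		size_t used = next_codepoint_bounded(str + off, n - off, &cp);
		if (used == 0) {
			return -1;
		}
		off += used;
		count++;
	}
	return count;
}

int main(void)
{
	/* Constructed input: "ab" followed by U+00E9 (bytes 0xC3 0xA9). */
	const char *buf = "ab\xC3\xA9";

	printf("4 bytes -> %ld code points\n", count_codepoints(buf, 4));
	printf("3 bytes -> %ld (lead byte at the end is rejected)\n",
	       count_codepoints(buf, 3));
	return 0;
}
```

The important line is the `need > n` check: once the caller has told the decoder the buffer length, a trailing lead byte is an error to report, not an invitation to keep reading.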

commit 7bcac237656083e67bbac9b50be9b319bb2d7eb8
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:09:36 2015 +1300

    CVE-2015-5330: ldb_dn_escape_value: use known string length, not strlen()
    
    ldb_dn_escape_internal() reports the number of bytes it copied, so
    let's use that number, rather than using strlen() and hoping a zero got
    in the right place.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 1aef718f3cc175d90d40202a333042a38ba382b1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Nov 24 13:07:23 2015 +1300

    CVE-2015-5330: ldb_dn: simplify and fix ldb_dn_escape_internal()
    
    Previously we relied on NUL terminated strings and jumped back and
    forth between copying escaped bytes and memcpy()ing un-escaped chunks.
    This simple version is easier to reason about and works with
    unterminated strings. It may also be faster as it avoids reading the
    string twice (first with strcspn, then with memcpy).
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Pair-programmed-with: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit bb1b783ee9d7259cfc6a1fe882f22189747f8684
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 9 14:00:01 2015 -0700

    CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search.
    
    Values might have embedded zeros.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit fb456954f332c07a645226d59b3b00ec252f8b26
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 9 12:42:10 2015 -0700

    CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11325
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                 |   2 +-
 WHATSNEW.txt                            | 162 ++++++-
 lib/ldb/common/ldb_dn.c                 |  67 ++-
 lib/ldb/common/ldb_match.c              |  33 +-
 lib/ldb/wscript                         |   5 +-
 lib/util/asn1.c                         | 106 ++---
 lib/util/charset/charset.h              |   9 +-
 lib/util/charset/codepoints.c           |  29 +-
 lib/util/charset/util_str.c             |   3 +-
 lib/util/charset/util_unistr.c          |   6 +-
 libcli/ldap/ldap_message.c              | 786 ++++++++++++++++----------------
 libcli/ldap/ldap_message.h              |   2 +-
 libcli/smb/smbXcli_base.c               |  11 +
 script/autobuild.py                     |   2 +-
 source3/libsmb/clidfs.c                 |   7 +-
 source3/libsmb/libsmb_server.c          |  15 +-
 source3/modules/vfs_shadow_copy2.c      |  45 ++
 source3/smbd/vfs.c                      |  13 +-
 source4/dsdb/samdb/ldb_modules/samldb.c |  24 +-
 source4/libcli/ldap/ldap_controls.c     |   8 +-
 20 files changed, 808 insertions(+), 527 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 06ca3ff..873257e 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=1
-SAMBA_VERSION_RELEASE=21
+SAMBA_VERSION_RELEASE=22
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 1c01e2b..2cd1a20 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,162 @@
                    ==============================
+                   Release Notes for Samba 4.1.22
+                          December 16, 2015
+                   ==============================
+
+
+This is a security release in order to address the following CVEs:
+
+o  CVE-2015-7540 (Remote DoS in Samba (AD) LDAP server)
+o  CVE-2015-3223 (Denial of service in Samba Active Directory
+		  server)
+o  CVE-2015-5252 (Insufficient symlink verification in smbd)
+o  CVE-2015-5299 (Missing access control check in shadow copy
+		  code)
+o  CVE-2015-5296 (Samba client requesting encryption vulnerable
+		  to downgrade attack)
+o  CVE-2015-8467 (Denial of service attack against Windows
+		  Active Directory server)
+o  CVE-2015-5330 (Remote memory read in Samba LDAP server)
+
+Please note that if building against a system libldb, the required
+version has been bumped to ldb-1.1.24.  This is needed to ensure
+we build against a system ldb library that contains the fixes
+for CVE-2015-5330 and CVE-2015-3223.
+
+=======
+Details
+=======
+
+o  CVE-2015-7540:
+   All versions of Samba from 4.0.0 to 4.1.21 inclusive are vulnerable to
+   an anonymous memory exhaustion attack in the samba daemon LDAP server.
+
+   A malicious client can send packets that cause the LDAP server provided
+   by the AD DC in the samba daemon process to consume unlimited memory
+   and be terminated.
+
+o  CVE-2015-3223:
+   All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
+   ldb versions up to 1.1.23 inclusive) are vulnerable to
+   a denial of service attack in the samba daemon LDAP server.
+
+   A malicious client can send packets that cause the LDAP server in the
+   samba daemon process to become unresponsive, preventing the server
+   from servicing any other requests.
+
+   This flaw is not exploitable beyond causing the code to loop expending
+   CPU resources.
+
+o  CVE-2015-5252:
+   All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
+   a bug in symlink verification, which under certain circumstances could
+   allow client access to files outside the exported share path.
+
+   If a Samba share is configured with a path that shares a common path
+   prefix with another directory on the file system, the smbd daemon may
+   allow the client to follow a symlink pointing to a file or directory
+   in that other directory, even if the share parameter "wide links" is
+   set to "no" (the default).
+
+o  CVE-2015-5299:
+   All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
+   a missing access control check in the vfs_shadow_copy2 module. When
+   looking for the shadow copy directory under the share path the current
+   accessing user should have DIRECTORY_LIST access rights in order to
+   view the current snapshots.
+
+   This was not being checked in the affected versions of Samba.
+
+o  CVE-2015-5296:
+   Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
+   signing is negotiated when creating an encrypted client connection to
+   a server.
+
+   Without this a man-in-the-middle attack could downgrade the connection
+   and connect using the supplied credentials as an unsigned, unencrypted
+   connection.
+
+o  CVE-2015-8467:
+   Samba, operating as an AD DC, is sometimes operated in a domain with a
+   mix of Samba and Windows Active Directory Domain Controllers.
+
+   All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
+   an AD DC in the same domain with Windows DCs, could be used to
+   override the protection against the MS15-096 / CVE-2015-2535 security
+   issue in Windows.
+
+   Prior to MS16-096 it was possible to bypass the quota of machine
+   accounts a non-administrative user could create.  Pure Samba domains
+   are not impacted, as Samba does not implement the
+   SeMachineAccountPrivilege functionality to allow non-administrator
+   users to create new computer objects.
+
+o  CVE-2015-5330:
+   All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
+   ldb versions up to 1.1.23 inclusive) are vulnerable to
+   a remote memory read attack in the samba daemon LDAP server.
+
+   A malicious client can send packets that cause the LDAP server in the
+   samba daemon process to return heap memory beyond the length of the
+   requested value.
+
+   This memory may contain data that the client should not be allowed to
+   see, allowing compromise of the server.
+
+   The memory may either be returned to the client in an error string, or
+   stored in the database by a suitabily privileged user.  If untrusted
+   users can create objects in your database, please confirm that all DN
+   and name attributes are reasonable.
+
+
+Changes since 4.1.21:
+---------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for
+     userAccountControl.
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 9187:  CVE-2015-7540: Bogus LDAP request cause samba to use all the
+     memory and be ookilled.
+   * BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS.
+   * BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file
+     access outside the share).
+   * BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on
+     snapdir.
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing
+     smb encryption on the client side.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   ==============================
                    Release Notes for Samba 4.1.21
                           October 13, 2015
                    ==============================
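Review bot: a few wording slips in the added release notes before they go out. In the BUG 9187 entry, "Bogus LDAP request cause samba to use all the memory and be ookilled" should read "causes ... and be OOM killed"; under CVE-2015-5330, "suitabily privileged user" should be "suitably". In the CVE-2015-8467 section the bulletin is named MS15-096 in one paragraph and "Prior to MS16-096" in the next; the second looks like a typo for MS15-096 and should be confirmed.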
@@ -35,10 +193,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
 
-======================================================================
 
                    ==============================
                    Release Notes for Samba 4.1.20
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index 6b6f90c..cd17cda 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -189,33 +189,23 @@ struct ldb_dn *ldb_dn_new_fmt(TALLOC_CTX *mem_ctx,
 /* see RFC2253 section 2.4 */
 static int ldb_dn_escape_internal(char *dst, const char *src, int len)
 {
-	const char *p, *s;
+	char c;
 	char *d;
-	size_t l;
-
-	p = s = src;
+	int i;
 	d = dst;
 
-	while (p - src < len) {
-		p += strcspn(p, ",=\n\r+<>#;\\\" ");
-
-		if (p - src == len) /* found no escapable chars */
-			break;
-
-		/* copy the part of the string before the stop */
-		memcpy(d, s, p - s);
-		d += (p - s); /* move to current position */
-		
-		switch (*p) {
+	for (i = 0; i < len; i++){
+		c = src[i];
+		switch (c) {
 		case ' ':
-			if (p == src || (p-src)==(len-1)) {
+			if (i == 0 || i == len - 1) {
 				/* if at the beginning or end
 				 * of the string then escape */
 				*d++ = '\\';
-				*d++ = *p++;					 
+				*d++ = c;
 			} else {
 				/* otherwise don't escape */
-				*d++ = *p++;
+				*d++ = c;
 			}
 			break;
 
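Review bot: with the loop now visiting every byte of `src` and the `\XX` arm emitting three output bytes per input byte, `dst` must be sized for `3 * len + 1` in the worst case; the allocation lives in ldb_dn_escape_value() outside this hunk, so please confirm it already sizes for that rather than for a strlen()-based estimate. Two smaller points: `for (i = 0; i < len; i++){` is missing the space before the brace, and `len` is `int` here while the caller passes `value.length`, a `size_t`; the types should agree.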
@@ -231,36 +221,36 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len)
 		case '?':
 			/* these must be escaped using \c form */
 			*d++ = '\\';
-			*d++ = *p++;
+			*d++ = c;
 			break;
 
-		default: {
+		case ';':
+		case '\r':
+		case '\n':
+		case '=':
+		case '\0': {
 			/* any others get \XX form */
 			unsigned char v;
 			const char *hexbytes = "0123456789ABCDEF";
-			v = *(const unsigned char *)p;
+			v = (const unsigned char)c;
 			*d++ = '\\';
 			*d++ = hexbytes[v>>4];
 			*d++ = hexbytes[v&0xF];
-			p++;
 			break;
 		}
+		default:
+			*d++ = c;
 		}
-		s = p; /* move forward */
 	}
 
-	/* copy the last part (with zero) and return */
-	l = len - (s - src);
-	memcpy(d, s, l + 1);
-
 	/* return the length of the resulting string */
-	return (l + (d - dst));
+	return (d - dst);
 }
 
 char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
 {
 	char *dst;
-
+	size_t len;
 	if (!value.length)
 		return NULL;
 
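Review bot: `v = (const unsigned char)c;` applies a `const` qualifier to a cast to a scalar, which has no effect and draws warnings from some compilers; `(unsigned char)c` is enough. Also worth a comment above the new `case ';'` through `case '\0'` arms: the old code only reached `default` for bytes stopped on by the removed strcspn() set, whereas now `default: *d++ = c;` passes every unlisted byte through unescaped, so this case list has become the complete specification of what gets `\XX` form.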
@@ -271,10 +261,14 @@ char *ldb_dn_escape_value(TALLOC_CTX *mem_ctx, struct ldb_val value)
 		return NULL;
 	}
 
-	ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
-
-	dst = talloc_realloc(mem_ctx, dst, char, strlen(dst) + 1);
+	len = ldb_dn_escape_internal(dst, (const char *)value.data, value.length);
 
+	dst = talloc_realloc(mem_ctx, dst, char, len + 1);
+	if ( ! dst) {
+		talloc_free(dst);
+		return NULL;
+	}
+	dst[len] = '\0';
 	return dst;
 }
 
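Review bot: the talloc_realloc() result is assigned straight to `dst`, so on failure `dst` is NULL, `talloc_free(dst)` is a no-op, and the buffer allocated above is leaked. Assign to a temporary instead, for example `tmp = talloc_realloc(mem_ctx, dst, char, len + 1); if (!tmp) { talloc_free(dst); return NULL; } dst = tmp;`. Separately, `len` is declared `size_t` but ldb_dn_escape_internal() returns `int`; pick one type for both.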
@@ -592,12 +586,15 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
 
 				p++;
 				*d++ = '\0';
-				dn->components[dn->comp_num].value.data = (uint8_t *)talloc_strdup(dn->components, dt);
+				dn->components[dn->comp_num].value.data = \
+					(uint8_t *)talloc_memdup(dn->components, dt, l + 1);
 				dn->components[dn->comp_num].value.length = l;
 				if ( ! dn->components[dn->comp_num].value.data) {
 					/* ouch ! */
 					goto failed;
 				}
+				talloc_set_name_const(dn->components[dn->comp_num].value.data,
+						      (const char *)dn->components[dn->comp_num].value.data);
 
 				dt = d;
 
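Review bot: the backslash continuation after `value.data = \` is unnecessary in C outside a macro and can be dropped. The talloc_memdup() of `l + 1` bytes depends on the `*d++ = '\0';` two lines earlier having already written the terminator into the source buffer; a one-line comment saying so would help, given that the commit message warns against assuming terminators are present. Pointing talloc_set_name_const() at the chunk's own data keeps talloc_report() output unchanged, as described, but it does mean the talloc name is whatever bytes the DN component value holds.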
@@ -713,11 +710,13 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
 	*d++ = '\0';
 	dn->components[dn->comp_num].value.length = l;
 	dn->components[dn->comp_num].value.data =
-				(uint8_t *)talloc_strdup(dn->components, dt);
+		(uint8_t *)talloc_memdup(dn->components, dt, l + 1);
 	if ( ! dn->components[dn->comp_num].value.data) {
 		/* ouch */
 		goto failed;
 	}
+	talloc_set_name_const(dn->components[dn->comp_num].value.data,
+			      (const char *)dn->components[dn->comp_num].value.data);
 
 	dn->comp_num++;
 
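Review bot: this is the same talloc_memdup() plus talloc_set_name_const() sequence as in the earlier hunk of ldb_dn_explode(); a small static helper (say `ldb_dn_dup_component_value()`, name hypothetical) taking the buffer and `l` would keep the two call sites from drifting and state the `l + 1` contract in one place.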
diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index 7918aec..0f5c5b5 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -240,7 +240,6 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 	struct ldb_val val;
 	struct ldb_val cnk;
 	struct ldb_val *chunk;
-	char *p, *g;
 	uint8_t *save_p = NULL;
 	unsigned int c = 0;
 
@@ -270,6 +269,14 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 		if (cnk.length > val.length) {
 			goto mismatch;
 		}
+		/*
+		 * Empty strings are returned as length 0. Ensure
+		 * we can cope with this.
+		 */
+		if (cnk.length == 0) {
+			goto mismatch;
+		}
+
 		if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto mismatch;
 		val.length -= cnk.length;
 		val.data += cnk.length;
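Review bot: the `cnk.length == 0` guard is the right call, since memcmp() with a zero length returns 0 and would report a match for an empty chunk while consuming nothing. Because `cnk.data` was just allocated by canonicalise_fn(), please confirm that the `mismatch:` label (outside this hunk) frees it, otherwise each new `goto mismatch` path leaks the canonicalised chunk.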
@@ -279,20 +286,36 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
 	}
 
 	while (tree->u.substring.chunks[c]) {
+		uint8_t *p;
 
 		chunk = tree->u.substring.chunks[c];
 		if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
 
-		/* FIXME: case of embedded nulls */
-		p = strstr((char *)val.data, (char *)cnk.data);
+		/*
+		 * Empty strings are returned as length 0. Ensure
+		 * we can cope with this.
+		 */
+		if (cnk.length == 0) {
+			goto mismatch;
+		}
+		/*
+		 * Values might be binary blobs. Don't use string
+		 * search, but memory search instead.
+		 */
+		p = memmem((const void *)val.data,val.length,
+			   (const void *)cnk.data, cnk.length);
 		if (p == NULL) goto mismatch;
 		if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
+			uint8_t *g;
 			do { /* greedy */
-				g = strstr((char *)p + cnk.length, (char *)cnk.data);
+				g = memmem(p + cnk.length,
+					val.length - (p - val.data),
+					(const uint8_t *)cnk.data,
+					cnk.length);
 				if (g) p = g;
 			} while(g);
 		}
-		val.length = val.length - (p - (char *)(val.data)) - cnk.length;
+		val.length = val.length - (p - (uint8_t *)(val.data)) - cnk.length;
 		val.data = (uint8_t *)(p + cnk.length);
 		c++;
 		talloc_free(cnk.data);
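Review bot: the greedy loop overreads: `memmem(p + cnk.length, val.length - (p - val.data), ...)` starts the search `cnk.length` bytes past `p` but passes a length measured from `p`, so memmem() may read up to `cnk.length` bytes beyond the end of `val.data`. The length should be `val.length - (p - val.data) - cnk.length`. Minor: the `(const uint8_t *)cnk.data` cast here differs from `(const void *)cnk.data` in the first call; use one form. memmem() is a GNU extension rather than standard C, so confirm the standalone ldb build has libreplace's fallback in scope for this file.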
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index fb32ecd..794d6db 100755
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -2,6 +2,7 @@
 
 APPNAME = 'ldb'
 VERSION = '1.1.17'
+SYSTEM_VERSION = '1.1.24'
 
 blddir = 'bin'
 
@@ -46,11 +47,11 @@ def configure(conf):
     conf.env.standalone_ldb = conf.IN_LAUNCH_DIR()
 
     if not conf.env.standalone_ldb:
-        if conf.CHECK_BUNDLED_SYSTEM_PKG('ldb', minversion=VERSION,
+        if conf.CHECK_BUNDLED_SYSTEM_PKG('ldb', minversion=SYSTEM_VERSION,
                                      onlyif='talloc tdb tevent',
                                      implied_deps='replace talloc tdb tevent'):
             conf.define('USING_SYSTEM_LDB', 1)
-        if conf.CHECK_BUNDLED_SYSTEM_PKG('pyldb-util', minversion=VERSION,
+        if conf.CHECK_BUNDLED_SYSTEM_PKG('pyldb-util', minversion=SYSTEM_VERSION,
                                      onlyif='talloc tdb tevent ldb',
                                      implied_deps='replace talloc tdb tevent ldb'):
             conf.define('USING_SYSTEM_PYLDB_UTIL', 1)
diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 70637a3..ec29450 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -326,87 +326,76 @@ bool asn1_write_OID(struct asn1_data *data, const char *OID)
 /* write an octet string */
 bool asn1_write_OctetString(struct asn1_data *data, const void *p, size_t length)
 {
-	asn1_push_tag(data, ASN1_OCTET_STRING);
-	asn1_write(data, p, length);
-	asn1_pop_tag(data);
-	return !data->has_error;
+	if (!asn1_push_tag(data, ASN1_OCTET_STRING)) return false;
+	if (!asn1_write(data, p, length)) return false;
+	return asn1_pop_tag(data);
 }
 
 /* write a LDAP string */
 bool asn1_write_LDAPString(struct asn1_data *data, const char *s)
 {
-	asn1_write(data, s, strlen(s));
-	return !data->has_error;
+	return asn1_write(data, s, strlen(s));
 }
 
 /* write a LDAP string from a DATA_BLOB */
 bool asn1_write_DATA_BLOB_LDAPString(struct asn1_data *data, const DATA_BLOB *s)
 {
-	asn1_write(data, s->data, s->length);
-	return !data->has_error;
+	return asn1_write(data, s->data, s->length);
 }
 
 /* write a general string */
 bool asn1_write_GeneralString(struct asn1_data *data, const char *s)
 {
-	asn1_push_tag(data, ASN1_GENERAL_STRING);
-	asn1_write_LDAPString(data, s);
-	asn1_pop_tag(data);
-	return !data->has_error;
+	if (!asn1_push_tag(data, ASN1_GENERAL_STRING)) return false;
+	if (!asn1_write_LDAPString(data, s)) return false;
+	return asn1_pop_tag(data);
 }
 
 bool asn1_write_ContextSimple(struct asn1_data *data, uint8_t num, DATA_BLOB *blob)
 {
-	asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(num));
-	asn1_write(data, blob->data, blob->length);
-	asn1_pop_tag(data);
-	return !data->has_error;
+	if (!asn1_push_tag(data, ASN1_CONTEXT_SIMPLE(num))) return false;
+	if (!asn1_write(data, blob->data, blob->length)) return false;
+	return asn1_pop_tag(data);
 }
 
 /* write a BOOLEAN */
 bool asn1_write_BOOLEAN(struct asn1_data *data, bool v)
 {
-	asn1_push_tag(data, ASN1_BOOLEAN);
-	asn1_write_uint8(data, v ? 0xFF : 0);
-	asn1_pop_tag(data);
-	return !data->has_error;
+	if (!asn1_push_tag(data, ASN1_BOOLEAN)) return false;
+	if (!asn1_write_uint8(data, v ? 0xFF : 0)) return false;
+	return asn1_pop_tag(data);
 }
 
 bool asn1_read_BOOLEAN(struct asn1_data *data, bool *v)
 {

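Review bot: the rewritten functions use brace-less single-line bodies such as `if (!asn1_push_tag(data, ASN1_OCTET_STRING)) return false;`, which Samba's coding guidelines (README.Coding) ask to be written with braces. Behaviourally the early returns are an improvement on `return !data->has_error`, since they stop after the first failing call instead of continuing into asn1_pop_tag() with the error flag already set; this relies on asn1_push_tag(), asn1_write() and asn1_pop_tag() returning bool, which the visible lines do not show, so please make sure the header change in this series matches.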

-- 
Samba Shared Repository


