[SCM] Samba Shared Repository - branch v4-9-test updated

Karolin Seeger kseeger at samba.org
Tue Dec 4 16:28:02 UTC 2018


The branch, v4-9-test has been updated
       via  b2ef0e08a9b CVE-2018-16853: fix crash in expired password case
       via  a26e6160b33 CVE-2018-16853: Do not segfault if client is not set
       via  a2f4d49c1c5 CVE-2018-16853: Add a test to verify s4u2self doesn't crash
       via  09f9bb28371 CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
       via  d2a6e3e1bb4 CVE-2018-16853: Fix kinit test on system lacking ldbsearch
       via  2332c99cba7 libcli/smb: don't overwrite status code
       via  739ce2c7335 s4:torture/smb2/session: test smbXcli_session_set_disconnect_expired() works
       via  f678c6f06f0 ldb_controls: Add some talloc error checking for controls
       via  f4105adc285 sync_passwords: Remove dirsync cookie logging for continuous operation
       via  517df6d3da3 dirsync: Allow arbitrary length cookies
       via  a816ca4004a PEP8: fix E231: missing whitespace after ','
      from  b3d376b7d4d VERSION: Bump version up to 4.9.4.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test


- Log -----------------------------------------------------------------
commit b2ef0e08a9beda7231629dce6875a8c37360acf8
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed Nov 7 22:53:35 2018 +0200

    CVE-2018-16853: fix crash in expired password case
    
    When calling encode_krb5_padata_sequence() make sure to
    pass a null terminated array as required.
    
    Fixes expired password case in samba4.blackbox.kinit test.
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-9-test): Tue Dec  4 17:27:18 CET 2018 on sn-devel-144

commit a26e6160b3361f02d9d91f04114b8a03adf11780
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Sep 28 07:22:32 2016 +0200

    CVE-2018-16853: Do not segfault if client is not set
    
    This can be triggered with FAST but we don't support this yet.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit a2f4d49c1c545d9a64d34d0413f3e840d8f109f6
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat Aug 18 16:01:59 2018 +0300

    CVE-2018-16853: Add a test to verify s4u2self doesn't crash
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 09f9bb2837180ca27085b27aa636bfbae975f294
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat Aug 18 00:40:30 2018 +0300

    CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
    
    This happens when we are called from S4U2Self flow, and in that case
    kdcreq->client is NULL.  Use the name from client entry instead.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d2a6e3e1bb4609224fc9316abaaa156b3f71cb34
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat Aug 18 15:32:43 2018 +0300

    CVE-2018-16853: Fix kinit test on system lacking ldbsearch
    
    By fixing bindir variable name.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
    
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2332c99cba77bea1113014011d840b2005a4a75f
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Nov 7 14:00:25 2018 +0100

    libcli/smb: don't overwrite status code
    
    The original commit c5cd22b5bbce724dcd68fe94320382b3f772cabf from bug
    9175 never worked, as the preceding signing check overwrote the status
    variable.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Tue Nov 13 17:28:45 CET 2018 on sn-devel-144
    
    (cherry picked from commit 5a8583ed701be97c33a20b2a20f6bbb8ac2f8e99)

commit 739ce2c733521fe53a74927f9c801ba503cc1586
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Nov 13 12:08:10 2018 +0100

    s4:torture/smb2/session: test smbXcli_session_set_disconnect_expired() works
    
    This adds a simple test that verifies that after having set
    smbXcli_session_set_disconnect_expired() a session gets disconnected
    when it expires.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit a5d1bb5c5b5a57a2d7710dc5ab962683fe5c8e68)

commit f678c6f06f03b81cec1ea38ee1a4f4c67c38dcfe
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Nov 14 10:29:01 2018 +1300

    ldb_controls: Add some talloc error checking for controls
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ad8bb6fcd08be28c40f2522d640333e9e69b7852)

commit f4105adc285f8414aaaacd3bfd80973737327608
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Nov 19 11:05:59 2018 +1300

    sync_passwords: Remove dirsync cookie logging for continuous operation
    
    Under normal operation, users shouldn't see giant cookies in their logs.
    We still log the initial cookie retrieved from the cache database, which
    should still be helpful for identifying corrupt cookies.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ac90c9faa783fc133229e7c163471d96440ff30e)

commit 517df6d3da3ee988d1da96cbba20cbf401ead04e
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Oct 26 13:38:02 2018 +1300

    dirsync: Allow arbitrary length cookies
    
    The length of the cookie is proportional to the number of DCs ever in
    the domain (as it stores the uptodateness vector which has stale
    invocationID).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit b7a0d3b110697923a31e353905d3b1bd9385ea9b)

commit a816ca4004a784a423ef5e4cf195361554f24412
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Mon Jul 30 18:19:05 2018 +1200

    PEP8: fix E231: missing whitespace after ','
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    (part of commit 12d3fbe15cb58b57c60499103101e3a845378859 from master
    cherry-picked to v4-9-test)

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_controls.c            | 108 ++++++++++++++++++++++++++++--
 libcli/smb/smbXcli_base.c                |  12 ++--
 python/samba/netcmd/user.py              |   9 +--
 source4/kdc/mit-kdb/kdb_samba_policies.c |  24 ++++++-
 source4/kdc/mit_samba.c                  |   7 +-
 source4/torture/smb2/session.c           | 110 +++++++++++++++++++++++++++++++
 testprogs/blackbox/test_kinit_mit.sh     |  20 ++++--
 7 files changed, 265 insertions(+), 25 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_controls.c b/lib/ldb/common/ldb_controls.c
index a83768a352c..e0f0eb48f3a 100644
--- a/lib/ldb/common/ldb_controls.c
+++ b/lib/ldb/common/ldb_controls.c
@@ -520,6 +520,7 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 							   control->ctxid_len);
 			if (control->contextId == NULL) {
 				ldb_oom(ldb);
+				talloc_free(ctrl);
 				return NULL;
 			}
 		} else {
@@ -534,13 +535,20 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 	if (LDB_CONTROL_CMP(control_strings, LDB_CONTROL_DIRSYNC_NAME) == 0) {
 		struct ldb_dirsync_control *control;
 		const char *p;
-		char cookie[1024];
+		char *cookie = NULL;
 		int crit, max_attrs, ret;
 		uint32_t flags;
 
-		cookie[0] = '\0';
+		cookie = talloc_zero_array(ctrl, char,
+					   strlen(control_strings) + 1);
+		if (cookie == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
+
 		p = &(control_strings[sizeof(LDB_CONTROL_DIRSYNC_NAME)]);
-		ret = sscanf(p, "%d:%u:%d:%1023[^$]", &crit, &flags, &max_attrs, cookie);
+		ret = sscanf(p, "%d:%u:%d:%[^$]", &crit, &flags, &max_attrs, cookie);
 
 		if ((ret < 3) || (crit < 0) || (crit > 1) || (max_attrs < 0)) {
 			ldb_set_errstring(ldb,
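Review bot: The unbounded `%[^$]` in the new sscanf() call is only safe because `cookie` is allocated with strlen(control_strings) + 1 bytes a few lines above, and `p` points inside control_strings. Add a short comment at the sscanf() tying the format to that allocation, so a later change to the buffer size does not reintroduce an overflow.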
@@ -561,6 +569,11 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 		ctrl->oid = LDB_CONTROL_DIRSYNC_OID;
 		ctrl->critical = crit;
 		control = talloc(ctrl, struct ldb_dirsync_control);
+		if (control == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
 		control->flags = flags;
 		control->max_attributes = max_attrs;
 		if (*cookie) {
@@ -575,6 +588,7 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 			control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
 			if (control->cookie == NULL) {
 				ldb_oom(ldb);
+				talloc_free(ctrl);
 				return NULL;
 			}
 		} else {
@@ -582,17 +596,25 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 			control->cookie_len = 0;
 		}
 		ctrl->data = control;
+		TALLOC_FREE(cookie);
 
 		return ctrl;
 	}
 	if (LDB_CONTROL_CMP(control_strings, LDB_CONTROL_DIRSYNC_EX_NAME) == 0) {
 		struct ldb_dirsync_control *control;
 		const char *p;
-		char cookie[1024];
+		char *cookie = NULL;
 		int crit, max_attrs, ret;
 		uint32_t flags;
 
-		cookie[0] = '\0';
+		cookie = talloc_zero_array(ctrl, char,
+					   strlen(control_strings) + 1);
+		if (cookie == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
+
 		p = &(control_strings[sizeof(LDB_CONTROL_DIRSYNC_EX_NAME)]);
 		ret = sscanf(p, "%d:%u:%d:%1023[^$]", &crit, &flags, &max_attrs, cookie);
 
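Review bot: The sscanf() at the end of this hunk still uses `%1023[^$]`, so the dirsync_ex path keeps truncating cookies at 1023 characters even though `cookie` is now allocated with strlen(control_strings) + 1 bytes. The dirsync block above was switched to `%[^$]`; this call should get the same change so that both controls accept arbitrary length cookies.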
@@ -615,6 +637,11 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 		ctrl->oid = LDB_CONTROL_DIRSYNC_EX_OID;
 		ctrl->critical = crit;
 		control = talloc(ctrl, struct ldb_dirsync_control);
+		if (control == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
 		control->flags = flags;
 		control->max_attributes = max_attrs;
 		if (*cookie) {
@@ -630,6 +657,7 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 			control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
 			if (control->cookie == NULL) {
 				ldb_oom(ldb);
+				talloc_free(ctrl);
 				return NULL;
 			}
 		} else {
@@ -637,6 +665,7 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 			control->cookie_len = 0;
 		}
 		ctrl->data = control;
+		TALLOC_FREE(cookie);
 
 		return ctrl;
 	}
@@ -662,6 +691,11 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 		ctrl->oid = LDB_CONTROL_ASQ_OID;
 		ctrl->critical = crit;
 		control = talloc(ctrl, struct ldb_asq_control);
+		if (control == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
 		control->request = 1;
 		control->source_attribute = talloc_strdup(control, attr);
 		control->src_attr_len = strlen(attr);
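Review bot: `control->source_attribute = talloc_strdup(control, attr);` directly below the new NULL check is still unchecked, so an allocation failure there leaves a NULL source_attribute in the control that is returned. The verify_name hunk in this patch checks its talloc_strdup() result; the same ldb_oom() / talloc_free(ctrl) / return NULL sequence would fit here.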
@@ -693,6 +727,11 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 			control = NULL;
 		} else {
 			control = talloc(ctrl, struct ldb_extended_dn_control);
+			if (control == NULL) {
+				ldb_oom(ldb);
+				talloc_free(ctrl);
+				return NULL;
+			}
 			control->type = type;
 		}
 
@@ -723,6 +762,12 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 		ctrl->oid = LDB_CONTROL_SD_FLAGS_OID;
 		ctrl->critical = crit;
 		control = talloc(ctrl, struct ldb_sd_flags_control);
+		if (control == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
+
 		control->secinfo_flags = secinfo_flags;
 		ctrl->data = control;
 
@@ -749,6 +794,12 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 		ctrl->oid = LDB_CONTROL_SEARCH_OPTIONS_OID;
 		ctrl->critical = crit;
 		control = talloc(ctrl, struct ldb_search_options_control);
+		if (control == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
+
 		control->search_options = search_options;
 		ctrl->data = control;
 
@@ -865,6 +916,12 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 		ctrl->oid = LDB_CONTROL_PAGED_RESULTS_OID;
 		ctrl->critical = crit;
 		control = talloc(ctrl, struct ldb_paged_control);
+		if (control == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
+
 		control->size = size;
 		if (cookie[0] != '\0') {
 			int len = ldb_base64_decode(cookie);
@@ -879,6 +936,7 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 			control->cookie = talloc_memdup(control, cookie, control->cookie_len);
 			if (control->cookie == NULL) {
 				ldb_oom(ldb);
+				talloc_free(ctrl);
 				return NULL;
 			}
 		} else {
@@ -912,12 +970,36 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 		ctrl->oid = LDB_CONTROL_SERVER_SORT_OID;
 		ctrl->critical = crit;
 		control = talloc_array(ctrl, struct ldb_server_sort_control *, 2);
+		if (control == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
+
 		control[0] = talloc(control, struct ldb_server_sort_control);
+		if (control[0] == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
+
 		control[0]->attributeName = talloc_strdup(control, attr);
-		if (rule[0])
+		if (control[0]->attributeName == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
+
+		if (rule[0]) {
 			control[0]->orderingRule = talloc_strdup(control, rule);
-		else
+			if (control[0]->orderingRule == NULL) {
+				ldb_oom(ldb);
+				talloc_free(ctrl);
+				return NULL;
+			}
+		} else {
 			control[0]->orderingRule = NULL;
+		}
 		control[0]->reverse = rev;
 		control[1] = NULL;
 		ctrl->data = control;
@@ -1179,7 +1261,19 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 		ctrl->oid = LDB_CONTROL_VERIFY_NAME_OID;
 		ctrl->critical = crit;
 		control = talloc(ctrl, struct ldb_verify_name_control);
+		if (control == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
+
 		control->gc = talloc_strdup(control, gc);
+		if (control->gc == NULL) {
+			ldb_oom(ldb);
+			talloc_free(ctrl);
+			return NULL;
+		}
+
 		control->gc_len = strlen(gc);
 		control->flags = flags;
 		ctrl->data = control;
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index d0cc33b8b05..40480c83aa0 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3908,15 +3908,17 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 		}
 
 		if (signing_key) {
-			status = smb2_signing_check_pdu(*signing_key,
-							state->conn->protocol,
-							&cur[1], 3);
-			if (!NT_STATUS_IS_OK(status)) {
+			NTSTATUS signing_status;
+
+			signing_status = smb2_signing_check_pdu(*signing_key,
+								state->conn->protocol,
+								&cur[1], 3);
+			if (!NT_STATUS_IS_OK(signing_status)) {
 				/*
 				 * If the signing check fails, we disconnect
 				 * the connection.
 				 */
-				return status;
+				return signing_status;
 			}
 		}
 
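Review bot: The new `signing_status` local carries no comment saying why it must stay separate from `status`. Since the outer `status` has to survive the signing check for the later handling to work, a one-line note at the declaration would keep a future cleanup from merging the two variables again.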
diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index cc43c08a824..5af76c9be7d 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -1881,7 +1881,7 @@ samba-tool user syncpasswords --terminate \\
                 self.samdb_url = H
                 self.dirsync_filter = dirsync_filter
                 self.dirsync_attrs = dirsync_attrs
-                self.dirsync_controls = ["dirsync:1:0:0","extended_dn:1:0"];
+                self.dirsync_controls = ["dirsync:1:0:0", "extended_dn:1:0"];
                 self.password_attrs = password_attrs
                 self.decrypt_samba_gpg = decrypt_samba_gpg
                 self.sync_command = sync_command
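Review bot: The reformatted `self.dirsync_controls = [...]` assignment still ends in a stray `;`. As the line is being touched for PEP8 anyway, drop the semicolon in the same change.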
@@ -1905,7 +1905,7 @@ samba-tool user syncpasswords --terminate \\
                 self.current_pid = None
                 self.outf.write("Initialized cache_ldb[%s]\n" % (cache_ldb))
                 msgs = self.cache.parse_ldif(add_ldif)
-                changetype,msg = next(msgs)
+                changetype, msg = next(msgs)
                 ldif = self.cache.write_ldif(msg, ldb.CHANGETYPE_NONE)
                 self.outf.write("%s" % ldif)
             else:
@@ -2103,8 +2103,9 @@ samba-tool user syncpasswords --terminate \\
             assert len(res_controls) > 0
             assert res_controls[0].oid == "1.2.840.113556.1.4.841"
             res_controls[0].critical = True
-            self.dirsync_controls = [str(res_controls[0]),"extended_dn:1:0"]
-            log_msg("dirsyncControls: %r\n" % self.dirsync_controls)
+            self.dirsync_controls = [str(res_controls[0]), "extended_dn:1:0"]
+            # This cookie can be extremely long
+            # log_msg("dirsyncControls: %r\n" % self.dirsync_controls)
 
             modify_ldif =  "dn: %s\n" % (self.cache_dn)
             modify_ldif += "changetype: modify\n"
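Review bot: The log_msg() call is commented out rather than removed, which leaves dead code behind. Either delete it or log something bounded instead, for example the length of the control string, so that continuous operation still produces a progress line without the full cookie.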
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index de5813bde2f..fc80329f221 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -81,6 +81,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 	char *netbios_name = NULL;
 	char *realm = NULL;
 	bool password_change = false;
+	krb5_const_principal client_princ;
 	DATA_BLOB int_data = { NULL, 0 };
 	krb5_data d;
 	krb5_pa_data **e_data;
@@ -90,7 +91,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 		return KRB5_KDB_DBNOTINITED;
 	}
 
-	if (ks_is_kadmin(context, kdcreq->client)) {
+	/* Prefer canonicalised name from client entry */
+	client_princ = client ? client->princ : kdcreq->client;
+
+	if (client_princ == NULL || ks_is_kadmin(context, client_princ)) {
 		return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 	}
 
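Review bot: The comment "Prefer canonicalised name from client entry" does not mention the case this guards against, namely that kdcreq->client is NULL when the function is reached from the S4U2Self flow. Say so in the comment, and write the test as `client != NULL` to match the explicit NULL comparisons used elsewhere in this file.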
@@ -111,7 +115,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 		goto done;
 	}
 
-	code = krb5_unparse_name(context, kdcreq->client, &client_name);
+	code = krb5_unparse_name(context, client_princ, &client_name);
 	if (code) {
 		goto done;
 	}
@@ -457,6 +461,14 @@ void kdb_samba_db_audit_as_req(krb5_context context,
 			       krb5_timestamp authtime,
 			       krb5_error_code error_code)
 {
+	/*
+	 * FIXME: This segfaulted with a FAST test
+	 * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0
+	 */
+	if (client == NULL) {
+		return;
+	}
+
 	samba_bad_password_count(client, error_code);
 
 	/* TODO: perform proper audit logging for addresses */
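Review bot: The early return on `client == NULL` skips samba_bad_password_count() and anything added later for the audit TODO, so a request without a client entry leaves no trace at all. Emit at least a debug message before returning and state in the FIXME what the proper fix is. The identical block is repeated in the other variant of this function below; a small shared helper would keep the two in sync.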
@@ -469,6 +481,14 @@ void kdb_samba_db_audit_as_req(krb5_context context,
 			       krb5_timestamp authtime,
 			       krb5_error_code error_code)
 {
+	/*
+	 * FIXME: This segfaulted with a FAST test
+	 * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0
+	 */
+	if (client == NULL) {
+		return;
+	}
+
 	samba_bad_password_count(client, error_code);
 }
 #endif
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 414e67c6a98..eacca0903ec 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -865,7 +865,7 @@ krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data
 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
 {
 	krb5_error_code ret = 0;
-	krb5_pa_data pa, *ppa = NULL;
+	krb5_pa_data pa, *ppa[2];
 	krb5_data *d = NULL;
 
 	if (!e_data)
@@ -886,9 +886,10 @@ static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
 	SIVAL(pa.contents, 4, 0);
 	SIVAL(pa.contents, 8, 1);
 
-	ppa = &pa;
+	ppa[0] = &pa;
+	ppa[1] = NULL;
 
-	ret = encode_krb5_padata_sequence(&ppa, &d);
+	ret = encode_krb5_padata_sequence(ppa, &d);
 	free(pa.contents);
 	if (ret) {
 		return;
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 57a5addcfcc..3917e0c09c4 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1596,6 +1596,114 @@ static bool test_session_expire2e(struct torture_context *tctx)
 				     true); /* force_encryption */
 }
 
+static bool test_session_expire_disconnect(struct torture_context *tctx)
+{
+	NTSTATUS status;
+	bool ret = false;
+	struct smbcli_options options;
+	const char *host = torture_setting_string(tctx, "host", NULL);
+	const char *share = torture_setting_string(tctx, "share", NULL);
+	struct cli_credentials *credentials = popt_get_cmdline_credentials();
+	struct smb2_tree *tree = NULL;
+	enum credentials_use_kerberos use_kerberos;
+	char fname[256];
+	struct smb2_handle _h1;
+	struct smb2_handle *h1 = NULL;
+	struct smb2_create io1;
+	union smb_fileinfo qfinfo;
+	bool connected;
+
+	use_kerberos = cli_credentials_get_kerberos_state(credentials);
+	if (use_kerberos != CRED_MUST_USE_KERBEROS) {
+		torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
+		torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
+	}
+
+	cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
+	lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
+	lpcfg_smbcli_options(tctx->lp_ctx, &options);
+	options.signing = SMB_SIGNING_REQUIRED;
+
+	status = smb2_connect(tctx,
+			      host,
+			      lpcfg_smb_ports(tctx->lp_ctx),
+			      share,
+			      lpcfg_resolve_context(tctx->lp_ctx),
+			      credentials,
+			      &tree,
+			      tctx->ev,
+			      &options,
+			      lpcfg_socket_options(tctx->lp_ctx),
+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+			      );
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_connect failed");
+
+	smbXcli_session_set_disconnect_expired(tree->session->smbXcli);
+
+	/* Add some random component to the file name. */
+	snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
+		 generate_random_str(tctx, 8));
+
+	smb2_util_unlink(tree, fname);
+
+	smb2_oplock_create_share(&io1, fname,
+				 smb2_util_share_access(""),
+				 smb2_util_oplock_level("b"));
+	io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
+
+	status = smb2_create(tree, tctx, &io1);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_create failed");
+	_h1 = io1.out.file.handle;
+	h1 = &_h1;
+	CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	torture_assert_int_equal(tctx, io1.out.oplock_level,
+					smb2_util_oplock_level("b"),
+					"oplock_level incorrect");
+
+	/* get the security descriptor */
+
+	ZERO_STRUCT(qfinfo);
+
+	qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
+	qfinfo.access_information.in.file.handle = _h1;
+
+	torture_comment(tctx, "query info => OK\n");
+
+	ZERO_STRUCT(qfinfo.access_information.out);
+	status = smb2_getinfo_file(tree, tctx, &qfinfo);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_getinfo_file failed");
+
+	torture_comment(tctx, "sleep 10 seconds\n");
+	smb_msleep(10*1000);
+
+	torture_comment(tctx, "query info => EXPIRED\n");
+	ZERO_STRUCT(qfinfo.access_information.out);
+	status = smb2_getinfo_file(tree, tctx, &qfinfo);
+	torture_assert_ntstatus_equal_goto(tctx, status,
+					   NT_STATUS_NETWORK_SESSION_EXPIRED,
+					   ret, done, "smb2_getinfo_file "
+					   "returned unexpected status");
+
+	connected = smbXcli_conn_is_connected(tree->session->transport->conn);
+	torture_assert_goto(tctx, !connected, ret, done, "connected\n");
+
+	ret = true;
+done:
+	cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
+	if (h1 != NULL) {
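Review bot: In test_session_expire_disconnect() the torture_warning() and torture_skip() messages and the file name template still say "smb2.session.expire1" and "session_expire1_%s.dat", carried over from the older test. They should name this test so that a skip or a leftover file can be attributed correctly. The comment "get the security descriptor" also sits above a RAW_FILEINFO_ACCESS_INFORMATION query and should be corrected.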


-- 
Samba Shared Repository


