[SCM] Samba Shared Repository - branch master updated

Mon May 27 14:30:01 UTC 2019

The branch, master has been updated
       via  e09053faf45 registry: add a missing include
       via  a1f95ba5db6 s3: winbind: Fix crash when invoking winbind idmap scripts.
      from  412afb2aef1 Fix ubsan null pointer passed as argument 2

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e09053faf457f69ad9b5e6a34be43c947503575f
Author: Ralph Boehme <slow at samba.org>
Date:   Thu May 16 16:05:31 2019 +0200

    registry: add a missing include
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13840
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Mon May 27 14:29:36 UTC 2019 on sn-devel-184

commit a1f95ba5db6fc017fad35377fbf76c048f2dd8ab
Author: Jeremy Allison <jra at samba.org>
Date:   Thu May 23 13:33:21 2019 -0700

    s3: winbind: Fix crash when invoking winbind idmap scripts.
    
    Previously the private context was caching a pointer to
    a string returned from lp_XXX(). This string can change
    on config file reload. Ensure the string is talloc_strup'ed
    onto the owning context instead.
    
    Reported by Heinrich Mislik <Heinrich.Mislik at univie.ac.at>
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13956
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/registry/tests/test_regfio.c |  1 +
 source3/winbindd/idmap_script.c      | 20 ++++++++++++++++----
 source3/winbindd/idmap_tdb2.c        | 22 +++++++++++++++++-----
 3 files changed, 34 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/registry/tests/test_regfio.c b/source3/registry/tests/test_regfio.c
index f945e653708..e835e65e0df 100644
--- a/source3/registry/tests/test_regfio.c
+++ b/source3/registry/tests/test_regfio.c
@@ -31,6 +31,7 @@
 
 #include "includes.h"
 #include "lib/replace/replace.h"
+#include "system/filesys.h"
 #include "lib/util/samba_util.h"
 #include "registry/regfio.h"
 
diff --git a/source3/winbindd/idmap_script.c b/source3/winbindd/idmap_script.c
index 7ad6b806fb8..f382f896b35 100644
--- a/source3/winbindd/idmap_script.c
+++ b/source3/winbindd/idmap_script.c
@@ -615,6 +615,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
 	NTSTATUS ret;
 	struct idmap_script_context *ctx;
 	const char * idmap_script = NULL;
+	const char *ctx_script = NULL;
 
 	DEBUG(10, ("%s called ...\n", __func__));
 
@@ -625,7 +626,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
 		goto failed;
 	}
 
-	ctx->script = idmap_config_const_string(dom->name, "script", NULL);
+	ctx_script = idmap_config_const_string(dom->name, "script", NULL);
 
 	/* Do we even need to handle this? */
 	idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
@@ -634,13 +635,24 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
 			  " Please use 'idmap config * : script' instead!\n"));
 	}
 
-	if (strequal(dom->name, "*") && ctx->script == NULL) {
+	if (strequal(dom->name, "*") && ctx_script == NULL) {
 		/* fall back to idmap:script for backwards compatibility */
-		ctx->script = idmap_script;
+		ctx_script = idmap_script;
 	}
 
-	if (ctx->script) {
+	if (ctx_script) {
 		DEBUG(1, ("using idmap script '%s'\n", ctx->script));
+		/*
+		 * We must ensure this memory is owned by ctx.
+		 * The ctx_script const pointer is a pointer into
+		 * the config file data and may become invalid
+		 * on config file reload. BUG: 13956
+		 */
+		ctx->script = talloc_strdup(ctx, ctx_script);
+		if (ctx->script == NULL) {
+			ret = NT_STATUS_NO_MEMORY;
+			goto failed;
+		}
 	}
 
 	dom->private_data = ctx;
diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
index b784546bb33..eceab9c0784 100644
--- a/source3/winbindd/idmap_tdb2.c
+++ b/source3/winbindd/idmap_tdb2.c
@@ -522,6 +522,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
 	struct idmap_tdb_common_context *commonctx;
 	struct idmap_tdb2_context *ctx;
 	const char * idmap_script = NULL;
+	const char *ctx_script = NULL;
 
 	commonctx = talloc_zero(dom, struct idmap_tdb_common_context);
 	if(!commonctx) {
@@ -543,7 +544,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
 		goto failed;
 	}
 
-	ctx->script = idmap_config_const_string(dom->name, "script", NULL);
+	ctx_script = idmap_config_const_string(dom->name, "script", NULL);
 
 	idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
 	if (idmap_script != NULL) {
@@ -551,13 +552,24 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
 			  " Please use 'idmap config * : script' instead!\n"));
 	}
 
-	if (strequal(dom->name, "*") && ctx->script == NULL) {
+	if (strequal(dom->name, "*") && ctx_script == NULL) {
 		/* fall back to idmap:script for backwards compatibility */
-		ctx->script = idmap_script;
+		ctx_script = idmap_script;
 	}
 
-	if (ctx->script) {
-		DEBUG(1, ("using idmap script '%s'\n", ctx->script));
+	if (ctx_script) {
+		DEBUG(1, ("using idmap script '%s'\n", ctx_script));
+		/*
+		 * We must ensure this memory is owned by ctx.
+		 * The ctx_script const pointer is a pointer into
+		 * the config file data and may become invalid
+		 * on config file reload. BUG: 13956
+		 */
+		ctx->script = talloc_strdup(ctx, ctx_script);
+		if (ctx->script == NULL) {
+			ret = NT_STATUS_NO_MEMORY;
+			goto failed;
+		}
 	}
 
 	commonctx->max_id = dom->high_id;


-- 
Samba Shared Repository

