[SCM] Samba Shared Repository - branch v4-11-stable updated
Karolin Seeger
kseeger at samba.org
Thu Jul 2 07:50:30 UTC 2020
The branch, v4-11-stable has been updated
via c9fa9874747 VERSION: Disable GIT_SNAPSHOT for the 4.11.11 release.
via 1fa951943b5 Add release notes for Samba 4.11.11.
via df599b6b790 CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port
via 4def2dc5547 CVE-2020-10760 dsdb: Ensure a proper talloc tree for saved controls
via 153c8db09b2 CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
via 11034ea33fc CVE-2020-14303 Ensure an empty packet will not DoS the NBT server
via 23e9eb71052 CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
via 83b00656ea0 CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
via 507503f80e8 CVE-2020-10745: ndr_dns: do not allow consecutive dots
via b687813ac36 CVE-2020-10745: ndr/dns_utils: correct a comment
via 37cacb8f41b CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
via ddeabf87957 CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings
via ddd3ed7ce2e CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests
via c9fd1dbb131 ldb: Bump version to 2.0.12
via 303947c58ab CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
via ae6e9445ac8 CVE-2020-10730: s4 dsdb vlv_pagination: Prevent repeat call of ldb_module_done
via dcf713038ff CVE-2020-10730: s4 dsdb paged_results: Prevent repeat call of ldb_module_done
via 0c8cd0a9fbd CVE-2020-10730: dsdb: Ban the combination of paged_results and VLV
via c7608e43c93 CVE-2020-10730: dsdb: Fix crash when vlv and paged_results are combined
via 01cce3d1fc6 CVE-2020-10730: selftest: Add test to show that VLV and paged_results are incompatible
via 3fd7ce69761 CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV
via cf10f9b9a9a CVE-2020-10730: selftest: Add test to confirm VLV interaction with ASQ
via 2041c05d9b4 CVE-2020-10730: vlv: Do not re-ASQ search the results of an ASQ search with VLV
via b8628cb4476 CVE-2020-10730: vlv: Use strcmp(), not strncmp() checking the NULL terminated control OIDs
via a29be4ffa3b VERSION: Bump version up to 4.11.11...
from a905508e09e VERSION: Disable GIT_SNAPSHOT for the 4.11.10 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-stable
- Log -----------------------------------------------------------------
commit c9fa9874747bac838f60b320d201be2f6175ba8b
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Jul 1 10:14:05 2020 +0200
VERSION: Disable GIT_SNAPSHOT for the 4.11.11 release.
This is a security release in order to address the following CVEs:
o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
LDAP Server with ASQ, VLV and paged_results.
o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
excessive CPU.
o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
paged_results and VLV.
o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 1fa951943b512c20e2c71b09aa01cdadd4d563a4
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Jul 1 10:13:42 2020 +0200
Add release notes for Samba 4.11.11.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit df599b6b79010759279eb7f52486f1d0a59d06d3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jun 8 16:32:14 2020 +1200
CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port
This should avoid a regression.
(backported from master patch)
[abartlet at samba.org: sort=True parameter on test_paged_delete_during_search
is not in 4.11]
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 4def2dc554754033174c60f5860f51b46d8502c1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jun 5 22:14:48 2020 +1200
CVE-2020-10760 dsdb: Ensure a proper talloc tree for saved controls
Otherwise a paged search on the GC port will fail as the ->data was
not kept around for the second page of searches.
An example command to produce this is
bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD
This shows up later in the partition module as:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00151ef20 at pc 0x7fec3f801aac bp 0x7ffe8472c270 sp 0x7ffe8472c260
READ of size 4 at 0x60b00151ef20 thread T0 (ldap(0))
#0 0x7fec3f801aab in talloc_chunk_from_ptr ../../lib/talloc/talloc.c:526
#1 0x7fec3f801aab in __talloc_get_name ../../lib/talloc/talloc.c:1559
#2 0x7fec3f801aab in talloc_check_name ../../lib/talloc/talloc.c:1582
#3 0x7fec1b86b2e1 in partition_search ../../source4/dsdb/samdb/ldb_modules/partition.c:780
or
smb_panic_default: PANIC (pid 13287): Bad talloc magic value - unknown value
(from source4/dsdb/samdb/ldb_modules/partition.c:780)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14402
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 153c8db09b26455aa9802ff95943dd8a75f31893
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed Jun 24 14:27:08 2020 +1200
CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
An empty UDP packet put the nbt server into a busy loop that consumes
100% of a cpu.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit 11034ea33fca9b8a1c2e14480e70069b55fca6a2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 25 11:59:54 2020 +1200
CVE-2020-14303 Ensure an empty packet will not DoS the NBT server
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 23e9eb71052e02aecf726609db0256c0d93e0b57
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri May 15 10:52:45 2020 +1200
CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
NBT has a funny thing where it sometimes needs to send a trailing dot as
part of the last component, because the string representation is a user
name. In DNS, "example.com", and "example.com." are the same, both
having three components ("example", "com", ""); in NBT, we want to treat
them differently, with the second form having the three components
("example", "com.", "").
This retains the logic of e6e2ec0001fe3c010445e26cc0efddbc1f73416b.
Also DNS compression cannot be turned off for NBT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 83b00656ea0e8cfdce8a9c1cef71e41477e8e6f0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri May 15 00:06:08 2020 +1200
CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
As per RFC 1035.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 507503f80e8913450364dcd8ab080f3211b6f855
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sat Apr 25 11:10:18 2020 +1200
CVE-2020-10745: ndr_dns: do not allow consecutive dots
The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b687813ac362ff71085d192a4b7821235345feea
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sat Apr 25 11:03:30 2020 +1200
CVE-2020-10745: ndr/dns_utils: correct a comment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 37cacb8f41b9b2ea19a9c1bbfade4ea250dced46
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sat Apr 25 11:02:08 2020 +1200
CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
This is because ndr_nbt.c does almost exactly the same thing with
almost exactly the same code, and they both do it wrong. Soon they
will both be using the better version that this will become. Though in
this patch we just move the code, not fix it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit ddeabf87957ce73e12030977948418c93436a05c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Jun 12 14:26:38 2020 +1200
CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings
These time the push and pull function in isolation.
Timing should be under 0.0001 seconds on even quite old hardware; we
assert it must be under 0.2 seconds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
(backported from master commit)
[abartlet at samba.org: backported due to differences in pre-existing
tests - eg test_ndr - mentioned in wscript_build and tests.py]
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit ddd3ed7ce2e2776839c463010bd975f01dd0977d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Jun 11 17:38:51 2020 +1200
CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests
The client libraries don't allow us to make packets that are broken in
certain ways, so we need to construct them as byte strings.
These tests all fail at present, proving the server is rendered
unresponsive, which is the crux of CVE-2020-10745.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit c9fd1dbb13175fcda45826f687e834a6d67df4cc
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri May 22 09:52:12 2020 +1200
ldb: Bump version to 2.0.12
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 303947c58abf9311a666fe63ebd4ce26655ff36e
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed May 13 10:56:56 2020 +1200
CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
Prevent use after free issues if ldb_lock_backend_callback is called
twice, usually due to ldb_module_done being called twice. This can happen if a
module ignores the return value from function a function that calls
ldb_module_done as part of it's error handling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ae6e9445ac8bf8f6870a8caa24406153cd2ee2bf
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon May 18 12:37:39 2020 +1200
CVE-2020-10730: s4 dsdb vlv_pagination: Prevent repeat call of ldb_module_done
Check the return code from vlv_results, if it is not LDB_SUCCESS
ldb_module_done has already been called, and SHOULD NOT be called again.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dcf713038ff10e35a74ee255f1634be81103e360
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon May 18 12:36:57 2020 +1200
CVE-2020-10730: s4 dsdb paged_results: Prevent repeat call of ldb_module_done
Check the return code from paged_results, if it is not LDB_SUCCESS
ldb_module_done has already been called, and SHOULD NOT be called again.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0c8cd0a9fbd9d17c1d7219f977ca35f88f0a2ea3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed May 6 16:18:19 2020 +1200
CVE-2020-10730: dsdb: Ban the combination of paged_results and VLV
This (two different paging controls) makes no sense and fails against
Windows Server 1709.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit c7608e43c933d9a33d94e32371080e64cc1d4fcb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed May 6 17:05:30 2020 +1200
CVE-2020-10730: dsdb: Fix crash when vlv and paged_results are combined
The GUID is not returned in the DN for some reason in this (to be banned)
combination.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 01cce3d1fc69f04cdc237425b2f2ad1f2ac973d4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed May 6 16:19:01 2020 +1200
CVE-2020-10730: selftest: Add test to show that VLV and paged_results are incompatible
As tested against Windows Server 1709
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 3fd7ce69761fd2e21a85101772196aafc5ae57df
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue May 5 16:34:11 2020 +1200
CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV
This is essentially an alternative patch, but without the correct
behaviour. Instead this just avoids a segfault.
Included in case we have something simialr again in
another module.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit cf10f9b9a9a2f94afc526995a4034c1c6f05f5b4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue May 5 13:16:48 2020 +1200
CVE-2020-10730: selftest: Add test to confirm VLV interaction with ASQ
Tested against Windows 1709.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 2041c05d9b41fb0255c3492d118628c14a0c4b3d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue May 5 12:55:57 2020 +1200
CVE-2020-10730: vlv: Do not re-ASQ search the results of an ASQ search with VLV
This is a silly combination, but at least try and keep the results sensible
and avoid a double-dereference.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit b8628cb44766ac4c4817b1a50f09ca316425bd8b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue May 5 12:54:59 2020 +1200
CVE-2020-10730: vlv: Use strcmp(), not strncmp() checking the NULL terminated control OIDs
The end result is the same, as sizeof() includes the trailing NUL, but this
avoids having to think about that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit a29be4ffa3bf9adcfe8ac73429f60bc9270ad2e8
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Jun 24 12:35:39 2020 +0200
VERSION: Bump version up to 4.11.11...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit 08a51254198537395e9a6ea7a98fd627a491bf15)
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 88 +++++++-
lib/ldb/ABI/{ldb-2.0.10.sigs => ldb-2.0.12.sigs} | 0
...ldb-util-1.1.10.sigs => pyldb-util-2.0.12.sigs} | 0
lib/ldb/common/ldb.c | 9 +-
lib/ldb/wscript | 2 +-
libcli/nbt/nbtsocket.c | 17 +-
librpc/ndr/ndr_dns.c | 80 +------
librpc/ndr/ndr_dns_utils.c | 134 ++++++++++++
librpc/ndr/ndr_dns_utils.h | 6 +
librpc/ndr/ndr_nbt.c | 72 +------
librpc/tests/test_ndr_dns_nbt.c | 236 +++++++++++++++++++++
librpc/wscript_build | 16 +-
python/samba/tests/dns_packet.py | 230 ++++++++++++++++++++
.../__init__.py => selftest/knownfail.d/dns_packet | 0
selftest/knownfail.d/vlv | 2 +-
source4/dsdb/samdb/ldb_modules/paged_results.c | 65 +++++-
source4/dsdb/samdb/ldb_modules/vlv_pagination.c | 102 +++++++--
source4/dsdb/tests/python/asq.py | 54 +++++
source4/dsdb/tests/python/vlv.py | 184 ++++++++++------
source4/selftest/tests.py | 12 ++
21 files changed, 1076 insertions(+), 235 deletions(-)
copy lib/ldb/ABI/{ldb-2.0.10.sigs => ldb-2.0.12.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-2.0.12.sigs} (100%)
create mode 100644 librpc/ndr/ndr_dns_utils.c
create mode 100644 librpc/ndr/ndr_dns_utils.h
create mode 100644 librpc/tests/test_ndr_dns_nbt.c
create mode 100644 python/samba/tests/dns_packet.py
copy buildtools/wafsamba/__init__.py => selftest/knownfail.d/dns_packet (100%)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index a365113cf15..54f3b5842d6 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=11
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=11
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c3f04c7993a..b9a6ac2e537 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,87 @@
+ ===============================
+ Release Notes for Samba 4.11.11
+ July 02, 2020
+ ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
+ LDAP Server with ASQ, VLV and paged_results.
+o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
+ excessive CPU
+o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
+ paged_results and VLV.
+o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
+
+
+=======
+Details
+=======
+
+o CVE-2020-10730:
+ A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer
+ de-reference and further combinations with the LDAP paged_results feature can
+ give a use-after-free in Samba's AD DC LDAP server.
+
+o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
+ excessive CPU.
+
+o CVE-2020-10760:
+ The use of the paged_results or VLV controls against the Global Catalog LDAP
+ server on the AD DC will cause a use-after-free.
+
+o CVE-2020-14303:
+ The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process
+ further requests once it receives an empty (zero-length) UDP packet to
+ port 137.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.11.10
+---------------------
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 14378: CVE-2020-10745: Invalid DNS or NBT queries containing dots use
+ several seconds of CPU each.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
+ and VLV combined.
+ * BUG 14402: CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP
+ server with paged_result or VLV.
+ * BUG 14417: CVE-2020-14303: Fix endless loop from empty UDP packet sent to
+ AD DC nbt_server.
+
+o Gary Lockyer <gary at catalyst.net.nz>
+ * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
+ and VLV combined, ldb: Bump version to 2.1.4.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
===============================
Release Notes for Samba 4.11.10
June 30, 2020
@@ -54,8 +138,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 4.11.9
diff --git a/lib/ldb/ABI/ldb-2.0.10.sigs b/lib/ldb/ABI/ldb-2.0.12.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-2.0.10.sigs
copy to lib/ldb/ABI/ldb-2.0.12.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-2.0.12.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-2.0.12.sigs
diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c
index 95e9138a56b..2d0926ffaf9 100644
--- a/lib/ldb/common/ldb.c
+++ b/lib/ldb/common/ldb.c
@@ -1018,6 +1018,13 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
struct ldb_db_lock_context *lock_context;
int ret;
+ if (req->context == NULL) {
+ /*
+ * The usual way to get here is to ignore the return codes
+ * and continuing processing after an error.
+ */
+ abort();
+ }
lock_context = talloc_get_type(req->context,
struct ldb_db_lock_context);
@@ -1032,7 +1039,7 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
* If this is a LDB_REPLY_DONE or an error, unlock the
* DB by calling the destructor on this context
*/
- talloc_free(lock_context);
+ TALLOC_FREE(req->context);
return ret;
}
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index aeb6cfa6c45..da2b935d102 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python
APPNAME = 'ldb'
-VERSION = '2.0.11'
+VERSION = '2.0.12'
import sys, os
diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c
index 33d53fba993..8aecaf73247 100644
--- a/libcli/nbt/nbtsocket.c
+++ b/libcli/nbt/nbtsocket.c
@@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
return;
}
+ /*
+ * Given a zero length, data_blob_talloc() returns the
+ * NULL blob {NULL, 0}.
+ *
+ * We only want to error return here on a real out of memory condition
+ * (i.e. dsize != 0, so the UDP packet has data, but the return of the
+ * allocation failed, so blob.data==NULL).
+ *
+ * Given an actual zero length UDP packet having blob.data == NULL
+ * isn't an out of memory error condition, that's the defined semantics
+ * of data_blob_talloc() when asked for zero bytes.
+ *
+ * We still need to continue to do the zero-length socket_recvfrom()
+ * read in order to clear the "read pending" condition on the socket.
+ */
blob = data_blob_talloc(tmp_ctx, NULL, dsize);
- if (blob.data == NULL) {
+ if (blob.data == NULL && dsize != 0) {
talloc_free(tmp_ctx);
return;
}
diff --git a/librpc/ndr/ndr_dns.c b/librpc/ndr/ndr_dns.c
index d37c8cc2ece..966e0b59786 100644
--- a/librpc/ndr/ndr_dns.c
+++ b/librpc/ndr/ndr_dns.c
@@ -33,6 +33,7 @@
#include "librpc/gen_ndr/ndr_dnsp.h"
#include "system/locale.h"
#include "lib/util/util_net.h"
+#include "ndr_dns_utils.h"
/* don't allow an unlimited number of name components */
#define MAX_COMPONENTS 128
@@ -159,80 +160,11 @@ _PUBLIC_ enum ndr_err_code ndr_push_dns_string(struct ndr_push *ndr,
int ndr_flags,
const char *s)
{
- if (!(ndr_flags & NDR_SCALARS)) {
- return NDR_ERR_SUCCESS;
- }
-
- while (s && *s) {
- enum ndr_err_code ndr_err;
- char *compname;
- size_t complen;
- uint32_t offset;
-
- if (!(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION)) {
- /* see if we have pushed the remaining string already,
- * if so we use a label pointer to this string
- */
- ndr_err = ndr_token_retrieve_cmp_fn(&ndr->dns_string_list, s,
- &offset,
- (comparison_fn_t)strcmp,
- false);
- if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- uint8_t b[2];
-
- if (offset > 0x3FFF) {
- return ndr_push_error(ndr, NDR_ERR_STRING,
- "offset for dns string " \
- "label pointer " \
- "%u[%08X] > 0x00003FFF",
- offset, offset);
- }
-
- b[0] = 0xC0 | (offset>>8);
- b[1] = (offset & 0xFF);
-
- return ndr_push_bytes(ndr, b, 2);
- }
- }
-
- complen = strcspn(s, ".");
-
- /* we need to make sure the length fits into 6 bytes */
- if (complen > 0x3F) {
- return ndr_push_error(ndr, NDR_ERR_STRING,
- "component length %u[%08X] > " \
- "0x0000003F",
- (unsigned)complen,
- (unsigned)complen);
- }
-
- compname = talloc_asprintf(ndr, "%c%*.*s",
- (unsigned char)complen,
- (unsigned char)complen,
- (unsigned char)complen, s);
- NDR_ERR_HAVE_NO_MEMORY(compname);
-
- /* remember the current component + the rest of the string
- * so it can be reused later
- */
- if (!(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION)) {
- NDR_CHECK(ndr_token_store(ndr, &ndr->dns_string_list, s,
- ndr->offset));
- }
-
- /* push just this component into the blob */
- NDR_CHECK(ndr_push_bytes(ndr, (const uint8_t *)compname,
- complen+1));
- talloc_free(compname);
-
- s += complen;
- if (*s == '.') s++;
- }
-
- /* if we reach the end of the string and have pushed the last component
- * without using a label pointer, we need to terminate the string
- */
- return ndr_push_bytes(ndr, (const uint8_t *)"", 1);
+ return ndr_push_dns_string_list(ndr,
+ &ndr->dns_string_list,
+ ndr_flags,
+ s,
+ false);
}
_PUBLIC_ enum ndr_err_code ndr_pull_dns_txt_record(struct ndr_pull *ndr, int ndr_flags, struct dns_txt_record *r)
diff --git a/librpc/ndr/ndr_dns_utils.c b/librpc/ndr/ndr_dns_utils.c
new file mode 100644
index 00000000000..325d9c68bea
--- /dev/null
+++ b/librpc/ndr/ndr_dns_utils.c
@@ -0,0 +1,134 @@
+#include "includes.h"
+#include "../librpc/ndr/libndr.h"
+#include "ndr_dns_utils.h"
+
+
+/**
+ push a dns/nbt string list to the wire
+*/
+enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
+ struct ndr_token_list *string_list,
+ int ndr_flags,
+ const char *s,
+ bool is_nbt)
+{
+ const char *start = s;
+ bool use_compression;
+ size_t max_length;
+ if (is_nbt) {
+ use_compression = true;
+ /*
+ * Max length is longer in NBT/Wins, because Windows counts
+ * the semi-decompressed size of the netbios name (16 bytes)
+ * rather than the wire size of 32, which is what you'd expect
+ * if it followed RFC1002 (it uses the short form in
+ * [MS-WINSRA]). In other words the maximum size of the
+ * "scope" is 237, not 221.
+ *
+ * We make the size limit slightly larger than 255 + 16,
+ * because the 237 scope limit is already enforced in the
+ * winsserver code with a specific return value; bailing out
+ * here would muck with that.
+ */
+ max_length = 274;
+ } else {
+ use_compression = !(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION);
+ max_length = 255;
+ }
+
+ if (!(ndr_flags & NDR_SCALARS)) {
+ return NDR_ERR_SUCCESS;
+ }
+
+ while (s && *s) {
+ enum ndr_err_code ndr_err;
+ char *compname;
+ size_t complen;
+ uint32_t offset;
+
+ if (use_compression) {
+ /* see if we have pushed the remaining string already,
+ * if so we use a label pointer to this string
+ */
+ ndr_err = ndr_token_retrieve_cmp_fn(string_list, s,
+ &offset,
+ (comparison_fn_t)strcmp,
+ false);
+ if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ uint8_t b[2];
+
+ if (offset > 0x3FFF) {
+ return ndr_push_error(ndr, NDR_ERR_STRING,
+ "offset for dns string " \
+ "label pointer " \
+ "%u[%08X] > 0x00003FFF",
+ offset, offset);
+ }
+
+ b[0] = 0xC0 | (offset>>8);
+ b[1] = (offset & 0xFF);
+
+ return ndr_push_bytes(ndr, b, 2);
+ }
+ }
+
+ complen = strcspn(s, ".");
+
+ /* the length must fit into 6 bits (i.e. <= 63) */
+ if (complen > 0x3F) {
+ return ndr_push_error(ndr, NDR_ERR_STRING,
+ "component length %u[%08X] > " \
+ "0x0000003F",
+ (unsigned)complen,
+ (unsigned)complen);
+ }
+
+ if (complen == 0 && s[complen] == '.') {
+ return ndr_push_error(ndr, NDR_ERR_STRING,
+ "component length is 0 "
+ "(consecutive dots)");
+ }
+
+ if (is_nbt && s[complen] == '.' && s[complen + 1] == '\0') {
+ /* nbt names are sometimes usernames, and we need to
+ * keep a trailing dot to ensure it is byte-identical,
+ * (not just semantically identical given DNS
+ * semantics). */
+ complen++;
+ }
+
+ compname = talloc_asprintf(ndr, "%c%*.*s",
+ (unsigned char)complen,
+ (unsigned char)complen,
+ (unsigned char)complen, s);
+ NDR_ERR_HAVE_NO_MEMORY(compname);
+
+ /* remember the current component + the rest of the string
+ * so it can be reused later
+ */
+ if (use_compression) {
+ NDR_CHECK(ndr_token_store(ndr, string_list, s,
+ ndr->offset));
+ }
+
+ /* push just this component into the blob */
+ NDR_CHECK(ndr_push_bytes(ndr, (const uint8_t *)compname,
+ complen+1));
+ talloc_free(compname);
+
+ s += complen;
+ if (*s == '.') {
+ s++;
+ }
+ if (s - start > max_length) {
+ return ndr_push_error(ndr, NDR_ERR_STRING,
+ "name > %zu character long",
+ max_length);
+ }
+ }
+
+ /* if we reach the end of the string and have pushed the last component
+ * without using a label pointer, we need to terminate the string
+ */
+ return ndr_push_bytes(ndr, (const uint8_t *)"", 1);
+}
diff --git a/librpc/ndr/ndr_dns_utils.h b/librpc/ndr/ndr_dns_utils.h
new file mode 100644
index 00000000000..71a65433bbb
--- /dev/null
+++ b/librpc/ndr/ndr_dns_utils.h
@@ -0,0 +1,6 @@
+
+enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
+ struct ndr_token_list *string_list,
+ int ndr_flags,
+ const char *s,
+ bool is_nbt);
diff --git a/librpc/ndr/ndr_nbt.c b/librpc/ndr/ndr_nbt.c
index 838f947a168..e8dd7549a53 100644
--- a/librpc/ndr/ndr_nbt.c
+++ b/librpc/ndr/ndr_nbt.c
@@ -25,6 +25,8 @@
#include "includes.h"
#include "../libcli/nbt/libnbt.h"
#include "../libcli/netlogon/netlogon.h"
+#include "ndr_dns_utils.h"
+
/* don't allow an unlimited number of name components */
#define MAX_COMPONENTS 128
@@ -141,71 +143,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_nbt_string(struct ndr_pull *ndr, int ndr_fla
*/
_PUBLIC_ enum ndr_err_code ndr_push_nbt_string(struct ndr_push *ndr, int ndr_flags, const char *s)
{
- if (!(ndr_flags & NDR_SCALARS)) {
- return NDR_ERR_SUCCESS;
- }
-
- while (s && *s) {
- enum ndr_err_code ndr_err;
- char *compname;
- size_t complen;
- uint32_t offset;
-
- /* see if we have pushed the remaining string already,
- * if so we use a label pointer to this string
- */
- ndr_err = ndr_token_retrieve_cmp_fn(&ndr->nbt_string_list, s, &offset, (comparison_fn_t)strcmp, false);
- if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- uint8_t b[2];
-
- if (offset > 0x3FFF) {
- return ndr_push_error(ndr, NDR_ERR_STRING,
- "offset for nbt string label pointer %u[%08X] > 0x00003FFF",
- offset, offset);
- }
-
- b[0] = 0xC0 | (offset>>8);
- b[1] = (offset & 0xFF);
-
- return ndr_push_bytes(ndr, b, 2);
- }
-
- complen = strcspn(s, ".");
-
- /* we need to make sure the length fits into 6 bytes */
- if (complen > 0x3F) {
- return ndr_push_error(ndr, NDR_ERR_STRING,
- "component length %u[%08X] > 0x0000003F",
- (unsigned)complen, (unsigned)complen);
- }
-
- if (s[complen] == '.' && s[complen+1] == '\0') {
- complen++;
--
Samba Shared Repository
More information about the samba-cvs
mailing list