[SCM] Samba Shared Repository - branch v4-10-stable updated

Karolin Seeger kseeger at samba.org
Thu Jul 2 07:54:46 UTC 2020


The branch, v4-10-stable has been updated
       via  e88b0e44899 VERSION: Disable GIT_SNAPSHOT for the 4.10.17 release.
       via  9127ebabb8e WHATSNEW: Add release notes for Samba 4.10.17.
       via  ca38b0eecdd CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port
       via  4bc0ada8d99 CVE-2020-10760 dsdb: Ensure a proper talloc tree for saved controls
       via  2e190d5c766 CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
       via  9773231e3a5 CVE-2020-14303 Ensure an empty packet will not DoS the NBT server
       via  21a449f491b CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
       via  d266802a3fd CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
       via  dbde3431f70 CVE-2020-10745: ndr_dns: do not allow consecutive dots
       via  0c6bbd70192 CVE-2020-10745: ndr/dns_utils: correct a comment
       via  b8788a04ebd CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
       via  b9ba23d41e0 CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings
       via  6253d590d23 CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests
       via  ec11a9adbf9 ldb: Bump version to 1.5.8
       via  d6848d2f3f2 CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
       via  d400d7d8ac6 CVE-2020-10730: s4 dsdb vlv_pagination: Prevent repeat call of ldb_module_done
       via  9c5c2c845ca CVE-2020-10730: s4 dsdb paged_results: Prevent repeat call of ldb_module_done
       via  fff5a35ba4e CVE-2020-10730: dsdb: Ban the combination of paged_results and VLV
       via  04f059fa7ec CVE-2020-10730: dsdb: Fix crash when vlv and paged_results are combined
       via  ca2be7c95bb CVE-2020-10730: selftest: Add test to show that VLV and paged_results are incompatible
       via  80144c53d55 CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV
       via  9d4b98d75ea CVE-2020-10730: selftest: Add test to confirm VLV interaction with ASQ
       via  c745a495415 CVE-2020-10730: vlv: Do not re-ASQ search the results of an ASQ search with VLV
       via  3ca77e3edc0 CVE-2020-10730: vlv: Use strcmp(), not strncmp() checking the NULL terminated control OIDs
       via  55f01236e44 VERSION: Bump version up to 4.10.17...
      from  ee766dffdd8 VERSION: Disable GIT_SNAPSHOT for the 4.10.16 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-stable


- Log -----------------------------------------------------------------
commit e88b0e44899ad462abef61d0082b10d9a4e2c9cb
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jun 25 13:12:45 2020 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.10.17 release.
    
    This is a security release in order to address the following CVEs:
    
    o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
                      LDAP Server with ASQ, VLV and paged_results.
    o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
                      excessive CPU.
    o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
                      paged_results and VLV.
    o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 9127ebabb8eddfdca9cd0418b8276089809ff056
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jun 25 13:12:17 2020 +0200

    WHATSNEW: Add release notes for Samba 4.10.17.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit ca38b0eecddbfab0ff1b80d7e588b19beb299084
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 8 16:32:14 2020 +1200

    CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port
    
    This should avoid a regression.
    
    (backported from master patch)
    [abartlet at samba.org: sort=True parameter on test_paged_delete_during_search
     is not in 4.10]
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 4bc0ada8d99425ad8d8933e0c3b1abecaa185edf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 5 22:14:48 2020 +1200

    CVE-2020-10760 dsdb: Ensure a proper talloc tree for saved controls
    
    Otherwise a paged search on the GC port will fail as the ->data was
    not kept around for the second page of searches.
    
    An example command to produce this is
     bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD
    
    This shows up later in the partition module as:
    
    ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00151ef20 at pc 0x7fec3f801aac bp 0x7ffe8472c270 sp 0x7ffe8472c260
    READ of size 4 at 0x60b00151ef20 thread T0 (ldap(0))
        #0 0x7fec3f801aab in talloc_chunk_from_ptr ../../lib/talloc/talloc.c:526
        #1 0x7fec3f801aab in __talloc_get_name ../../lib/talloc/talloc.c:1559
        #2 0x7fec3f801aab in talloc_check_name ../../lib/talloc/talloc.c:1582
        #3 0x7fec1b86b2e1 in partition_search ../../source4/dsdb/samdb/ldb_modules/partition.c:780
    
    or
    
    smb_panic_default: PANIC (pid 13287): Bad talloc magic value - unknown value
    (from source4/dsdb/samdb/ldb_modules/partition.c:780)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14402
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 2e190d5c766d3487223ccdd4dc1e2ad0e160bb3f
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Wed Jun 24 14:27:08 2020 +1200

    CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
    
    An empty UDP packet put the nbt server into a busy loop that consumes
    100% of a cpu.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>

commit 9773231e3a53291214a914ed168065f5ed5ea1e6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 25 11:59:54 2020 +1200

    CVE-2020-14303 Ensure an empty packet will not DoS the NBT server
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    (backported from master commit)
    [abartlet at samba.org: Remove f"" format string not supported in
     Python 3.4]

commit 21a449f491be33f7cc2dd54491abf17dae041c21
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri May 15 10:52:45 2020 +1200

    CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
    
    NBT has a funny thing where it sometimes needs to send a trailing dot as
    part of the last component, because the string representation is a user
    name. In DNS, "example.com", and "example.com." are the same, both
    having three components ("example", "com", ""); in NBT, we want to treat
    them differently, with the second form having the three components
    ("example", "com.", "").
    
    This retains the logic of e6e2ec0001fe3c010445e26cc0efddbc1f73416b.
    
    Also DNS compression cannot be turned off for NBT.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit d266802a3fd75b91848b41f2b347de2e27fee5f9
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri May 15 00:06:08 2020 +1200

    CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
    
    As per RFC 1035.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit dbde3431f70ec0cf9c0da7abe7bc53fd4e5d3a63
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sat Apr 25 11:10:18 2020 +1200

    CVE-2020-10745: ndr_dns: do not allow consecutive dots
    
    The empty subdomain component is reserved for the root domain, which we
    should only (and always) see at the end of the list. That is, we expect
    "example.com.", but never "example..com".
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
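
The three CVE-2020-10745 commit messages above (keeping an NBT trailing dot as part of the last label, the 255-byte RFC 1035 limit, and the ban on consecutive dots) describe validation that the patch adds to Samba's C name pusher. The following Python is an added example, not Samba code, that applies the same checks in a small RFC 1035 wire-format name encoder and pairs it with a decoder whose compression-pointer handling cannot loop. The class and function names are the example's own; the 274-byte NBT limit is the value the patch's ndr_push_dns_string_list uses, and MAX_COMPONENTS mirrors the define in the Samba sources.

```python
# Added example (not Samba code): RFC 1035 name encoder/decoder with the
# validation described in the CVE-2020-10745 commit messages.

MAX_LABEL = 0x3F        # a label length must fit in 6 bits
MAX_NAME_DNS = 255      # RFC 1035 limit on the whole name
MAX_NAME_NBT = 274      # value the patch uses for NBT in ndr_push_dns_string_list
MAX_COMPONENTS = 128    # same cap the Samba sources define for the pull side


class DnsNameError(ValueError):
    """Raised for a name that must not be put on, or accepted from, the wire."""


class DnsMessageEncoder:
    """Accumulates one message; later names may point back at earlier suffixes."""

    def __init__(self):
        self.buf = bytearray()
        self.suffix_offsets = {}   # remaining-suffix string -> offset it was pushed at

    def push_name(self, name, is_nbt=False, compress=True):
        max_length = MAX_NAME_NBT if is_nbt else MAX_NAME_DNS
        if is_nbt:
            compress = True        # as in the patch, NBT always uses compression
        s = name
        while s:
            if compress and s in self.suffix_offsets:
                offset = self.suffix_offsets[s]
                if offset > 0x3FFF:
                    raise DnsNameError("label pointer offset %d > 0x3FFF" % offset)
                # pointer: top two bits set, 14-bit offset; it ends the name
                self.buf += bytes([0xC0 | (offset >> 8), offset & 0xFF])
                return
            dot = s.find(".")
            complen = len(s) if dot < 0 else dot
            if complen > MAX_LABEL:
                raise DnsNameError("component length %d > %d" % (complen, MAX_LABEL))
            if complen == 0 and s[0] == ".":
                raise DnsNameError("empty component (consecutive or leading dot)")
            if is_nbt and s[complen:] == ".":
                complen += 1       # NBT keeps a trailing dot inside the last label
            if compress:
                self.suffix_offsets[s] = len(self.buf)
            self.buf += bytes([complen]) + s[:complen].encode("ascii")
            s = s[complen:]
            if s.startswith("."):
                s = s[1:]
            if len(name) - len(s) > max_length:
                raise DnsNameError("name longer than %d bytes" % max_length)
        self.buf += b"\x00"        # root label terminates an uncompressed name


def encode_dns_name(name, is_nbt=False):
    """Encode one name in a fresh message (so no back-references are possible)."""
    enc = DnsMessageEncoder()
    enc.push_name(name, is_nbt=is_nbt)
    return bytes(enc.buf)


def decode_dns_name(msg, offset):
    """Return (name, offset_after_name). Pointers must point strictly backwards,
    so a pointer loop is rejected instead of spinning; the label count is capped."""
    labels = []
    end = None                     # where the caller continues after this name
    pos = offset
    while True:
        if pos >= len(msg):
            raise DnsNameError("truncated name")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            if target >= pos:
                raise DnsNameError("forward or self-referencing pointer")
            pos = target
            continue
        if length > MAX_LABEL:
            raise DnsNameError("label length %d > %d" % (length, MAX_LABEL))
        pos += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else pos)
        if pos + length > len(msg):
            raise DnsNameError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii"))
        if len(labels) > MAX_COMPONENTS:
            raise DnsNameError("more than %d components" % MAX_COMPONENTS)
        pos += length


def rejects_name(name, is_nbt=False):
    """True when the encoder refuses the name (handy for checks and tests)."""
    try:
        encode_dns_name(name, is_nbt=is_nbt)
    except DnsNameError:
        return True
    return False


def rejects_wire(msg, offset=0):
    """True when the decoder refuses the wire bytes starting at offset."""
    try:
        decode_dns_name(msg, offset)
    except DnsNameError:
        return True
    return False
```

Pushing "example.com" and then "www.example.com" into one DnsMessageEncoder yields the second name as a 3-byte label followed by a pointer to offset 0; decoding the same buffer back shows why a decoder that only follows backward pointers cannot be driven into a loop, which is the pull-side counterpart of the CPU-consumption problem the commits address.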

commit 0c6bbd701926dfc16754fc5ea523d6f21d0ea740
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sat Apr 25 11:03:30 2020 +1200

    CVE-2020-10745: ndr/dns_utils: correct a comment
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit b8788a04ebd6ca9c2f9f72e11049d770ff54afac
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Sat Apr 25 11:02:08 2020 +1200

    CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
    
    This is because ndr_nbt.c does almost exactly the same thing with
    almost exactly the same code, and they both do it wrong. Soon they
    will both be using the better version that this will become. Though in
    this patch we just move the code, not fix it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit b9ba23d41e0bc5f781e8a391f71b3be5f8017155
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Jun 12 14:26:38 2020 +1200

    CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings
    
    These time the push and pull function in isolation.
    
    Timing should be under 0.0001 seconds on even quite old hardware; we
    assert it must be under 0.2 seconds.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    
    (backported from master commit)
    [abartlet at samba.org: backported due to differences in pre-existing
    tests - eg test_ndr - mentioned in wscript_build and tests.py]
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 6253d590d2330eadd740fdde79551f9a50f4b52f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Jun 11 17:38:51 2020 +1200

    CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests
    
    The client libraries don't allow us to make packets that are broken in
    certain ways, so we need to construct them as byte strings.
    
    These tests all fail at present, proving the server is rendered
    unresponsive, which is the crux of CVE-2020-10745.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    (backported from patch for master)
    [abartlet at samba.org: f"" strings are not in Python 3.4 and
    bytes cannot be formatted in python 3.4]
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit ec11a9adbf989add9a77c68fe8175bd587400d4b
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Fri May 22 10:53:29 2020 +1200

    ldb: Bump version to 1.5.8
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d6848d2f3f281956d8401f11ed1a6b609f802e21
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Wed May 13 10:56:56 2020 +1200

    CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
    
    Prevent use after free issues if ldb_lock_backend_callback is called
    twice, usually due to ldb_module_done being called twice. This can happen if a
    module ignores the return value from a function that calls
    ldb_module_done as part of its error handling.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d400d7d8ac66ab889c3f1a6572fec64f20f0861e
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Mon May 18 12:37:39 2020 +1200

    CVE-2020-10730: s4 dsdb vlv_pagination: Prevent repeat call of ldb_module_done
    
    Check the return code from vlv_results, if it is not LDB_SUCCESS
    ldb_module_done has already been called, and SHOULD NOT be called again.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9c5c2c845caf7f03a6b47abcd5e1bc0092d628c2
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Mon May 18 12:36:57 2020 +1200

    CVE-2020-10730: s4 dsdb paged_results: Prevent repeat call of ldb_module_done
    
    Check the return code from paged_results, if it is not LDB_SUCCESS
    ldb_module_done has already been called, and SHOULD NOT be called again.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fff5a35ba4ee43c50691fc178c386dd2d9e460e7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed May 6 16:18:19 2020 +1200

    CVE-2020-10730: dsdb: Ban the combination of paged_results and VLV
    
    This (two different paging controls) makes no sense and fails against
    Windows Server 1709.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 04f059fa7ec543122e72f77d3fbd6e9cc45f6947
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed May 6 17:05:30 2020 +1200

    CVE-2020-10730: dsdb: Fix crash when vlv and paged_results are combined
    
    The GUID is not returned in the DN for some reason in this (to be banned)
    combination.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit ca2be7c95bb3a76c125cc816a8fe23a5557b6e63
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed May 6 16:19:01 2020 +1200

    CVE-2020-10730: selftest: Add test to show that VLV and paged_results are incompatible
    
    As tested against Windows Server 1709
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 80144c53d5546314f929b48f40c704f7cff083a8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 5 16:34:11 2020 +1200

    CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV
    
    This is essentially an alternative patch, but without the correct
    behaviour.  Instead this just avoids a segfault.
    
    Included in case we have something similar again in
    another module.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 9d4b98d75ea6a283afc45e9e4aef91fdfb95a189
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 5 13:16:48 2020 +1200

    CVE-2020-10730: selftest: Add test to confirm VLV interaction with ASQ
    
    Tested against Windows 1709.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit c745a495415d77fd3ebfb8a658a1dad7cce114a5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 5 12:55:57 2020 +1200

    CVE-2020-10730: vlv: Do not re-ASQ search the results of an ASQ search with VLV
    
    This is a silly combination, but at least try and keep the results sensible
    and avoid a double-dereference.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 3ca77e3edc0ba2c9dd3f2c0394f8c2f799d989b9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 5 12:54:59 2020 +1200

    CVE-2020-10730: vlv: Use strcmp(), not strncmp() checking the NULL terminated control OIDs
    
    The end result is the same, as sizeof() includes the trailing NUL, but this
    avoids having to think about that.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 55f01236e4453dd258df27dc9bac28745f93b1f4
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon May 25 10:28:05 2020 +0200

    VERSION: Bump version up to 4.10.17...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit 69324a82444552bedd76852888db8946c0e9b18c)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       |  88 +++++++-
 lib/ldb/ABI/{ldb-1.5.6.sigs => ldb-1.5.8.sigs}     |   0
 ...yldb-util-1.1.10.sigs => pyldb-util-1.5.8.sigs} |   0
 ...-util-1.1.10.sigs => pyldb-util.py3-1.5.8.sigs} |   0
 lib/ldb/common/ldb.c                               |   9 +-
 lib/ldb/wscript                                    |   2 +-
 libcli/nbt/nbtsocket.c                             |  17 +-
 librpc/ndr/ndr_dns.c                               |  80 +------
 librpc/ndr/ndr_dns_utils.c                         | 134 ++++++++++++
 librpc/ndr/ndr_dns_utils.h                         |   6 +
 librpc/ndr/ndr_nbt.c                               |  72 +------
 librpc/tests/test_ndr_dns_nbt.c                    | 236 +++++++++++++++++++++
 librpc/wscript_build                               |  16 +-
 python/samba/tests/dns_packet.py                   | 229 ++++++++++++++++++++
 .../__init__.py => selftest/knownfail.d/dns_packet |   0
 selftest/knownfail.d/vlv                           |   2 +-
 source4/dsdb/samdb/ldb_modules/paged_results.c     |  65 +++++-
 source4/dsdb/samdb/ldb_modules/vlv_pagination.c    | 102 +++++++--
 source4/dsdb/tests/python/asq.py                   |  54 +++++
 source4/dsdb/tests/python/vlv.py                   | 184 ++++++++++------
 source4/selftest/tests.py                          |  12 ++
 22 files changed, 1075 insertions(+), 235 deletions(-)
 copy lib/ldb/ABI/{ldb-1.5.6.sigs => ldb-1.5.8.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.5.8.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.5.8.sigs} (100%)
 create mode 100644 librpc/ndr/ndr_dns_utils.c
 create mode 100644 librpc/ndr/ndr_dns_utils.h
 create mode 100644 librpc/tests/test_ndr_dns_nbt.c
 create mode 100644 python/samba/tests/dns_packet.py
 copy buildtools/wafsamba/__init__.py => selftest/knownfail.d/dns_packet (100%)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 5e391d3a25c..01b300ae0da 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=10
-SAMBA_VERSION_RELEASE=16
+SAMBA_VERSION_RELEASE=17
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f644038694c..a99a8bdcef5 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,87 @@
+                   ===============================
+                   Release Notes for Samba 4.10.17
+                            July 02, 2020
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
+		  LDAP Server with ASQ, VLV and paged_results.
+o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
+		  excessive CPU
+o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
+		  paged_results and VLV.
+o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
+
+
+=======
+Details
+=======
+
+o  CVE-2020-10730:
+   A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer
+   de-reference and further combinations with the LDAP paged_results feature can
+   give a use-after-free in Samba's AD DC LDAP server.
+
+o  CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
+   excessive CPU.
+
+o  CVE-2020-10760:
+   The use of the paged_results or VLV controls against the Global Catalog LDAP
+   server on the AD DC will cause a use-after-free.
+
+o  CVE-2020-14303:
+   The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process
+   further requests once it receives an empty (zero-length) UDP packet to
+   port 137.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.10.16
+---------------------
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 14378: CVE-2020-10745: Invalid DNS or NBT queries containing dots use
+     several seconds of CPU each.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
+     and VLV combined.
+   * BUG 14402: CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP
+     server with paged_result or VLV.
+   * BUG 14417: CVE-2020-14303: Fix endless loop from empty UDP packet sent to
+     AD DC nbt_server.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
+     and VLV combined, ldb: Bump version to 1.5.8.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ===============================
                    Release Notes for Samba 4.10.16
                             May 25, 2020
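Review bot: the four CVE summaries at the top of the hunk are punctuated inconsistently: the CVE-2020-10745 entry ends without a full stop while the other three end with one. In the CVE-2020-14303 detail, "The AD DC NBT server in Samba 4.0 will enter a CPU spin" reads as if only 4.0 were affected; if the intent is 4.0 and later, as the "Samba 4.1 and newer" Bugzilla product line further down suggests, say so explicitly.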
@@ -46,8 +130,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ===============================
                    Release Notes for Samba 4.10.15
diff --git a/lib/ldb/ABI/ldb-1.5.6.sigs b/lib/ldb/ABI/ldb-1.5.8.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.5.6.sigs
copy to lib/ldb/ABI/ldb-1.5.8.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-1.5.8.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-1.5.8.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util.py3-1.5.8.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.5.8.sigs
diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c
index 44a487ba987..090d41dde69 100644
--- a/lib/ldb/common/ldb.c
+++ b/lib/ldb/common/ldb.c
@@ -1009,6 +1009,13 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
 	struct ldb_db_lock_context *lock_context;
 	int ret;
 
+	if (req->context == NULL) {
+		/*
+		 * The usual way to get here is to ignore the return codes
+		 * and continuing processing after an error.
+		 */
+		abort();
+	}
 	lock_context = talloc_get_type(req->context,
 				       struct ldb_db_lock_context);
 
@@ -1023,7 +1030,7 @@ static int ldb_lock_backend_callback(struct ldb_request *req,
 		 * If this is a LDB_REPLY_DONE or an error, unlock the
 		 * DB by calling the destructor on this context
 		 */
-		talloc_free(lock_context);
+		TALLOC_FREE(req->context);
 		return ret;
 	}
 
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 0f760a9bc80..58240222d5f 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'ldb'
-VERSION = '1.5.7'
+VERSION = '1.5.8'
 
 import sys, os
 
diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c
index 33d53fba993..8aecaf73247 100644
--- a/libcli/nbt/nbtsocket.c
+++ b/libcli/nbt/nbtsocket.c
@@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
 		return;
 	}
 
+	/*
+	 * Given a zero length, data_blob_talloc() returns the
+	 * NULL blob {NULL, 0}.
+	 *
+	 * We only want to error return here on a real out of memory condition
+	 * (i.e. dsize != 0, so the UDP packet has data, but the return of the
+	 * allocation failed, so blob.data==NULL).
+	 *
+	 * Given an actual zero length UDP packet having blob.data == NULL
+	 * isn't an out of memory error condition, that's the defined semantics
+	 * of data_blob_talloc() when asked for zero bytes.
+	 *
+	 * We still need to continue to do the zero-length socket_recvfrom()
+	 * read in order to clear the "read pending" condition on the socket.
+	 */
 	blob = data_blob_talloc(tmp_ctx, NULL, dsize);
-	if (blob.data == NULL) {
+	if (blob.data == NULL && dsize != 0) {
 		talloc_free(tmp_ctx);
 		return;
 	}
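Review bot: the relaxed condition correctly stops a zero-length datagram from taking the early-return path, which left the socket readable without ever draining it and produced the busy loop the commit message describes. What the hunk does not show is what happens to the {NULL, 0} blob after the zero-length socket_recvfrom(); confirm in the code below that an empty packet is discarded before any NBT pull is attempted on blob.data, and that the CVE-2020-14303 test in the commit list covers this path.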
diff --git a/librpc/ndr/ndr_dns.c b/librpc/ndr/ndr_dns.c
index d37c8cc2ece..966e0b59786 100644
--- a/librpc/ndr/ndr_dns.c
+++ b/librpc/ndr/ndr_dns.c
@@ -33,6 +33,7 @@
 #include "librpc/gen_ndr/ndr_dnsp.h"
 #include "system/locale.h"
 #include "lib/util/util_net.h"
+#include "ndr_dns_utils.h"
 
 /* don't allow an unlimited number of name components */
 #define MAX_COMPONENTS 128
@@ -159,80 +160,11 @@ _PUBLIC_ enum ndr_err_code ndr_push_dns_string(struct ndr_push *ndr,
 					       int ndr_flags,
 					       const char *s)
 {
-	if (!(ndr_flags & NDR_SCALARS)) {
-		return NDR_ERR_SUCCESS;
-	}
-
-	while (s && *s) {
-		enum ndr_err_code ndr_err;
-		char *compname;
-		size_t complen;
-		uint32_t offset;
-
-		if (!(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION)) {
-			/* see if we have pushed the remaining string already,
-			 * if so we use a label pointer to this string
-			 */
-			ndr_err = ndr_token_retrieve_cmp_fn(&ndr->dns_string_list, s,
-							    &offset,
-							    (comparison_fn_t)strcmp,
-							    false);
-			if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-				uint8_t b[2];
-
-				if (offset > 0x3FFF) {
-					return ndr_push_error(ndr, NDR_ERR_STRING,
-							      "offset for dns string " \
-							      "label pointer " \
-							      "%u[%08X] > 0x00003FFF",
-							      offset, offset);
-				}
-
-				b[0] = 0xC0 | (offset>>8);
-				b[1] = (offset & 0xFF);
-
-				return ndr_push_bytes(ndr, b, 2);
-			}
-		}
-
-		complen = strcspn(s, ".");
-
-		/* we need to make sure the length fits into 6 bytes */
-		if (complen > 0x3F) {
-			return ndr_push_error(ndr, NDR_ERR_STRING,
-					      "component length %u[%08X] > " \
-					      "0x0000003F",
-					      (unsigned)complen,
-					      (unsigned)complen);
-		}
-
-		compname = talloc_asprintf(ndr, "%c%*.*s",
-						(unsigned char)complen,
-						(unsigned char)complen,
-						(unsigned char)complen, s);
-		NDR_ERR_HAVE_NO_MEMORY(compname);
-
-		/* remember the current component + the rest of the string
-		 * so it can be reused later
-		 */
-		if (!(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION)) {
-			NDR_CHECK(ndr_token_store(ndr, &ndr->dns_string_list, s,
-						  ndr->offset));
-		}
-
-		/* push just this component into the blob */
-		NDR_CHECK(ndr_push_bytes(ndr, (const uint8_t *)compname,
-					 complen+1));
-		talloc_free(compname);
-
-		s += complen;
-		if (*s == '.') s++;
-	}
-
-	/* if we reach the end of the string and have pushed the last component
-	 * without using a label pointer, we need to terminate the string
-	 */
-	return ndr_push_bytes(ndr, (const uint8_t *)"", 1);
+	return ndr_push_dns_string_list(ndr,
+					&ndr->dns_string_list,
+					ndr_flags,
+					s,
+					false);
 }
 
 _PUBLIC_ enum ndr_err_code ndr_pull_dns_txt_record(struct ndr_pull *ndr, int ndr_flags, struct dns_txt_record *r)
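Review bot: the body now delegates to ndr_push_dns_string_list() with is_nbt=false, so the consecutive-dot rejection and the 255-byte cap for DNS come from the shared helper; MAX_COMPONENTS, still defined at the top of this file, is no longer referenced by the push path, so check that the pull side still uses it or drop it. The commit message for the move says "we just move the code, not fix it", which no longer describes this cumulative diff; fine for a backport, but worth a note for anyone bisecting.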
diff --git a/librpc/ndr/ndr_dns_utils.c b/librpc/ndr/ndr_dns_utils.c
new file mode 100644
index 00000000000..325d9c68bea
--- /dev/null
+++ b/librpc/ndr/ndr_dns_utils.c
@@ -0,0 +1,134 @@
+#include "includes.h"
+#include "../librpc/ndr/libndr.h"
+#include "ndr_dns_utils.h"
+
+
+/**
+  push a dns/nbt string list to the wire
+*/
+enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
+					   struct ndr_token_list *string_list,
+					   int ndr_flags,
+					   const char *s,
+					   bool is_nbt)
+{
+	const char *start = s;
+	bool use_compression;
+	size_t max_length;
+	if (is_nbt) {
+		use_compression = true;
+		/*
+		 * Max length is longer in NBT/Wins, because Windows counts
+		 * the semi-decompressed size of the netbios name (16 bytes)
+		 * rather than the wire size of 32, which is what you'd expect
+		 * if it followed RFC1002 (it uses the short form in
+		 * [MS-WINSRA]). In other words the maximum size of the
+		 * "scope" is 237, not 221.
+		 *
+		 * We make the size limit slightly larger than 255 + 16,
+		 * because the 237 scope limit is already enforced in the
+		 * winsserver code with a specific return value; bailing out
+		 * here would muck with that.
+		 */
+		max_length = 274;
+	} else {
+		use_compression = !(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION);
+		max_length = 255;
+	}
+
+	if (!(ndr_flags & NDR_SCALARS)) {
+		return NDR_ERR_SUCCESS;
+	}
+
+	while (s && *s) {
+		enum ndr_err_code ndr_err;
+		char *compname;
+		size_t complen;
+		uint32_t offset;
+
+		if (use_compression) {
+			/* see if we have pushed the remaining string already,
+			 * if so we use a label pointer to this string
+			 */
+			ndr_err = ndr_token_retrieve_cmp_fn(string_list, s,
+							    &offset,
+							    (comparison_fn_t)strcmp,
+							    false);
+			if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+				uint8_t b[2];
+
+				if (offset > 0x3FFF) {
+					return ndr_push_error(ndr, NDR_ERR_STRING,
+							      "offset for dns string " \
+							      "label pointer " \
+							      "%u[%08X] > 0x00003FFF",
+							      offset, offset);
+				}
+
+				b[0] = 0xC0 | (offset>>8);
+				b[1] = (offset & 0xFF);
+
+				return ndr_push_bytes(ndr, b, 2);
+			}
+		}
+
+		complen = strcspn(s, ".");
+
+		/* the length must fit into 6 bits (i.e. <= 63) */
+		if (complen > 0x3F) {
+			return ndr_push_error(ndr, NDR_ERR_STRING,
+					      "component length %u[%08X] > " \
+					      "0x0000003F",
+					      (unsigned)complen,
+					      (unsigned)complen);
+		}
+
+		if (complen == 0 && s[complen] == '.') {
+			return ndr_push_error(ndr, NDR_ERR_STRING,
+					      "component length is 0 "
+					      "(consecutive dots)");
+		}
+
+		if (is_nbt && s[complen] == '.' && s[complen + 1] == '\0') {
+			/* nbt names are sometimes usernames, and we need to
+			 * keep a trailing dot to ensure it is byte-identical,
+			 * (not just semantically identical given DNS
+			 * semantics). */
+			complen++;
+		}
+
+		compname = talloc_asprintf(ndr, "%c%*.*s",
+						(unsigned char)complen,
+						(unsigned char)complen,
+						(unsigned char)complen, s);
+		NDR_ERR_HAVE_NO_MEMORY(compname);
+
+		/* remember the current component + the rest of the string
+		 * so it can be reused later
+		 */
+		if (use_compression) {
+			NDR_CHECK(ndr_token_store(ndr, string_list, s,
+						  ndr->offset));
+		}
+
+		/* push just this component into the blob */
+		NDR_CHECK(ndr_push_bytes(ndr, (const uint8_t *)compname,
+					 complen+1));
+		talloc_free(compname);
+
+		s += complen;
+		if (*s == '.') {
+			s++;
+		}
+		if (s - start > max_length) {
+			return ndr_push_error(ndr, NDR_ERR_STRING,
+					      "name > %zu character long",
+					      max_length);
+		}
+	}
+
+	/* if we reach the end of the string and have pushed the last component
+	 * without using a label pointer, we need to terminate the string
+	 */
+	return ndr_push_bytes(ndr, (const uint8_t *)"", 1);
+}
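Review bot: the total-length check "s - start > max_length" runs only after a component has been pushed, so a name can exceed the limit by one label before the error is raised; because ndr_push_error aborts the push this is harmless, but checking before the ndr_push_bytes() call would avoid writing the oversized component at all. Also, the error text "name > %zu character long" should read "characters", and the "(comparison_fn_t)strcmp" cast inherited from the old code would be cleaner as a properly typed comparison wrapper.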
diff --git a/librpc/ndr/ndr_dns_utils.h b/librpc/ndr/ndr_dns_utils.h
new file mode 100644
index 00000000000..71a65433bbb
--- /dev/null
+++ b/librpc/ndr/ndr_dns_utils.h
@@ -0,0 +1,6 @@
+
+enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
+					   struct ndr_token_list *string_list,
+					   int ndr_flags,
+					   const char *s,
+					   bool is_nbt);
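Review bot: the new header has no include guard and does not include or forward-declare the types it uses (struct ndr_push, struct ndr_token_list, enum ndr_err_code, bool), so it only compiles when libndr.h has already been included, which ndr_dns_utils.c, ndr_dns.c and ndr_nbt.c happen to do; add a guard and the needed includes or forward declarations so the header is self-contained.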
diff --git a/librpc/ndr/ndr_nbt.c b/librpc/ndr/ndr_nbt.c
index 838f947a168..e8dd7549a53 100644
--- a/librpc/ndr/ndr_nbt.c
+++ b/librpc/ndr/ndr_nbt.c
@@ -25,6 +25,8 @@
 #include "includes.h"
 #include "../libcli/nbt/libnbt.h"
 #include "../libcli/netlogon/netlogon.h"
+#include "ndr_dns_utils.h"
+
 
 /* don't allow an unlimited number of name components */
 #define MAX_COMPONENTS 128
@@ -141,71 +143,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_nbt_string(struct ndr_pull *ndr, int ndr_fla
 */
 _PUBLIC_ enum ndr_err_code ndr_push_nbt_string(struct ndr_push *ndr, int ndr_flags, const char *s)
 {
-	if (!(ndr_flags & NDR_SCALARS)) {
-		return NDR_ERR_SUCCESS;
-	}
-
-	while (s && *s) {
-		enum ndr_err_code ndr_err;
-		char *compname;
-		size_t complen;
-		uint32_t offset;
-
-		/* see if we have pushed the remaining string already,
-		 * if so we use a label pointer to this string
-		 */
-		ndr_err = ndr_token_retrieve_cmp_fn(&ndr->nbt_string_list, s, &offset, (comparison_fn_t)strcmp, false);
-		if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-			uint8_t b[2];
-
-			if (offset > 0x3FFF) {
-				return ndr_push_error(ndr, NDR_ERR_STRING,
-						      "offset for nbt string label pointer %u[%08X] > 0x00003FFF",
-						      offset, offset);
-			}
-
-			b[0] = 0xC0 | (offset>>8);
-			b[1] = (offset & 0xFF);
-
-			return ndr_push_bytes(ndr, b, 2);
-		}
-
-		complen = strcspn(s, ".");
-
-		/* we need to make sure the length fits into 6 bytes */
-		if (complen > 0x3F) {
-			return ndr_push_error(ndr, NDR_ERR_STRING,
-					      "component length %u[%08X] > 0x0000003F",
-					      (unsigned)complen, (unsigned)complen);
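Review bot: this hunk is cut off by the 500-line truncation of the changeset, so the replacement call in ndr_push_nbt_string() cannot be reviewed here. What is visible confirms that the removed NBT code never consulted LIBNDR_FLAG_NO_COMPRESSION, which matches use_compression being forced to true for is_nbt in ndr_push_dns_string_list, and that the old "fits into 6 bytes" comment (it should say bits) disappears with the move.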


-- 
Samba Shared Repository
