[SCM] Samba Shared Repository - branch v4-15-test updated

Jule Anger janger at samba.org
Mon Jan 31 13:44:57 UTC 2022


The branch, v4-15-test has been updated
       via  9cd1099bbea VERSION: Bump version up to Samba 4.15.6...
       via  2a28e10dc2b Merge tag 'samba-4.15.5' into v4-15-test
       via  27bd8a32359 VERSION: Disable GIT_SNAPSHOT for the 4.15.5 release.
       via  81aab85bae8 WHATSNEW: Add release notes for Samba 4.15.5.
       via  e7d0d40e684 CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().
       via  d46ffccc078 CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename.
       via  9371ace08e6 CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert().
       via  66774e97e20 CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks.
       via  b97f4a6519f CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND.
       via  dbeef6bc732 CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture.
       via  f03c42ea77f CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND.
       via  700f80d551d CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix
       via  e3f84b2b9f8 CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.
       via  9e90f31639a CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2.
       via  3e0d40f5481 CVE-2021-44141: s3: smbtorture3: Fix POSIX-BLOCKING-LOCK to actually negotiate SMB1+POSIX before using POSIX calls.
       via  c7aa173d2a4 CVE-2021-44141: s3: tests: Fix the samba3.blackbox.acl_xattr test to actually negotiate SMB1+POSIX before using POSIX calls.
       via  a180e5726d5 CVE-2021-44141: s3: tests: Fix the samba3.blackbox.inherit_owner test to actually negotiate SMB1+POSIX before using POSIX calls.
       via  300abd383ea CVE-2021-44141: s4: torture: Fix unix.info2 test to actually negotiate SMB1+POSIX before using POSIX calls.
       via  a7b6aa7d1f2 CVE-2021-44141: s4: torture: Fix raw.search:test_one_file() by using the SMB1+POSIX connection for POSIX info levels.
       via  08c40af6381 CVE-2021-44141: s4: torture: raw.search: Add setup_smb1_posix(). Call it on the second connection in test_one_file().
       via  bfcf165b29b CVE-2021-44141: s4: torture: In raw.search:test_one_file() add a second connection.
       via  c032a254bb5 CVE-2021-44141: s3: smbclient: Give a message if we try and use any POSIX command without negotiating POSIX first.
       via  4fc4bd4f20c CVE-2021-44141: s3: smbd: Tighten up info level checks for SMB1+POSIX to make sure POSIX was negotiated first.
       via  738c7080e78 CVE-2021-44141: s4: torture: In raw.search:test_one_file() remove the leading '\' in the test filenames.
       via  10242faa078 CVE-2021-44141: s4: torture: Fix raw.search:test_one_file() to use torture_result() instead of printf.
       via  f8698b1f797 CVE-2021-44141: s3: smbd: Remove 'struct uc_state' name_has_wildcard element.
       via  f77e56e2d1b CVE-2021-44141: s3: smbd: In unix_convert_step_stat() remove use of state->name_was_wildcard.
       via  e94d2bcbdc6 CVE-2021-44141: s3: smbd: In unix_convert_step() remove all use of 'state->name_was_wildcard'
       via  104499b56de CVE-2021-44141: s3: smbd: In unix_convert() remove the now unneeded block indentation.
       via  36f480c7c8e CVE-2021-44141: s3: smbd: In unix_convert(), remove all references to state->name_has_wildcard.
       via  3471f03816f CVE-2021-44141: s3: smbd: Inside unix_convert(), never set state->name_is_wildcard.
       via  d52dd78e9d8 CVE-2021-44141: s3: smbd: UCF_ALWAYS_ALLOW_WCARD_LCOMP 0x00000002 is no longer used.
       via  b0fc0efbac5 CVE-2021-44141: s3: smbd: We no longer need determine_path_error().
       via  5e42ab3f6a0 CVE-2021-44141: s3: smbd: Inside 'struct uc_state', remove allow_wcard_last_component.
       via  b73be0c7a7c CVE-2021-44141: s3: smbd: filename_convert() no longer deals with wildcards.
       via  6f2c67d9993 CVE-2021-44141: s3: smbd: parse_dfs_path() can ignore wildcards.
       via  d91d4a17443 CVE-2021-44141: s3: smbd: Remove 'bool search_wcard_flag' from parse_dfs_path().
       via  fc8e6669edb CVE-2021-44141: s3: smbd: dfs_path_lookup() no longer deals with wildcards.
       via  12b44645fb9 CVE-2021-44141: s3: smbd: Fix call_trans2findfirst() to use filename_convert_smb1_search_path().
       via  0f1436ed031 CVE-2021-44141: s3: smbd: Convert reply_search() to use filename_convert_smb1_search_path().
       via  e6d9ef3b1e8 CVE-2021-44141: s3: smbd: Add filename_convert_smb1_search_path() - deals with SMB1 search pathnames.
       via  5c55cd93e5b CVE-2021-44141: s3: smbd: Allow dfs_redirect() to return a TWRP token it got from a parsed pathname.
       via  3490db2a389 CVE-2021-44141: s3: smbd: In dfs_path_lookup(). If we have a DFS path including a @GMT-token, don't throw away the twrp value when parsing the path.
       via  f8ecb37606e CVE-2021-44141: s3: smbd: filename_convert() is now a one-to-one wrapper around filename_convert_internal().
       via  51c024a1b02 CVE-2021-44141: s3: smbd: Remove now unused check_reduced_name_with_privilege().
       via  3f60b452049 CVE-2021-44141: s3: smbd: Remove unused check_name_with_privilege().
       via  733e66aa31d CVE-2021-44141: s3: smbd: In filename_convert_internal(), remove call to check_name_with_privilege().
       via  46ec23c244b CVE-2021-44141: s3: smbd: Remove filename_convert_with_privilege(). No longer used.
       via  1c1c7ed9946 CVE-2021-44141: s3: smbd: In call_trans2findfirst() we don't need filename_convert_with_privilege() anymore.
       via  0163d21c31a CVE-2021-44141: s3: smbd: Remove split_fname_dir_mask().
       via  68ee550a0dd CVE-2021-44141: s3: smbd: In rename_internals(), remove the name spliting and re-combining code.
       via  43a9866c46b CVE-2021-44141: s3: smbd: check_name() is now static to filename.c
       via  838985e439d CVE-2021-44141: s3: smbd: In rename_internals_fsp(), remove unneeded call to check_name().
       via  26ecf18b426 CVE-2021-44141: s3: smbd: Handling SMB_FILE_RENAME_INFORMATION, the destination name is a single component.
       via  fad0039acab CVE-2021-44141: s3: smbd: Remove the old unlink_internals() implementation.
       via  a88596028ea CVE-2021-44141: s3: smbd: Comment out the old unlink_internals(). Rename do_unlink() -> unlink_internals().
       via  9fb1d11b2ed CVE-2021-44141: s3: smbd: Move to modern debug calls inside do_unlink().
       via  9907c8af089 CVE-2021-44141: s3: smbd: Move setting of dirtype if FILE_ATTRIBUTE_NORMAL to do_unlink().
       via  8c1a9ccb546 CVE-2021-44141: s3: smbd: Remove 'const char *src_original_lcomp' from reply_mv().
       via  fc80b553dc6 CVE-2021-44141: s3: smbd: Remove 'const char *src_original_lcomp' parameter from rename_internals().
       via  cf2de328ea3 CVE-2021-44141: s3: smbd: Inside rename_internals() remove '{ ... }' block around singleton rename code.
       via  be70e606c61 CVE-2021-44141: s3: smbd: Remove the commented out resolve_wildcards().
       via  cafca2b7a0e CVE-2021-44141: s3: smbd: Remove all wildcard code from rename_internals().
       via  ece00d51a7b CVE-2021-44141: s3: smbd: Remove dest_has_wild and all associated code from rename_internals()
       via  848b891d978 CVE-2021-44141: s3: smbd: Prepare to remove wildcard matching from rename_internals().
       via  992864a49f0 CVE-2021-44141: s3: smbd: In reply_ntrename() remove 'bool dest_has_wcard' and all uses.
       via  c7678425514 CVE-2021-44141: s3: smbd: In reply_ntrename(), never set dest_has_wcard.
       via  9d0c2fd42fc CVE-2021-44141: s3: smbd: In reply_ntrename() remove the UCF_ALWAYS_ALLOW_WCARD_LCOMP flag for destination lookups.
       via  07b47529426 CVE-2021-44141: s3: smbd: In SMBntrename (0xa5) prevent wildcards in destination name.
       via  7b0eba7ff03 CVE-2021-44141: s3: smbd: In smb_file_rename_information() (SMB_FILE_RENAME_INFORMATION info level) prevent destination wildcards.
       via  410126c7fb9 CVE-2021-44141: s3: smbd: Remove UCF_ALWAYS_ALLOW_WCARD_LCOMP flag from pathname processing in reply_mv().
       via  945c9264243 CVE-2021-44141: s3: smbd: Remove 'bool has_wild' parameter from unlink_internals().
       via  e4c3d31854f CVE-2021-44141: s3: smbd: Change unlink_internals() to ignore has_wild parameter.
       via  79ae11f3cb4 CVE-2021-44141: s3: smbd: In reply_unlink() remove the possibility of receiving a wildcard name.
       via  d57802650f4 CVE-2021-44141: s3: smbd: Remove support for SMBcopy SMB_COM_COPY (0x29)
       via  80d8a557dda CVE-2021-44141: s3: torture: Remove the wildcard unlink test code.
       via  05d2d29964e CVE-2021-44141: s4: torture: Remove the wildcard rename test code.
       via  b39ba559c07 CVE-2021-44141: s4: torture: Remove the wildcard unlink test code.
       via  6c40cda03e7 CVE-2021-44141: s3: torture: In run_smb1_wild_mangle_unlink_test() use a valid pathname for rename target.
       via  c249f1d09d6 CVE-2021-44141: s3: torture: In torture_mangle(), use torture_deltree() for setup and cleanup.
       via  cf109e26b7a CVE-2021-44141: s3: torture: In test_mask(), use torture_deltree() for setup.
       via  8349c57f76f CVE-2021-44141: s3: torture: In run_streamerror(), use torture_deltree() for setup.
       via  ff64b0f32d0 CVE-2021-44141: s3: torture: In torture_chkpath_test(), use torture_deltree() for setup and cleanup.
       via  18ac36f7aed CVE-2021-44141: s3: torture: In torture_casetable(), use torture_deltree() for setup and cleanup.
       via  04304b9f92c CVE-2021-44141: s3: torture: In torture_utable(), use torture_deltree() for setup.
       via  919b3c8d3fb CVE-2021-44141: s3: torture: In run_smb1_wild_mangle_rename_test() use torture_deltree() for setup and cleanup.
       via  74fe15a05ad CVE-2021-44141: s3: torture: In run_smb1_wild_mangle_unlink_test() use torture_deltree() for setup and cleanup.
       via  57fbf7564c7 CVE-2021-44141: s3: torture: Add torture_deltree() for setup and teardown.
       via  db095ee5f03 CVE-2021-44141: s4: libcli: smbcli_unlink() is no longer used with wildcard patterns.
       via  2cfbfd3e0a6 CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() to setup and cleanup in masktest.
       via  ee3a5f2ee00 CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() in base.casetable test.
       via  745d08fe10a CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() to cleanup in base.mangle test.
       via  6f9580493e2 CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() to remove wildcards in base.chkpath test.
       via  a0fd6cd62f3 CVE-2021-44141: s4: torture: In raw.notify test use smbcli_unlink_wcard() in place of smbcli_unlink().
       via  cf661f306af CVE-2021-44141: s4: libcli: In smbcli_deltree() use smbcli_unlink_wcard() in place of smbcli_unlink().
       via  550ece56400 CVE-2021-44141: s4: libcli: Add smbcli_unlink_wcard().
       via  0e2b3fb982d CVE-2021-44142: libadouble: harden parsing code
       via  4533a7b4319 CVE-2021-44142: libadouble: add basic cmocka tests
       via  b4c0b4620f1 CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
       via  22b40919249 CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs
       via  eee61be9b58 CVE-2021-44142: libadouble: add defines for icon lengths
       via  7a516257ea3 CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object
       via  d392b10c55b CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN
      from  bab52ff3bf8 blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------
commit 9cd1099bbeaf007b1258b2ac00f34ab58d3d40e5
Author: Jule Anger <janger at samba.org>
Date:   Mon Jan 31 14:44:06 2022 +0100

    VERSION: Bump version up to Samba 4.15.6...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Jule Anger <janger at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 2a28e10dc2b9cf7156051b493d2ef08f180d079c
Merge: bab52ff3bf8 27bd8a32359
Author: Jule Anger <janger at samba.org>
Date:   Mon Jan 31 14:43:18 2022 +0100

    Merge tag 'samba-4.15.5' into v4-15-test
    
    samba: tag release samba-4.15.5

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   58 +-
 python/samba/tests/ldap_spn.py                     |    7 +
 selftest/target/Samba3.pm                          |    2 +-
 selftest/tests.py                                  |    2 +
 selftest/todo_smb2_tests_to_port.list              |    2 -
 source3/client/client.c                            |   79 ++
 source3/lib/adouble.c                              |  136 +-
 source3/lib/adouble.h                              |    2 +
 source3/lib/test_adouble.c                         |  389 ++++++
 source3/printing/nt_printing.c                     |    2 +-
 source3/script/tests/test_acl_xattr.sh             |   12 +-
 source3/script/tests/test_inherit_owner.sh         |    2 +-
 source3/script/tests/test_smbclient_s3.sh          |   10 +-
 .../script/tests/test_symlink_rename_smb1_posix.sh |  186 +++
 .../script/tests/test_symlink_traversal_smb1.sh    |  263 ++++
 .../tests/test_symlink_traversal_smb1_posix.sh     |  270 ++++
 .../script/tests/test_symlink_traversal_smb2.sh    |  263 ++++
 source3/selftest/tests.py                          |   22 +-
 source3/smbd/filename.c                            |  665 ++++++----
 source3/smbd/msdfs.c                               |   30 +-
 source3/smbd/nttrans.c                             |   50 +-
 source3/smbd/open.c                                |   13 +-
 source3/smbd/proto.h                               |   22 +-
 source3/smbd/reply.c                               | 1344 ++------------------
 source3/smbd/smbd.h                                |    2 +-
 source3/smbd/trans2.c                              |  194 +--
 source3/smbd/vfs.c                                 |  191 +--
 source3/torture/mangle_test.c                      |    9 +-
 source3/torture/masktest.c                         |    3 +-
 source3/torture/proto.h                            |    1 +
 source3/torture/torture.c                          |  238 ++--
 source3/torture/utable.c                           |    8 +-
 source3/wscript_build                              |    5 +
 source4/dsdb/samdb/ldb_modules/samldb.c            |    3 +-
 source4/libcli/clideltree.c                        |    2 +-
 source4/libcli/clifile.c                           |  100 +-
 source4/libcli/libcli.h                            |    5 +
 source4/torture/basic/base.c                       |    4 +-
 source4/torture/basic/mangle_test.c                |    2 +-
 source4/torture/basic/utable.c                     |    2 +-
 source4/torture/masktest.c                         |    2 +-
 source4/torture/raw/notify.c                       |    2 +-
 source4/torture/raw/rename.c                       |   33 -
 source4/torture/raw/search.c                       |  161 ++-
 source4/torture/raw/unlink.c                       |   72 --
 source4/torture/unix/unix_info2.c                  |   42 +-
 47 files changed, 2698 insertions(+), 2216 deletions(-)
 create mode 100644 source3/lib/test_adouble.c
 create mode 100755 source3/script/tests/test_symlink_rename_smb1_posix.sh
 create mode 100755 source3/script/tests/test_symlink_traversal_smb1.sh
 create mode 100755 source3/script/tests/test_symlink_traversal_smb1_posix.sh
 create mode 100755 source3/script/tests/test_symlink_traversal_smb2.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index fa3ca1826e3..d11bae2323b 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=5
+SAMBA_VERSION_RELEASE=6
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 9cb58de2a61..292c34457df 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,58 @@
+                   ==============================
+                   Release Notes for Samba 4.15.5
+                          January 31, 2022
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
+                  of a symlink exists.
+                  https://www.samba.org/samba/security/CVE-2021-44141.html
+
+o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
+                  https://www.samba.org/samba/security/CVE-2021-44142.html
+
+o CVE-2022-0336:  Re-adding an SPN skips subsequent SPN conflict checks.
+                  https://www.samba.org/samba/security/CVE-2022-0336.html
+
+
+Changes since 4.15.4
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 14911: CVE-2021-44141
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 14914: CVE-2021-44142
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 14950: CVE-2022-0336
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.15.4
                           January 19, 2022
@@ -61,8 +116,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.15.3
                          December 08, 2021
diff --git a/python/samba/tests/ldap_spn.py b/python/samba/tests/ldap_spn.py
index 8a398ffaa49..6ebdf8f9a32 100644
--- a/python/samba/tests/ldap_spn.py
+++ b/python/samba/tests/ldap_spn.py
@@ -268,6 +268,8 @@ class LdapSpnTestBase(TestCase):
             for k in ('dNSHostName', 'servicePrincipalName'):
                 if isinstance(m.get(k), str):
                     m[k] = m[k].format(dnsname=f"x.{REALM}")
+                elif isinstance(m.get(k), list):
+                    m[k] = [x.format(dnsname=f"x.{REALM}") for x in m[k]]
 
             msg = ldb.Message.from_dict(samdb, m, op)
 
@@ -727,6 +729,11 @@ class LdapSpnSambaOnlyTest(LdapSpnTestBase):
          ('user:C', 'host/{dnsname}', '*', ok),
          ('user:D', 'www/{dnsname}', 'D', denied),
         ),
+        ("add a conflict, along with a re-added SPN",
+         ('A', 'cifs/{dnsname}', '*', ok),
+         ('B', 'cifs/heeble.example.net', 'B', ok),
+         ('B', ['cifs/heeble.example.net', 'host/{dnsname}'], 'B', constraint),
+        ),
 
         ("changing dNSHostName after host",
          ('A', {'dNSHostName': '{dnsname}'}, '*', ok),
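
Review bot: the new case lists the re-added SPN first and the conflicting one second (`['cifs/heeble.example.net', 'host/{dnsname}']`). A second case with the two values in the opposite order would show that the conflict is reported regardless of where the re-added SPN sits in the list.
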
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 84903b87d3e..b901fd2677a 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -2496,7 +2496,7 @@ sub provision($$)
 	create_file_chmod("$widelinks_target", 0666) or return undef;
 
 	##
-	## This link should get ACCESS_DENIED
+	## This link should get an error
 	##
 	symlink "$widelinks_target", "$widelinks_shrdir/source";
 	##
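
Review bot: "an error" in the rewritten comment no longer tells the reader which status to expect. The commit list for this update changes the expected code in test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND; naming that status here would keep the comment as useful as the one it replaces.
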
diff --git a/selftest/tests.py b/selftest/tests.py
index e7338985caf..c87b41c1a66 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -434,3 +434,5 @@ if with_elasticsearch_backend:
                   [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
 plantestsuite("samba.unittests.credentials", "none",
               [os.path.join(bindir(), "default/auth/credentials/test_creds")])
+plantestsuite("samba.unittests.adouble", "none",
+              [os.path.join(bindir(), "test_adouble")])
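
Review bot: the binary path for samba.unittests.adouble is `os.path.join(bindir(), "test_adouble")`, while the two suites directly above it point below `default/` (`default/source3/test_mdsparser_es`, `default/auth/credentials/test_creds`). If test_adouble is built under source3 like its source file, this entry should probably follow the same pattern; otherwise a short comment on why it differs would help.
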
diff --git a/selftest/todo_smb2_tests_to_port.list b/selftest/todo_smb2_tests_to_port.list
index a9d7b8b48c5..dc1df963918 100644
--- a/selftest/todo_smb2_tests_to_port.list
+++ b/selftest/todo_smb2_tests_to_port.list
@@ -242,7 +242,6 @@ samba3.smbtorture_s3.crypt_client.TRANS2(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt_client.UID-REGRESSION-TEST(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt_client.UNLINK(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt_client.W2K(nt4_dc_smb1)
-samba3.smbtorture_s3.crypt_client.WILDDELETE(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt_client.XCOPY(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt.POSIX-ACL-OPLOCK(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt.POSIX-ACL-SHAREROOT(nt4_dc_smb1)
@@ -327,7 +326,6 @@ samba3.smbtorture_s3.plain.TRANS2(fileserver_smb1)
 samba3.smbtorture_s3.plain.UID-REGRESSION-TEST(fileserver_smb1)
 samba3.smbtorture_s3.plain.UNLINK(fileserver_smb1)
 samba3.smbtorture_s3.plain.W2K(fileserver_smb1)
-samba3.smbtorture_s3.plain.WILDDELETE(fileserver_smb1)
 samba3.smbtorture_s3.plain.WINDOWS-BAD-SYMLINK(nt4_dc_smb1)
 samba3.smbtorture_s3.plain.XCOPY(fileserver_smb1)
 samba3.smbtorture_s3.vfs_aio_fork(fileserver_smb1).RW1(fileserver_smb1)
diff --git a/source3/client/client.c b/source3/client/client.c
index a8e11044b39..5ad6ee7b844 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -2839,6 +2839,11 @@ static int cmd_posix_open(void)
 		d_printf("posix_open <filename> 0<mode>\n");
 		return 1;
 	}
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"posix_open\" command can be used.\n");
+		return 1;
+	}
 	mode = (mode_t)strtol(buf, (char **)NULL, 8);
 
 	status = cli_resolve_path(ctx, "",
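
Review bot: the same five-line guard on `CLI_DIRSEP_CHAR != '/'` is pasted here and into each of the other POSIX commands touched in this file, differing only in the command name inside the message (and, in some hunks, in the indentation of the continuation line). A small helper taking the command name and returning whether to proceed would keep the condition and the wording in one place, and would give the directory-separator comparison a name that says it stands for "the posix command has been issued", which the bare test does not.
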
@@ -2900,6 +2905,11 @@ static int cmd_posix_mkdir(void)
 		d_printf("posix_mkdir <filename> 0<mode>\n");
 		return 1;
 	}
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"posix_mkdir\" command can be used.\n");
+		return 1;
+	}
 	mode = (mode_t)strtol(buf, (char **)NULL, 8);
 
 	status = cli_resolve_path(ctx, "",
@@ -2934,6 +2944,11 @@ static int cmd_posix_unlink(void)
 		d_printf("posix_unlink <filename>\n");
 		return 1;
 	}
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"posix_unlink\" command can be used.\n");
+		return 1;
+	}
 	mask = talloc_asprintf(ctx,
 			"%s%s",
 			client_get_cur_dir(),
@@ -2979,6 +2994,11 @@ static int cmd_posix_rmdir(void)
 		d_printf("posix_rmdir <filename>\n");
 		return 1;
 	}
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"posix_rmdir\" command can be used.\n");
+		return 1;
+	}
 	mask = talloc_asprintf(ctx,
 			"%s%s",
 			client_get_cur_dir(),
@@ -3178,6 +3198,12 @@ static int cmd_lock(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"lock\" command can be used.\n");
+		return 1;
+	}
+
 	len = (uint64_t)strtol(buf, (char **)NULL, 16);
 
 	status = cli_posix_lock(cli, fnum, start, len, true, lock_type);
@@ -3214,6 +3240,12 @@ static int cmd_unlock(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"unlock\" command can be used.\n");
+		return 1;
+	}
+
 	len = (uint64_t)strtol(buf, (char **)NULL, 16);
 
 	status = cli_posix_unlock(cli, fnum, start, len);
@@ -3237,6 +3269,12 @@ static int cmd_posix_whoami(void)
 	bool guest = false;
 	uint32_t i;
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"posix_whoami\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_whoami(cli,
 			ctx,
 			&uid,
@@ -3374,6 +3412,12 @@ static int cmd_link(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"link\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_hardlink(targetcli, targetname, newname);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("%s linking files (%s -> %s)\n",
@@ -3427,6 +3471,12 @@ static int cmd_readlink(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"readlink\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_readlink(targetcli, name, talloc_tos(), &linkname);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("%s readlink on file %s\n",
@@ -3466,6 +3516,11 @@ static int cmd_symlink(void)
 	link_target = buf;
 
 	if (SERVER_HAS_UNIX_CIFS(cli)) {
+		if (CLI_DIRSEP_CHAR != '/') {
+			d_printf("Command \"posix\" must be issued before "
+				"the \"symlink\" command can be used.\n");
+			return 1;
+		}
 		newname = talloc_asprintf(ctx, "%s%s", client_get_cur_dir(),
 					  buf2);
 		if (!newname) {
@@ -3549,6 +3604,12 @@ static int cmd_chmod(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"chmod\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_chmod(targetcli, targetname, mode);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("%s chmod file %s 0%o\n",
@@ -3713,6 +3774,12 @@ static int cmd_getfacl(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"getfacl\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_unix_extensions_version(targetcli, &major, &minor,
 					     &caplow, &caphigh);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -4012,6 +4079,12 @@ static int cmd_stat(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"stat\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_stat(targetcli, targetname, &sbuf);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("%s stat file %s\n",
@@ -4126,6 +4199,12 @@ static int cmd_chown(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"chown\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_chown(targetcli, targetname, uid, gid);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("%s chown file %s uid=%d, gid=%d\n",
diff --git a/source3/lib/adouble.c b/source3/lib/adouble.c
index f809a445081..37fb686f17b 100644
--- a/source3/lib/adouble.c
+++ b/source3/lib/adouble.c
@@ -269,6 +269,95 @@ size_t ad_setentryoff(struct adouble *ad, int eid, size_t off)
 	return ad->ad_eid[eid].ade_off = off;
 }
 
+/*
+ * All entries besides FinderInfo and resource fork must fit into the
+ * buffer. FinderInfo is special as it may be larger then the default 32 bytes
+ * if it contains marshalled xattrs, which we will fixup that in
+ * ad_convert(). The first 32 bytes however must also be part of the buffer.
+ *
+ * The resource fork is never accessed directly by the ad_data buf.
+ */
+static bool ad_entry_check_size(uint32_t eid,
+				size_t bufsize,
+				uint32_t off,
+				uint32_t got_len)
+{
+	struct {
+		off_t expected_len;
+		bool fixed_size;
+		bool minimum_size;
+	} ad_checks[] = {
+		[ADEID_DFORK] = {-1, false, false}, /* not applicable */
+		[ADEID_RFORK] = {-1, false, false}, /* no limit */
+		[ADEID_NAME] = {ADEDLEN_NAME, false, false},
+		[ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false},
+		[ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false},
+		[ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false},
+		[ADEID_FILEI] = {ADEDLEN_FILEI, true, false},
+		[ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false},
+		[ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true},
+		[ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false},
+		[ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false},
+		[ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false},
+		[ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false},
+		[ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false},
+		[ADEID_DID] = {ADEDLEN_DID, true, false},
+		[ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false},
+		[ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false},
+		[ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false},
+		[ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false},
+	};
+
+	if (eid >= ADEID_MAX) {
+		return false;
+	}
+	if (got_len == 0) {
+		/* Entry present, but empty, allow */
+		return true;
+	}
+	if (ad_checks[eid].expected_len == 0) {
+		/*
+		 * Shouldn't happen: implicitly initialized to zero because
+		 * explicit initializer missing.
+		 */
+		return false;
+	}
+	if (ad_checks[eid].expected_len == -1) {
+		/* Unused or no limit */
+		return true;
+	}
+	if (ad_checks[eid].fixed_size) {
+		if (ad_checks[eid].expected_len != got_len) {
+			/* Wrong size fo fixed size entry. */
+			return false;
+		}
+	} else {
+		if (ad_checks[eid].minimum_size) {
+			if (got_len < ad_checks[eid].expected_len) {
+				/*
+				 * Too small for variable sized entry with
+				 * minimum size.
+				 */
+				return false;
+			}
+		} else {
+			if (got_len > ad_checks[eid].expected_len) {
+				/* Too big for variable sized entry. */
+				return false;
+			}
+		}
+	}
+	if (off + got_len < off) {
+		/* wrap around */
+		return false;
+	}
+	if (off + got_len > bufsize) {
+		/* overflow */
+		return false;
+	}
+	return true;
+}
+
 /**
  * Return a pointer to an AppleDouble entry
  *
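
Review bot: in ad_entry_check_size() the guard `eid >= ADEID_MAX` protects an index into `ad_checks[]`, but the array's length comes from its highest designated initializer (`[ADEID_PRIVID]`), not from ADEID_MAX. Declaring the array as `ad_checks[ADEID_MAX]`, or bounding on its element count, ties the check to the array; the `expected_len == 0` branch then still catches ids that have no initializer. The table is also rebuilt on the stack on every call and could be `static const`. Typos in the new comments: "larger then", "which we will fixup that in", "fo fixed size".
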
@@ -276,8 +365,15 @@ size_t ad_setentryoff(struct adouble *ad, int eid, size_t off)
  **/
 char *ad_get_entry(const struct adouble *ad, int eid)
 {
+	size_t bufsize = talloc_get_size(ad->ad_data);
 	off_t off = ad_getentryoff(ad, eid);
 	size_t len = ad_getentrylen(ad, eid);
+	bool valid;
+
+	valid = ad_entry_check_size(eid, bufsize, off, len);
+	if (!valid) {
+		return NULL;
+	}
 
 	if (off == 0 || len == 0) {
 		return NULL;
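
Review bot: `off` (off_t) and `len` (size_t) are passed to ad_entry_check_size(), whose parameters are `uint32_t off, uint32_t got_len`, so the values validated are the implicitly narrowed ones while the `off == 0 || len == 0` test and the rest of the function keep using the wide variables. Using uint32_t locals here, or widening the helper's parameters, would guarantee that the checked and the used values are the same. The `!valid` path also returns NULL silently, which a caller cannot tell apart from the existing empty-entry case; a debug message there would help when a file is rejected.
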
@@ -707,14 +803,27 @@ static bool ad_pack(struct vfs_handle_struct *handle,
 static bool ad_unpack_xattrs(struct adouble *ad)
 {
 	struct ad_xattr_header *h = &ad->adx_header;
+	size_t bufsize = talloc_get_size(ad->ad_data);
 	const char *p = ad->ad_data;
 	uint32_t hoff;
 	uint32_t i;
 
+	if (ad->ad_type != ADOUBLE_RSRC) {
+		return false;
+	}
+
 	if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) {
 		return true;
 	}
 
+	/*
+	 * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
+	 * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
+	 */
+	if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
+		return false;
+	}
+
 	/* 2 bytes padding */
 	hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2;
 
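
Review bot: the new `ad->ad_type != ADOUBLE_RSRC` test returns false ahead of the existing `ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI` early `return true`, so a caller that passes a non-RSRC adouble now gets a failure even when there is nothing to unpack. If that is intended, say so in a comment; if not, move the type test below the length test. Both new `return false` paths are silent; a DBG_ERR naming the ad_type or the bufsize would make a rejected file diagnosable.
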
@@ -901,20 +1010,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
 			return false;
 		}
 
-		/*
-		 * All entries besides FinderInfo and resource fork
-		 * must fit into the buffer. FinderInfo is special as
-		 * it may be larger then the default 32 bytes (if it
-		 * contains marshalled xattrs), but we will fixup that
-		 * in ad_convert(). And the resource fork is never
-		 * accessed directly by the ad_data buf (also see
-		 * comment above) anyway.
-		 */
-		if ((eid != ADEID_RFORK) &&
-		    (eid != ADEID_FINDERI) &&
-		    ((off + len) > bufsize)) {
-			DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n",
-				  eid, off, len));
+		ok = ad_entry_check_size(eid, bufsize, off, len);
+		if (!ok) {
+			DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] "
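
Review bot: switching ad_unpack() to ad_entry_check_size() changes how ADEID_FINDERI is treated. The removed condition skipped the `(off + len) > bufsize` test for both ADEID_RFORK and ADEID_FINDERI, whereas the helper's table only exempts ADEID_RFORK (`-1`); FinderInfo has `minimum_size` set and then falls through to `off + got_len > bufsize`. The helper's comment says only the first 32 bytes of FinderInfo must be part of the buffer, which is not what that code checks. Please state which behaviour is intended in the comment or the commit message, and confirm the new cmocka tests include an oversized FinderInfo entry.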


-- 
Samba Shared Repository


