[SCM] Samba Shared Repository - branch v4-16-stable updated
Jule Anger
janger at samba.org
Wed Jul 27 10:30:54 UTC 2022
The branch, v4-16-stable has been updated
via 9618af1b66a VERSION: Disable GIT_SNAPSHOT for the 4.16.4 release.
via b0ad1276b5e WHATSNEW: Add release notes for Samba 4.16.4.
via 74946420dd5 CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
via ed3f82f4d70 CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
via e650b41ff90 CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
via a46dd2846f3 CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
via 8c0f421852d CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
via 9895018b64c CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
via ff66f68a11c CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
via 7ee246ef9ca CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
via c9e1949fa8e CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
via fa198ce28f8 s4:kdc: Remove kadmin mode from HDB plugin
via d03021791b8 CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
via 0cb4100d16d CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
via 1f54e16cf1d CVE-2022-2031 tests/krb5: Test truncated forms of server principals
via 8d8ffbfc7b5 CVE-2022-32744 s4:kdc: Don't allow HDB keytab iteration
via 90e53b8eae9 CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
via b77fb6e636c CVE-2022-2031 third_party/heimdal: Add function to get current KDC time
via f70ada5eb45 CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
via fb7391ca60e CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
via 2b63f021e59 CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
via 9022a69aebf CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
via ada799129eb CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
via 4aafa72991c CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
via 3761a6e8713 CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
via 59d656406f5 s4:kpasswd: Restructure code for clarity
via b8d97f5bd55 CVE-2022-2031 s4:kpasswd: Require an initial ticket
via eade23880ec CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
via 393c18b53ec CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
via 99bbd95a1d6 CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
via 63d6af6ed70 CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
via 705e7ff46d6 CVE-2022-2031 s4:kpasswd: Correctly generate error strings
via 8a4f07c2ca2 CVE-2022-2031 tests/krb5: Add tests for kpasswd service
via 4af92867274 CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
via c84eb0e6736 CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
via 06c7f3d3f67 CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
via 3e52255fd16 tests/krb5: Add option for creating accounts with expired passwords
via a907564b698 tests/krb5: Fix enum typo
via 5f32710d678 CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
via 82bfffcdc3c CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
via 7cc2b1ac553 CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
via a0efc5bc0ae CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
via 7c9faf1aacc CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
via 3034c1933c2 CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
via af53dbec65c CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
via 3bd5df466cb CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
via f706dcd5ddc CVE-2022-2031 s4:kpasswd: Account for missing target principal
via 52b953bfc18 CVE-2022-2031 third_party/heimdal: Check generate_pac() return code
via 628534b4dcf CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
via 06444c0d4ea selftest: Simplify krb5 test environments
via 191adf2cf38 tests/krb5: Add helper function to modify ticket flags
via 23f770ed910 s4:kdc: Also cannoicalize krbtgt principals when enforcing canonicalization
via e0d25e172c4 CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
via 701aef133fd CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
via f2ded77168d CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
via 1d7690b000f CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
via 90ef792d904 CVE-2022-32746 ldb: Release LDB 2.5.2
via 18b73e01ca4 CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
via c0127af98b2 CVE-2022-32746 ldb: Add functions for appending to an ldb_message
via a7a59c540ba CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message
via 513574283d9 CVE-2022-32746 ldb: Add flag to mark message element values as shared
via 77d87117744 CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check
via 738955d0e14 CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check
via f2ee4c78d95 CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check
via ef8e25cf53f CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check
via b436fa43f29 CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
via e46e43f76e7 CVE-2022-32746 s4:torture: Fix LDB flags comparison
via 59cd645b395 CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
via c83967ad71a CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN
via 16f3112687e CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
via f44ba288796 VERSION: Bump version up to Samba 4.16.4...
from b3cbf421c2a VERSION: Disable GIT_SNAPSHOT for the 4.16.3 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-stable
- Log -----------------------------------------------------------------
commit 9618af1b66aa7503e02b25c9a0bb5b1f31baffbc
Author: Jule Anger <janger at samba.org>
Date: Sun Jul 24 11:45:55 2022 +0200
VERSION: Disable GIT_SNAPSHOT for the 4.16.4 release.
Signed-off-by: Jule Anger <janger at samba.org>
commit b0ad1276b5ef7f6ba1e6b60e57ff54d5b8b8f3af
Author: Jule Anger <janger at samba.org>
Date: Sun Jul 24 11:12:28 2022 +0200
WHATSNEW: Add release notes for Samba 4.16.4.
Signed-off-by: Jule Anger <janger at samba.org>
commit 74946420dd59a102c8d5f4a0127d5e479da5470d
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jun 8 13:50:51 2022 -0700
CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
Fixes the raw.write.bad-write test.
NB. We need the two (==0) changes in source3/smbd/reply.c
as the gcc optimizer now knows that the return from
smbreq_bufrem() can never be less than zero.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
Remove knownfail.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
commit ed3f82f4d70bbc89b89af31153eed96a544a754a
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jun 7 09:40:45 2022 -0700
CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
Reproduces the test code in:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
Add knownfail.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
commit e650b41ff907ac48f66844bbdf72f83a9e41ea16
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jun 23 13:59:11 2022 +1200
CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
We ensure that the KDC does not reject a TGS-REQ with our short-lived
TGT over an incoming trust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit a46dd2846f37ec7d64716c8e68d53cf1ab5e4f67
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 10 19:18:53 2022 +1200
CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
If TGTs can be used as kpasswd tickets, the two-minute lifetime of an
authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets
are not supposed to be cached, but using this flaw, a stolen credentials
cache containing a TGT may be used to change that account's password,
and thus is made more valuable to an attacker.
Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and
service tickets without it, we assert the absence of this buffer to
ensure we're not accepting a TGT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Fixed knownfail conflicts]
commit 8c0f421852dfcde31ef94e3af182e438a3bc460f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 10 19:18:35 2022 +1200
CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
We use the presence or absence of a REQUESTER_SID PAC buffer to
determine whether the ticket is a TGT. We will later use this to reject
TGTs where a service ticket is expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
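
The check described in the commit message above, as an added example that is not Samba's code: a bounds-checked scan of the PAC buffer directory that treats a ticket as a TGT when a REQUESTER_SID buffer is present. The directory layout and the type value 0x12 follow MS-PAC; the function names, the enum and the sample byte arrays are constructed for illustration, and buffer payloads are zero-filled placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PACTYPE layout per MS-PAC: cBuffers (4 bytes LE), Version (4 bytes LE),
 * then cBuffers PAC_INFO_BUFFER entries of ulType (4), cbBufferSize (4)
 * and Offset (8, measured from the start of the PAC). */
#define PAC_HEADER_LEN          8u
#define PAC_INFO_BUFFER_LEN     16u
#define PAC_TYPE_LOGON_INFO     0x01u
#define PAC_TYPE_REQUESTER_SID  0x12u

/* Hypothetical result type for this sketch. */
enum ticket_type { TICKET_INVALID = -1, TICKET_NON_TGT = 0, TICKET_TGT = 1 };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t le64(const uint8_t *p)
{
    return (uint64_t)le32(p) | ((uint64_t)le32(p + 4) << 32);
}

/* Walk the buffer directory; any malformed entry makes the whole PAC invalid
 * so that a truncated or inconsistent PAC is never classified either way. */
enum ticket_type classify_pac(const uint8_t *pac, size_t len)
{
    if (pac == NULL || len < PAC_HEADER_LEN) {
        return TICKET_INVALID;
    }
    uint32_t count = le32(pac);
    if (le32(pac + 4) != 0) {                 /* Version must be 0 */
        return TICKET_INVALID;
    }
    if (count > (len - PAC_HEADER_LEN) / PAC_INFO_BUFFER_LEN) {
        return TICKET_INVALID;                /* directory would overrun input */
    }
    size_t dir_end = PAC_HEADER_LEN + (size_t)count * PAC_INFO_BUFFER_LEN;
    bool has_requester_sid = false;

    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = pac + PAC_HEADER_LEN + (size_t)i * PAC_INFO_BUFFER_LEN;
        uint32_t type = le32(e);
        uint32_t size = le32(e + 4);
        uint64_t off = le64(e + 8);

        /* Payload must lie after the directory and inside the input. */
        if (off < dir_end || off > len || size > len - off) {
            return TICKET_INVALID;
        }
        if (type == PAC_TYPE_REQUESTER_SID) {
            has_requester_sid = true;
        }
    }
    return has_requester_sid ? TICKET_TGT : TICKET_NON_TGT;
}

/* kpasswd side: only a ticket whose PAC lacks REQUESTER_SID is acceptable. */
bool acceptable_for_kpasswd(const uint8_t *pac, size_t len)
{
    return classify_pac(pac, len) == TICKET_NON_TGT;
}

/* Constructed sample: two buffers, the second one REQUESTER_SID. */
static const uint8_t sample_tgt_pac[56] = {
    2, 0, 0, 0,  0, 0, 0, 0,
    PAC_TYPE_LOGON_INFO, 0, 0, 0,     8, 0, 0, 0,  40, 0, 0, 0, 0, 0, 0, 0,
    PAC_TYPE_REQUESTER_SID, 0, 0, 0,  8, 0, 0, 0,  48, 0, 0, 0, 0, 0, 0, 0,
    /* remaining 16 payload bytes are zero placeholders */
};

/* Constructed sample: one buffer, no REQUESTER_SID. */
static const uint8_t sample_service_pac[32] = {
    1, 0, 0, 0,  0, 0, 0, 0,
    PAC_TYPE_LOGON_INFO, 0, 0, 0,     8, 0, 0, 0,  24, 0, 0, 0, 0, 0, 0, 0,
};

int main(void)
{
    printf("TGT sample      -> %d\n",
           classify_pac(sample_tgt_pac, sizeof(sample_tgt_pac)));
    printf("service sample  -> %d\n",
           classify_pac(sample_service_pac, sizeof(sample_service_pac)));
    printf("truncated input -> %d\n", classify_pac(sample_tgt_pac, 30));
    return 0;
}
```
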
commit 9895018b64c56c6e5a291c0ae90f3fc33e26e0ef
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 10 19:18:07 2022 +1200
CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
This field may be used to convey whether we were provided with a TGT or
a non-TGT. We ensure both structures are zeroed out to avoid incorrect
results being produced by an uninitialised field.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ff66f68a11c87531648c907ae2a7a6753868bc03
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 10 19:17:11 2022 +1200
CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
The kpasswd service should require a kpasswd service ticket, and
disallow TGTs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Fixed knownfail conflicts]
commit 7ee246ef9ca9c057779466bc9d0319606de46eff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 30 19:16:02 2022 +1200
CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
To ensure that, when decrypting the kpasswd ticket, we look up the
correct principal and don't trust the sname from the ticket, we should
pass the principal name of the kpasswd service into krb5_rd_req_ctx().
However, gensec_krb5_update_internal() will pass in NULL unless the
principal in our credentials is CRED_SPECIFIED.
At present, our principal will be considered obtained as CRED_SMB_CONF
(from the cli_credentials_set_conf() a few lines up), so we explicitly
set the realm again, but this time as CRED_SPECIFIED. Now the value of
server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not
be NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c9e1949fa8e14a3f2516abb439a2ba83dab418ce
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 26 16:39:20 2022 +1200
CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
This plugin is now only used by the kpasswd service. Thus, ensuring we
only look up the kadmin/changepw principal means we can't be fooled into
accepting tickets for other service principals. We make sure not to
specify a specific kvno, to ensure that we do not accept RODC-issued
tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Fixed knownfail conflicts]
commit fa198ce28f82efd2e05178bab3b5606662c40a09
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 8 13:53:29 2022 +1200
s4:kdc: Remove kadmin mode from HDB plugin
It appears we no longer require it.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d03021791b8b51f45bfa9007a6b937f5eeba3d8a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 26 16:36:30 2022 +1200
CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
This makes explicitly clear the purpose of this keytab.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0cb4100d16d567f05669c192d6a20dbf5b9bbe98
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 25 20:00:55 2022 +1200
CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
We would only compare the first 'n' characters, where 'n' is the length
of the principal component string, so 'k at REALM' would erroneously be
considered equal to 'krbtgt at REALM'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
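
The comparison flaw described in the commit message above, as an added example that is not Samba's code: a length-counted principal component compared with strncmp() bounded by the component's own length, next to a comparison that checks the length first. The struct, the function names and the candidate list are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-counted principal component (not Samba's type). */
struct component {
    const char *data;
    size_t length;
};

/* Flawed: the bound is the component's length, so every prefix of `name`
 * (including the empty string, where the bound is 0) compares equal. */
bool component_matches_flawed(const struct component *c, const char *name)
{
    return strncmp(c->data, name, c->length) == 0;
}

/* Hardened: the lengths must agree before any bytes are compared. */
bool component_matches(const struct component *c, const char *name)
{
    size_t n = strlen(name);
    return c->length == n && memcmp(c->data, name, n) == 0;
}

/* Constructed candidates for the first component of a server principal. */
static const struct component candidates[] = {
    { "krbtgt",  6 },   /* the real name: both checks accept it */
    { "k",       1 },   /* truncated form from the commit message */
    { "krb",     3 },   /* truncated form from the follow-up test commit */
    { "",        0 },   /* empty component: strncmp() with n == 0 returns 0 */
    { "krbtgtx", 7 },   /* longer name: rejected by both checks */
    { "KRBTGT",  6 },   /* different bytes: rejected by both checks */
};

/* Count the candidates that only the flawed comparison accepts. */
size_t count_false_accepts(const char *name)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof(candidates) / sizeof(candidates[0]); i++) {
        if (component_matches_flawed(&candidates[i], name) &&
            !component_matches(&candidates[i], name)) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sizeof(candidates) / sizeof(candidates[0]); i++) {
        printf("%-8s flawed=%d hardened=%d\n",
               candidates[i].length ? candidates[i].data : "(empty)",
               component_matches_flawed(&candidates[i], "krbtgt"),
               component_matches(&candidates[i], "krbtgt"));
    }
    printf("false accepts: %zu\n", count_false_accepts("krbtgt"));
    return 0;
}
```
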
commit 1f54e16cf1d5a1f113b88ae938c4752c630eb1d0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 14 15:23:55 2022 +1200
CVE-2022-2031 tests/krb5: Test truncated forms of server principals
We should not be able to use krb at REALM instead of krbtgt at REALM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 8d8ffbfc7b567622c5682866bfec650583d026f2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 17:52:05 2022 +1200
CVE-2022-32744 s4:kdc: Don't allow HDB keytab iteration
A fallback in krb5_rd_req_ctx() means that Samba's kpasswd service will
try many inappropriate keys to decrypt the ticket supplied to it. For
example, it will accept a ticket encrypted with the Administrator's key,
when it should rather accept only tickets encrypted with the krbtgt's
key (and not an RODC krbtgt). To fix this, declare the HDB keytab using
the HDBGET ops, which do not support iteration.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 90e53b8eae98c6b8ae0982a84bf87c329ab8f2a4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 30 19:18:17 2022 +1200
CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
For Heimdal, this now matches the behaviour of Windows. The object of
this requirement is to ensure we don't allow kpasswd tickets, not having
a lifetime of more than two minutes, to be passed off as TGTs.
An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer
suffices to prevent kpasswd ticket misuse, so this is just an additional
precaution on top.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b77fb6e636ce46f1f62cf5b71efd8dd3dd6fdbdb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 22 20:01:12 2022 +1200
CVE-2022-2031 third_party/heimdal: Add function to get current KDC time
This allows the plugin to check the endtime of a ticket against the
KDC's current time, to see if the ticket will expire in the next two
minutes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit f70ada5eb45baf192f72e9df11327dea5a49fa36
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 17:53:49 2022 +1200
CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
This matches the behaviour of Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Adapted entry to entry_ex->entry; included
samba_kdc.h header file]
commit fb7391ca60e4c86bcf79d25547476edf81278c1c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 18 16:56:01 2022 +1200
CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
Since this principal goes through the samba_kdc_fetch_server() path,
setting the canonicalisation flag would cause the principal to be
replaced with the sAMAccountName; this meant requests to
kadmin/changepw at REALM would result in a ticket to krbtgt at REALM. Now we
properly handle canonicalisation for the kadmin/changepw principal.
View with 'git show -b'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Adapted entry to entry_ex->entry; removed MIT KDC
1.20-specific knownfails]
commit 2b63f021e5970386fc4e4923f32b14008e6aac0e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 25 17:19:58 2022 +1200
CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
This eliminates some duplicate branches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 9022a69aebfca3af5a5ef432ff392df69490d961
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 18 16:56:01 2022 +1200
CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Adapted entry to entry_ex->entry]
commit ada799129ebc19c51a014dcf05cd17ea86b73f5b
Author: Andreas Schneider <asn at samba.org>
Date: Tue May 24 09:54:18 2022 +0200
CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
[jsutton at samba.org Adapted entry to entry_ex->entry]
commit 4aafa72991cb59426669725733251d45f912cccb
Author: Andreas Schneider <asn at samba.org>
Date: Thu May 19 16:35:28 2022 +0200
CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 3761a6e87131a27b6687eb387b35069cba0119d3
Author: Andreas Schneider <asn at samba.org>
Date: Tue May 24 10:17:00 2022 +0200
CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 59d656406f58af649fb20a74c295f840327135b0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 18 17:11:49 2022 +1200
s4:kpasswd: Restructure code for clarity
View with 'git show -b'.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b8d97f5bd5566996a5fb9def4d0ee3fb8b21974b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 18 16:52:41 2022 +1200
CVE-2022-2031 s4:kpasswd: Require an initial ticket
Ensure that for password changes the client uses an AS-REQ to get the
ticket to kpasswd, and not a TGS-REQ.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Removed MIT KDC 1.20-specific knownfails]
commit eade23880ec8484530ca19a929bae7c437eafc7e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 18 16:06:31 2022 +1200
CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
This will be used in the kpasswd service to ensure that the client has
an initial ticket to kadmin/changepw, and not a service ticket.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 393c18b53ec88e18239b9fa2c1e6ef2009a75ad5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 18 16:49:43 2022 +1200
CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
If we attempt to return an error code outside of Heimdal's allowed range
[KRB5KDC_ERR_NONE, KRB5_ERR_RCSID), it will be replaced with a GENERIC
error, and the error text will be set to the meaningless result of
krb5_get_error_message(). Avoid this by ensuring the error code is in
the correct range.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 99bbd95a1d6d96b33e9af310e8c0788440e51845
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri May 27 19:29:34 2022 +1200
CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
The error code passed in will be an offset from ERROR_TABLE_BASE_krb5,
so we need to subtract that before creating the error. Heimdal does this
internally, so it isn't needed there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 63d6af6ed70a0e9581f851c46c921f1024c7515d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 18 16:48:59 2022 +1200
CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Removed MIT KDC 1.20-specific knownfails]
commit 705e7ff46d61338e0529c2ac6ce2245d399d27d5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri May 27 19:21:06 2022 +1200
CVE-2022-2031 s4:kpasswd: Correctly generate error strings
The error_data we create already has an explicit length, and should not
be zero-terminated, so we omit the trailing null byte. Previously,
Heimdal builds would leave a superfluous trailing null byte on error
strings, while MIT builds would omit the final character.
The two bytes added to the string's length are for the prepended error
code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Removed MIT KDC 1.20-specific knownfails]
commit 8a4f07c2ca2dc153a3c5fc635ac261d372c62fde
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 19:59:16 2022 +1200
CVE-2022-2031 tests/krb5: Add tests for kpasswd service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Fixed conflicts in usage.py and knownfails; removed
MIT KDC 1.20-specific knownfails as it's not supported]
commit 4af9286727415485ae82fb68478753e70c0bbe6d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 26 16:35:03 2022 +1200
CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c84eb0e673640aeb391766bda50ec7649a75e4d9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 19:57:57 2022 +1200
CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
Now we can test the kpasswd service from Python.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 06c7f3d3f672646b2e0e556693df83761e8dc4e1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 19:34:59 2022 +1200
CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[jsutton at samba.org Fixed conflict due to lacking rc4_support parameter]
commit 3e52255fd1623883449ab0ef8e759e0463662597
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 19:30:12 2022 +1200
tests/krb5: Add option for creating accounts with expired passwords
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a907564b698b5a2647ccf011db6ee45d5049ed04
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 19:26:56 2022 +1200
tests/krb5: Fix enum typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5f32710d6787bbf821a37f786a3e82360b7b7660
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 19:20:28 2022 +1200
CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
This allows us to send and receive kpasswd messages, while avoiding the
existing logic for encoding and decoding other Kerberos message types.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 82bfffcdc3cd2ae5f71f5cc18bf862ac88ee038a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 19:21:37 2022 +1200
CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
This allows us to use the kpasswd port, 464.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7cc2b1ac55390cefca0644534939329b49a9535a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 19:17:45 2022 +1200
CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a0efc5bc0aeff42563660cd68ba4dcb85d609bc6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 19:13:54 2022 +1200
CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7c9faf1aacc3c22c0c1a44a7259ddd995bc26c4a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 24 19:06:53 2022 +1200
CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3034c1933c22c76d112693117ac6bf0f95a49f70
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 26 20:52:04 2022 +1200
CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
This allows us to make use of it in other tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit af53dbec65ca65030d4712acdabbb7505b811611
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 26 16:34:01 2022 +1200
CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
The environment variable is a string, but we expect an integer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3bd5df466cb567be8c673eb20cfe903f1950a700
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 30 19:17:41 2022 +1200
CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
The target principal and realm fields of the setpw structure are
supposed to be optional, but in MIT Kerberos they are mandatory. For
better compatibility and ease of testing, fall back to parsing the
simpler (containing only the new password) structure if the MIT function
fails to decode it.
Although the target principal and realm fields should be optional, one
is not supposed to be specified without the other, so we don't have to deal
with the case where only one is specified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f706dcd5ddc13f7e615a7d503420693d1ee45eb2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri May 27 19:17:02 2022 +1200
CVE-2022-2031 s4:kpasswd: Account for missing target principal
This field is supposed to be optional.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 52b953bfc1891a83099b0829b00f6710f17454fb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jun 16 15:32:49 2022 +1200
CVE-2022-2031 third_party/heimdal: Check generate_pac() return code
If the function fails, we should not issue a ticket missing the PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 628534b4dcf080a1ab9349d43973c97de818d69c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 15 19:37:39 2022 +1200
CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
So that we do not confuse TGTs and kpasswd tickets, it is critical to
check that the REQUESTER_SID buffer exists in TGTs, and to ensure that
it is not propagated to service tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 06444c0d4ea7e4f26bcf7ea285061e97c294444e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Mar 4 16:57:27 2022 +1300
selftest: Simplify krb5 test environments
It's not necessary to repeat the required environment variables for
every test.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit e729606631b5bfaf7c4ad8c1e70697adf8274777)
commit 191adf2cf3880a56a8289b5da7dd1bdf41f24ce6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Feb 8 12:15:36 2022 +1300
tests/krb5: Add helper function to modify ticket flags
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit ded5115f73dff5b8b2f3212988e03f9dbe0c2aa3)
commit 23f770ed910b837b20f5252283f849cebff66745
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 21 12:17:11 2021 +0100
s4:kdc: Also canonicalize krbtgt principals when enforcing canonicalization
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f1ec950aeb47283a504018bafa21f54c3282e70c)
commit e0d25e172c48c1cd083466dc304257698aadf4af
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jun 3 16:16:31 2022 +1200
CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
To use memcpy(), we need to specify the number of bytes to copy, rather
than the number of ldb_val structures.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 701aef133fd6efb03f8b32dfd5a4d93acf8b9fce
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Feb 17 11:13:38 2022 +1300
CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
Doing so is undefined behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit f2ded77168dbc54b1d0c8ead08701c48af3f3a74
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Feb 17 11:11:53 2022 +1300
CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
Currently, we can crash the server by sending a large number of values
of a specific attribute (such as sAMAccountName) spread across a few
message elements. If val_count is larger than the total number of
elements, we get an access beyond the elements array.
Similarly, we can include unrelated message elements prior to the
message elements of the attribute in question, so that not all of the
attribute's values are copied into the returned elements values array.
This can cause the server to access uninitialised data, likely resulting
in a crash or unexpected behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 1d7690b000f115ea39fb498d63de46ab6705f927
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Feb 16 17:03:10 2022 +1300
CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
This avoids potentially trying to access the first element of an empty
array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
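The four CVE-2022-32745 commit messages above describe gathering one attribute's values from several message elements. The following is an added example, not Samba's code: a simplified model that bounds its loops by the element count, sizes memcpy() in bytes and never passes it a NULL pointer. The ex_* types and functions are hypothetical stand-ins, and the sample message is constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified stand-ins for ldb_val, ldb_message_element and
 * ldb_message, reduced to the fields this example needs. */
struct ex_val { const unsigned char *data; size_t length; };
struct ex_element {
	const char *name;
	unsigned int num_values;
	struct ex_val *values;
};
struct ex_message {
	unsigned int num_elements;
	struct ex_element *elements;
};

/* An element contributes only if it names the attribute and really has
 * values; empty elements (num_values 0 or values NULL) are skipped. */
static int ex_has_values(const struct ex_element *el, const char *attr)
{
	return strcasecmp(el->name, attr) == 0 &&
	       el->num_values > 0 && el->values != NULL;
}

/*
 * Gather every value of attr from all matching elements of msg into one
 * newly allocated array. Returns 0 on success, -1 on overflow or allocation
 * failure. *out stays NULL when the attribute carries no values.
 */
int ex_collect_values(const struct ex_message *msg, const char *attr,
		      struct ex_val **out, unsigned int *out_count)
{
	struct ex_val *vals;
	unsigned int i, total = 0, copied = 0;

	*out = NULL;
	*out_count = 0;

	/* Pass 1: count. The loop limit is the number of elements in the
	 * message, never a value count. */
	for (i = 0; i < msg->num_elements; i++) {
		const struct ex_element *el = &msg->elements[i];

		if (!ex_has_values(el, attr)) {
			continue; /* unrelated or empty element */
		}
		if (el->num_values > UINT_MAX - total) {
			return -1; /* the total would wrap */
		}
		total += el->num_values;
	}
	if (total == 0) {
		return 0;
	}

	vals = calloc(total, sizeof(*vals));
	if (vals == NULL) {
		return -1;
	}

	/* Pass 2: copy. Same bound as pass 1, so elements that come before
	 * or between the matching ones cannot cut the copy short. */
	for (i = 0; i < msg->num_elements; i++) {
		const struct ex_element *el = &msg->elements[i];

		if (!ex_has_values(el, attr)) {
			continue;
		}
		/* The size is in bytes: value count times sizeof one value. */
		memcpy(&vals[copied], el->values,
		       el->num_values * sizeof(*vals));
		copied += el->num_values;
	}

	*out = vals;
	*out_count = copied;
	return 0;
}

/* Constructed sample: five values of one attribute spread over a message of
 * four elements, with an unrelated element first and an empty one between. */
int ex_sample_count(const char *attr)
{
	static struct ex_val d[] = { { (const unsigned char *)"x", 1 } };
	static struct ex_val a[] = { { (const unsigned char *)"u1", 2 },
				     { (const unsigned char *)"u2", 2 } };
	static struct ex_val b[] = { { (const unsigned char *)"u3", 2 },
				     { (const unsigned char *)"u4", 2 },
				     { (const unsigned char *)"u5", 2 } };
	struct ex_element els[] = {
		{ "description", 1, d },
		{ "sAMAccountName", 2, a },
		{ "sAMAccountName", 0, NULL },
		{ "samaccountname", 3, b },
	};
	struct ex_message msg = { 4, els };
	struct ex_val *vals = NULL;
	unsigned int n = 0, i;

	if (ex_collect_values(&msg, attr, &vals, &n) != 0) {
		return -1;
	}
	for (i = 0; i < n; i++) {
		if (vals[i].data == NULL || vals[i].length == 0) {
			free(vals);
			return -2; /* an uncopied slot was returned */
		}
	}
	free(vals);
	return (int)n;
}
```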
commit 90ef792d904bc14c462a0232b985185a2159cf94
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 14 15:43:26 2022 +1200
CVE-2022-32746 ldb: Release LDB 2.5.2
* CVE-2022-32746 Use-after-free occurring in database audit logging module (bug 15009)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 18b73e01ca4c67d27e08e505c0d29ff5c99d26ea
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Feb 21 16:27:37 2022 +1300
CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
This aims to minimise usage of the error-prone pattern of searching for
a just-added message element in order to make modifications to it (and
potentially finding the wrong element).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit c0127af98b2af828c635bd5a97b732cc5d151567
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Feb 16 16:30:03 2022 +1300
CVE-2022-32746 ldb: Add functions for appending to an ldb_message
Currently, there are many places where we use ldb_msg_add_empty() to add
an empty element to a message, and then call ldb_msg_add_value() or
similar to add values to that element. However, this performs an
unnecessary search of the message's elements to locate the new element.
Moreover, if an element with the same attribute name already exists
earlier in the message, the values will be added to that element,
instead of to the intended newly added element.
A similar pattern exists where we add values to a message, and then call
ldb_msg_find_element() to locate that message element and set its flags
to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary
search, and may locate the wrong message element for setting the flags.
To avoid these problems, add functions for appending a value to a
message, so that a particular value can be added to the end of a message
in a single operation.
For ADD requests, it is important that no two message elements share the
same attribute name, otherwise things will break. (Normally,
ldb_msg_normalize() is called before processing the request to help
ensure this.) Thus, we must be careful not to append an attribute to an
ADD message, unless we are sure (e.g. through ldb_msg_find_element())
that an existing element for that attribute is not present.
These functions will be used in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit a7a59c540ba13777109b33470dbd2d2c4938eb9d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Feb 16 12:35:13 2022 +1300
CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message
Using the newly added ldb flag, we can now detect when a message has
been shallow-copied so that its elements share their values with the
original message elements. Then when adding values to the copied
message, we now make a copy of the shared values array first.
This should prevent a use-after-free that occurred in LDB modules when
new values were added to a shallow copy of a message by calling
talloc_realloc() on the original values array, invalidating the 'values'
pointer in the original message element. The original values pointer can
later be used in the database audit logging module which logs database
requests, and potentially cause a crash.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 513574283d9985b9a74b9faecf57355fea178dc0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Feb 21 16:10:32 2022 +1300
CVE-2022-32746 ldb: Add flag to mark message element values as shared
When making a shallow copy of an ldb message, mark the message elements
of the copy as sharing their values with the message elements in the
original message.
This flag value will be heeded in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 77d87117744a0d96fa758e68dd0a4c2fc759b413
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 14 21:12:39 2022 +1200
CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 738955d0e14ead23c3ca2e8c0ce1d042332de73d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 14 21:11:33 2022 +1200
CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit f2ee4c78d95e744d83a85f472f9d2d487cc3cf3a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 14 19:49:19 2022 +1200
CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit ef8e25cf53f218c63f6becd8724a20d4e0cba6f7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Feb 16 12:43:52 2022 +1300
CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit b436fa43f29da677513e4fb6bf5c4f9f69280be0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 21 15:22:47 2022 +1200
CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to
(el->flags & LDB_FLAG_MOD_MASK) == 0
which is only true if none of the LDB_FLAG_MOD_* values are set, so we
would not successfully return if the element was a DELETE. Correct the
expression to what it was intended to be.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit e46e43f76e7731c90ef4c47caa67d233d8c62d9a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 21 14:49:51 2022 +1200
CVE-2022-32746 s4:torture: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to
(el->flags & LDB_FLAG_MOD_MASK) == 0
which is only true if none of the LDB_FLAG_MOD_* values are set. Correct
the expression to what it was probably intended to be.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 59cd645b3958eeb7b359ed5b488820070873fac8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 21 14:41:02 2022 +1200
CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to
(req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0
which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct
the expression to what it was probably intended to be.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
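The flags-comparison commit messages above name two ways a check on el->flags goes wrong: treating an LDB_FLAG_MOD_* value as a bit, and comparing the whole field by equality while unrelated bits are set. The following is an added example, not code from the Samba tree. The numeric values given for the LDB_FLAG_MOD_* names are assumptions to check against your tree's ldb.h, and EX_FLAG_UNRELATED and the ex_* functions are hypothetical.

```c
#include <stddef.h>

/* Names from this page; the numeric values are assumed for the example
 * and should be checked against ldb.h. */
#define LDB_FLAG_MOD_MASK        0x3
#define LDB_FLAG_MOD_TYPE(flags) ((flags) & LDB_FLAG_MOD_MASK)
#define LDB_FLAG_MOD_ADD         1
#define LDB_FLAG_MOD_REPLACE     2
#define LDB_FLAG_MOD_DELETE      3

/* Hypothetical bit outside the mask, standing in for any internal flag
 * that shares the flags field with the modification type. */
#define EX_FLAG_UNRELATED        0x80

/* Bit test against an enumerated value. With the values above DELETE
 * equals the mask, so this is really "any modification type is set". */
int ex_is_delete_bittest(unsigned int flags)
{
	return (flags & LDB_FLAG_MOD_DELETE) != 0;
}

/* Plain equality on the whole field: correct only while no other bit is
 * ever set in flags. */
int ex_is_delete_equal(unsigned int flags)
{
	return flags == LDB_FLAG_MOD_DELETE;
}

/* Mask first, then compare: unrelated bits no longer affect the result. */
int ex_is_delete_masked(unsigned int flags)
{
	return LDB_FLAG_MOD_TYPE(flags) == LDB_FLAG_MOD_DELETE;
}

typedef int (*ex_pred)(unsigned int flags);

/* Run one predicate over a constructed set of element flags and return how
 * many it classifies as DELETE. Exactly two of the entries are deletes. */
unsigned int ex_count_deletes(ex_pred is_delete)
{
	static const unsigned int sample[] = {
		LDB_FLAG_MOD_ADD,
		LDB_FLAG_MOD_REPLACE,
		LDB_FLAG_MOD_DELETE,
		LDB_FLAG_MOD_DELETE | EX_FLAG_UNRELATED,
		LDB_FLAG_MOD_ADD | EX_FLAG_UNRELATED,
		0,
	};
	unsigned int hits = 0;
	size_t i;

	for (i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
		if (is_delete(sample[i])) {
			hits++;
		}
	}
	return hits;
}
```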
commit c83967ad71ae1fbacb6cec696face96aef1d2e22
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 21 15:37:15 2022 +1200
CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN
If an account has an SPN that requires Write Property to set, we should
still be able to delete it with just Validated Write.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 16f3112687e59deb862ebb8f3649310a352b038a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 14 21:09:53 2022 +1200
CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 71 +-
auth/auth_sam_reply.c | 2 +-
auth/auth_util.c | 2 +-
lib/krb5_wrap/krb5_samba.c | 2 +-
lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.5.2.sigs} | 8 +
...pyldb-util-2.1.0.sigs => pyldb-util-2.5.2.sigs} | 0
lib/ldb/common/ldb_msg.c | 260 ++++-
lib/ldb/include/ldb.h | 30 +
lib/ldb/include/ldb_module.h | 6 +
lib/ldb/ldb_map/ldb_map.c | 5 +-
lib/ldb/ldb_map/ldb_map_inbound.c | 9 +-
lib/ldb/modules/rdn_name.c | 24 +-
lib/ldb/wscript | 2 +-
librpc/idl/auth.idl | 23 +
python/samba/tests/krb5/as_req_tests.py | 30 +-
python/samba/tests/krb5/kdc_base_test.py | 135 ++-
python/samba/tests/krb5/kdc_tgs_tests.py | 102 +-
python/samba/tests/krb5/kpasswd_tests.py | 1049 ++++++++++++++++++++
python/samba/tests/krb5/raw_testcase.py | 425 +++++++-
python/samba/tests/krb5/rfc4120.asn1 | 6 +
python/samba/tests/krb5/rfc4120_constants.py | 13 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 13 +-
python/samba/tests/krb5/s4u_tests.py | 17 +-
python/samba/tests/usage.py | 1 +
selftest/knownfail_mit_kdc | 11 +-
source3/include/smb_macros.h | 2 +-
source3/passdb/pdb_samba_dsdb.c | 14 +-
source3/smbd/reply.c | 4 +-
source4/auth/gensec/gensec_krb5.c | 20 +-
source4/auth/gensec/gensec_krb5_helpers.c | 72 ++
.../auth/gensec/gensec_krb5_helpers.h | 25 +-
.../auth/gensec/gensec_krb5_internal.h | 37 +-
source4/auth/gensec/wscript_build | 4 +
source4/auth/kerberos/kerberos_pac.c | 44 +
source4/auth/ntlm/auth_developer.c | 2 +-
source4/auth/sam.c | 2 +-
source4/auth/session.c | 2 +
source4/auth/system_session.c | 6 +-
source4/dns_server/dnsserver_common.c | 12 +-
source4/dsdb/common/util.c | 134 ++-
source4/dsdb/samdb/ldb_modules/acl.c | 5 +-
source4/dsdb/samdb/ldb_modules/descriptor.c | 10 +-
source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 2 +-
source4/dsdb/samdb/ldb_modules/objectguid.c | 20 +-
source4/dsdb/samdb/ldb_modules/partition.c | 4 +-
source4/dsdb/samdb/ldb_modules/partition_init.c | 14 +-
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 32 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 82 +-
.../dsdb/samdb/ldb_modules/tombstone_reanimate.c | 16 +-
source4/dsdb/samdb/ldb_modules/util.c | 14 +-
source4/dsdb/tests/python/acl.py | 26 +
source4/kdc/db-glue.c | 242 +++--
source4/kdc/hdb-samba4-plugin.c | 37 +-
source4/kdc/hdb-samba4.c | 66 ++
source4/kdc/kdc-glue.h | 3 +
source4/kdc/kdc-heimdal.c | 6 +-
source4/kdc/kdc-server.h | 2 +-
source4/kdc/kdc-service-mit.c | 4 +-
source4/kdc/kpasswd-helper.c | 33 +-
source4/kdc/kpasswd-helper.h | 2 +
source4/kdc/kpasswd-service-heimdal.c | 76 +-
source4/kdc/kpasswd-service-mit.c | 146 ++-
source4/kdc/kpasswd-service.c | 36 +-
source4/kdc/mit-kdb/kdb_samba_principals.c | 2 +-
source4/kdc/mit_samba.c | 79 +-
source4/kdc/samba_kdc.h | 2 +
source4/kdc/wdc-samba4.c | 26 +
source4/kdc/wscript_build | 1 +
source4/lib/registry/ldb.c | 2 +-
source4/nbt_server/wins/winsdb.c | 13 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 55 +-
source4/selftest/tests.py | 244 +----
source4/torture/drs/rpc/dssync.c | 4 +-
source4/torture/raw/write.c | 89 ++
source4/winbind/idmap.c | 10 +-
testprogs/blackbox/test_kinit_trusts_heimdal.sh | 6 +-
testprogs/blackbox/test_kpasswd_heimdal.sh | 39 +-
third_party/heimdal/kdc/kerberos5.c | 4 +-
third_party/heimdal/kdc/libkdc-exports.def | 1 +
third_party/heimdal/kdc/process.c | 6 +
third_party/heimdal/kdc/version-script.map | 1 +
82 files changed, 3193 insertions(+), 897 deletions(-)
copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.5.2.sigs} (96%)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.5.2.sigs} (100%)
create mode 100755 python/samba/tests/krb5/kpasswd_tests.py
create mode 100644 source4/auth/gensec/gensec_krb5_helpers.c
copy source3/include/srvstr.h => source4/auth/gensec/gensec_krb5_helpers.h (65%)
copy libcli/smbreadline/smbreadline.h => source4/auth/gensec/gensec_krb5_internal.h (51%)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index ece0505a714..d948db4fa15 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=16
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f6d5cc5331e..c9146b8ef29 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,71 @@
+ ==============================
+ Release Notes for Samba 4.16.4
+ July 27, 2022
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with
+ changing passwords.
+ https://www.samba.org/samba/security/CVE-2022-2031.html
+
+o CVE-2022-32744: Samba AD users can forge password change requests for any user.
+ https://www.samba.org/samba/security/CVE-2022-32744.html
+
+o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
+ or modify request.
+ https://www.samba.org/samba/security/CVE-2022-32745.html
+
+o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
+ process with an LDAP add or modify request.
+ https://www.samba.org/samba/security/CVE-2022-32746.html
+
+o CVE-2022-32742: Server memory information leak via SMB1.
+ https://www.samba.org/samba/security/CVE-2022-32742.html
+
+Changes since 4.16.3
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 15085: CVE-2022-32742.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 15009: CVE-2022-32746.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15047: CVE-2022-2031.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15008: CVE-2022-32745.
+ * BUG 15009: CVE-2022-32746.
+ * BUG 15047: CVE-2022-2031.
+ * BUG 15074: CVE-2022-32744.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.16.3
July 18, 2022
@@ -65,8 +133,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.16.2
June 13, 2022
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index fda014c87d5..173a5132964 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -416,7 +416,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_LEVEL;
}
- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
/*
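Review bot: the change from talloc() to talloc_zero() at the user_info_dc allocation carries no comment saying which member of struct auth_user_info_dc now depends on being zero-initialised. A one-line comment naming that member, or an explicit assignment after the NT_STATUS_HAVE_NO_MEMORY() check, would stop a later cleanup from turning this back into talloc() as if it were only cosmetic.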
diff --git a/auth/auth_util.c b/auth/auth_util.c
index fe01babd107..ec9094d0f15 100644
--- a/auth/auth_util.c
+++ b/auth/auth_util.c
@@ -44,7 +44,7 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
return NULL;
}
- dst = talloc(mem_ctx, struct auth_session_info);
+ dst = talloc_zero(mem_ctx, struct auth_session_info);
if (dst == NULL) {
DBG_ERR("talloc failed\n");
TALLOC_FREE(frame);
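Review bot: with dst now zeroed in copy_session_info(), any member the function does not copy explicitly ends up as 0/NULL in the copy rather than as garbage, which makes a forgotten member much harder to notice. It is worth confirming that every member of struct auth_session_info is copied from the source further down in this function, and noting in a comment which members are meant to keep their zero default.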
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 99809ffea27..4321f07ca09 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -237,7 +237,7 @@ krb5_error_code smb_krb5_mk_error(krb5_context context,
return code;
}
- errpkt.error = error_code;
+ errpkt.error = error_code - ERROR_TABLE_BASE_krb5;
errpkt.text.length = 0;
if (e_text != NULL) {
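Review bot: `errpkt.error = error_code - ERROR_TABLE_BASE_krb5;` assumes every caller of smb_krb5_mk_error() passes a code taken from the krb5 error table. A value from outside that table (0, a code from another table, or one that was already reduced to its wire form) would be encoded as a negative or unrelated error number. Suggest a range check before the subtraction, or at least a comment on the function stating that error_code must be a table-based krb5 code.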
diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.5.2.sigs
similarity index 96%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.5.2.sigs
index 5049dc64ce1..40388d9e330 100644
--- a/lib/ldb/ABI/ldb-2.0.5.sigs
+++ b/lib/ldb/ABI/ldb-2.5.2.sigs
@@ -155,7 +155,14 @@ ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_d
ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *)
ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *)
ldb_msg_add_string: int (struct ldb_message *, const char *, const char *)
+ldb_msg_add_string_flags: int (struct ldb_message *, const char *, const char *, int)
ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **)
+ldb_msg_append_fmt: int (struct ldb_message *, int, const char *, const char *, ...)
+ldb_msg_append_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *, int)
+ldb_msg_append_steal_string: int (struct ldb_message *, const char *, char *, int)
+ldb_msg_append_steal_value: int (struct ldb_message *, const char *, struct ldb_val *, int)
+ldb_msg_append_string: int (struct ldb_message *, const char *, const char *, int)
+ldb_msg_append_value: int (struct ldb_message *, const char *, const struct ldb_val *, int)
ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *)
ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *)
ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
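Review bot: ldb_msg_append_fmt takes its int flags as the second argument, while the other five ldb_msg_append_* signatures added here take flags last. The variadic tail forces this, but the difference is easy to trip over when converting call sites from one helper to another, so the header documentation for ldb_msg_append_fmt should point out the argument order.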
@@ -163,6 +170,7 @@ ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *)
ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *)
ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **)
+ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, const struct ldb_val *)
ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *)
ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *)
ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *)
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.5.2.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.5.2.sigs
diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index 57dfc5a04c2..9cd7998e21c 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg,
return LDB_SUCCESS;
}
+/*
+ * add a value to a message element
+ */
+int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx,
+ struct ldb_message_element *el,
+ const struct ldb_val *val)
+{
+ struct ldb_val *vals;
+
+ if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) {
+ /*
+ * Another message is using this message element's values array,
+ * so we don't want to make any modifications to the original
+ * message, or potentially invalidate its own values by calling
+ * talloc_realloc(). Make a copy instead.
+ */
+ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
+
+ vals = talloc_array(mem_ctx, struct ldb_val,
+ el->num_values + 1);
+ if (vals == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ if (el->values != NULL) {
+ memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val));
+ }
+ } else {
+ vals = talloc_realloc(mem_ctx, el->values, struct ldb_val,
+ el->num_values + 1);
+ if (vals == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ }
+ el->values = vals;
+ el->values[el->num_values] = *val;
+ el->num_values++;
+
+ return LDB_SUCCESS;
+}
+
/*
add a value to a message
*/
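Review bot: in ldb_msg_element_add_value(), LDB_FLAG_INTERNAL_SHARED_VALUES is cleared before the result of talloc_array() is checked. If that allocation fails, the function returns LDB_ERR_OPERATIONS_ERROR with the flag already gone while el->values still points at the array owned by the other message, so a later call on the same element would take the talloc_realloc() branch on shared memory. Suggest moving `el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;` to after the NULL check, once the private copy exists.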
@@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg,
struct ldb_message_element **return_el)
{
struct ldb_message_element *el;
- struct ldb_val *vals;
int ret;
el = ldb_msg_find_element(msg, attr_name);
@@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg,
}
}
- vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
- el->num_values+1);
- if (!vals) {
- return LDB_ERR_OPERATIONS_ERROR;
+ ret = ldb_msg_element_add_value(msg->elements, el, val);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
- el->values = vals;
- el->values[el->num_values] = *val;
- el->num_values++;
if (return_el) {
*return_el = el;
@@ -473,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg,
/*
- add a string element to a message
+ add a string element to a message, specifying flags
*/
-int ldb_msg_add_string(struct ldb_message *msg,
- const char *attr_name, const char *str)
+int ldb_msg_add_string_flags(struct ldb_message *msg,
+ const char *attr_name, const char *str,
+ int flags)
{
struct ldb_val val;
+ int ret;
+ struct ldb_message_element *el = NULL;
val.data = discard_const_p(uint8_t, str);
val.length = strlen(str);
@@ -488,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg,
return LDB_SUCCESS;
}
- return ldb_msg_add_value(msg, attr_name, &val, NULL);
+ ret = ldb_msg_add_value(msg, attr_name, &val, &el);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (flags != 0) {
+ el->flags = flags;
+ }
+
+ return LDB_SUCCESS;
+}
+
+/*
+ add a string element to a message
+*/
+int ldb_msg_add_string(struct ldb_message *msg,
+ const char *attr_name, const char *str)
+{
+ return ldb_msg_add_string_flags(msg, attr_name, str, 0);
}
/*
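Review bot: `el->flags = flags;` in ldb_msg_add_string_flags() can land on an element that was already in the message, because ldb_msg_add_value() reuses whatever ldb_msg_find_element() returns for attr_name. In that case the assignment replaces the flags that applied to the values already stored there, and a caller cannot ask for flags 0 at all, since 0 is treated as "leave unchanged". Both behaviours should be stated in the function comment, which currently only says "specifying flags".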
@@ -550,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg,
return ldb_msg_add_steal_value(msg, attr_name, &val);
}
+static int ldb_msg_append_value_impl(struct ldb_message *msg,
+ const char *attr_name,
+ const struct ldb_val *val,
+ int flags,
+ struct ldb_message_element **return_el)
+{
+ struct ldb_message_element *el = NULL;
+ int ret;
+
+ ret = ldb_msg_add_empty(msg, attr_name, flags, &el);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_msg_element_add_value(msg->elements, el, val);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (return_el != NULL) {
+ *return_el = el;
+ }
+
+ return LDB_SUCCESS;
+}
+
+/*
+ append a value to a message
+*/
+int ldb_msg_append_value(struct ldb_message *msg,
+ const char *attr_name,
+ const struct ldb_val *val,
+ int flags)
+{
+ return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL);
+}
+
+/*
+ append a value to a message, stealing it into the 'right' place
+*/
+int ldb_msg_append_steal_value(struct ldb_message *msg,
+ const char *attr_name,
+ struct ldb_val *val,
+ int flags)
+{
+ int ret;
+ struct ldb_message_element *el = NULL;
+
+ ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el);
+ if (ret == LDB_SUCCESS) {
+ talloc_steal(el->values, val->data);
+ }
+ return ret;
+}
+
+/*
+ append a string element to a message, stealing it into the 'right' place
+*/
+int ldb_msg_append_steal_string(struct ldb_message *msg,
+ const char *attr_name, char *str,
+ int flags)
+{
+ struct ldb_val val;
+
+ val.data = (uint8_t *)str;
+ val.length = strlen(str);
+
+ if (val.length == 0) {
+ /* allow empty strings as non-existent attributes */
+ return LDB_SUCCESS;
+ }
+
+ return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
+}
+
+/*
+ append a string element to a message
+*/
+int ldb_msg_append_string(struct ldb_message *msg,
+ const char *attr_name, const char *str, int flags)
+{
+ struct ldb_val val;
+
+ val.data = discard_const_p(uint8_t, str);
+ val.length = strlen(str);
+
+ if (val.length == 0) {
+ /* allow empty strings as non-existent attributes */
+ return LDB_SUCCESS;
+ }
+
+ return ldb_msg_append_value(msg, attr_name, &val, flags);
+}
+
+/*
+ append a DN element to a message
+ WARNING: this uses the linearized string from the dn, and does not
+ copy the string.
+*/
+int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name,
+ struct ldb_dn *dn, int flags)
+{
+ char *str = ldb_dn_alloc_linearized(msg, dn);
+
+ if (str == NULL) {
+ /* we don't want to have unknown DNs added */
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ return ldb_msg_append_steal_string(msg, attr_name, str, flags);
+}
+
+/*
+ append a printf formatted element to a message
+*/
+int ldb_msg_append_fmt(struct ldb_message *msg, int flags,
+ const char *attr_name, const char *fmt, ...)
+{
+ struct ldb_val val;
+ va_list ap;
+ char *str = NULL;
+
+ va_start(ap, fmt);
+ str = talloc_vasprintf(msg, fmt, ap);
+ va_end(ap);
+
+ if (str == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ val.data = (uint8_t *)str;
+ val.length = strlen(str);
+
+ return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
+}
+
/*
compare two ldb_message_element structures
assumes case sensitive comparison
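Review bot: in ldb_msg_append_value_impl(), when ldb_msg_element_add_value() fails after ldb_msg_add_empty() has succeeded, the function returns the error but leaves the new empty element appended to msg. An empty element carrying the caller's flags can mean something different from "nothing added" to later processing, so the failure path should remove the element again or the comment should say that msg must be discarded on error. Separately, the WARNING on ldb_msg_append_linearized_dn() says the string is not copied, yet the body calls ldb_dn_alloc_linearized(msg, dn); the comment should be brought in line with what the code does.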
@@ -833,11 +1026,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg)
ldb_msg_element_compare_name);
}
-/*
- shallow copy a message - copying only the elements array so that the caller
- can safely add new elements without changing the message
-*/
-struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx,
const struct ldb_message *msg)
{
struct ldb_message *msg2;
@@ -863,6 +1052,35 @@ failed:
return NULL;
}
+/*
+ shallow copy a message - copying only the elements array so that the caller
+ can safely add new elements without changing the message
+*/
+struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+ const struct ldb_message *msg)
+{
+ struct ldb_message *msg2;
+ unsigned int i;
+
+ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
+ if (msg2 == NULL) {
+ return NULL;
+ }
+
+ for (i = 0; i < msg2->num_elements; ++i) {
+ /*
+ * Mark this message's elements as sharing their values with the
+ * original message, so that we don't inadvertently modify or
+ * free them. We don't mark the original message element as
+ * shared, so the original message element should not be
+ * modified or freed while the shallow copy lives.
+ */
+ struct ldb_message_element *el = &msg2->elements[i];
+ el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
+ }
+
+ return msg2;
+}
/*
copy a message, allocating new memory for all parts
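Review bot: as the new comment in ldb_msg_copy_shallow() says, only the copy's elements are marked with LDB_FLAG_INTERNAL_SHARED_VALUES, so the protection is one-directional. Adding a value to the original message still goes through the talloc_realloc() branch and can move the array the copy points at. That lifetime rule (do not modify or free the original while the shallow copy lives) belongs in the public documentation of ldb_msg_copy_shallow(), not only in a comment inside the loop. Note also that the bit is ORed into el->flags, the field that carries the LDB_FLAG_MOD_* type, so callers that compare el->flags of a shallow copy by plain equality need to mask with LDB_FLAG_MOD_TYPE() first.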
@@ -873,7 +1091,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
struct ldb_message *msg2;
unsigned int i, j;
- msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
+ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
if (msg2 == NULL) return NULL;
if (msg2->dn != NULL) {
@@ -894,6 +1112,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
goto failed;
}
--
Samba Shared Repository