[SCM] Samba Shared Repository - branch v4-15-test updated

Jule Anger janger at samba.org
Wed Mar 2 12:28:01 UTC 2022


The branch, v4-15-test has been updated
       via  c4b2930a837 smbd: Fix a use-after-free
       via  e19d287cef3 s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
      from  f7e31127e7f waf: re-add missing readlink test

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------
commit c4b2930a837d817f3da8c7641b1b7201383ea36c
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Feb 23 15:56:41 2022 +0100

    smbd: Fix a use-after-free
    
    stat_cache_lookup() allocates its result on top of talloc_tos().
    filename_convert_smb1_search_path() creates a talloc_stackframe(),
    which makes the names which were supposed to be allocated on the "ctx"
    parameter of filename_convert_smb1_search_path() go away too
    early. Reparent the results from stat_cache_lookup() properly.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Mar  1 20:59:55 UTC 2022 on sn-devel-184
    
    (cherry picked from commit 8c97743511e4d53f795f2469a28aabfb96da0dfa)
    
    Autobuild-User(v4-15-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-15-test): Wed Mar  2 12:27:47 UTC 2022 on sn-devel-184

commit e19d287cef39d137124295331243c019bd56438f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 25 07:40:17 2022 +0100

    s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
    
    This is most likely not a problem for the current callers,
    but it is unexpected and will likely cause problems with future
    changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f6fe86924c2ca756083d3628d5dbace0b12d06b0)

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/filename.c |  7 +++++++
 source4/auth/sam.c      | 19 ++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 56ebdd9f370..ad9a0e817ff 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -1100,6 +1100,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx,
 					  &state->name,
 					  state->smb_fname->twrp,
 					  &state->smb_fname->st);
+		/*
+		 * stat_cache_lookup() allocates on talloc_tos() even
+		 * when !found, reparent correctly
+		 */
+		talloc_steal(state->smb_fname, state->smb_fname->base_name);
+		talloc_steal(state->mem_ctx, state->dirpath);
+
 		if (found) {
 			goto done;
 		}
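
Review bot: the ownership rule stated in the new comment (stat_cache_lookup() allocates on talloc_tos() even when !found) is a contract of stat_cache_lookup() itself, yet it is documented and compensated for only at this call site in unix_convert(). Any other caller that runs under its own talloc_stackframe() is left with the same lifetime hazard. Consider documenting the rule at the definition of stat_cache_lookup(), or giving it an explicit TALLOC_CTX parameter so the results are allocated on the intended parent in the first place and the two talloc_steal() calls become unnecessary. The summary of changes also lists no test; a regression test for the path in bug 14989 would keep a later refactoring from reintroducing the early free.
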
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 93b41be3b21..8b233bab3ad 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -454,12 +454,15 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
 	user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
 	NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
 
-	info->account_name = talloc_steal(info,
-		ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
+	str = ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL);
+	info->account_name = talloc_strdup(info, str);
+	if (info->account_name == NULL) {
+		TALLOC_FREE(user_info_dc);
+		return NT_STATUS_NO_MEMORY;
+	}
 
-	info->user_principal_name = talloc_steal(info,
-		ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL));
-	if (info->user_principal_name == NULL && dns_domain_name != NULL) {
+	str = ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL);
+	if (str == NULL && dns_domain_name != NULL) {
 		info->user_principal_name = talloc_asprintf(info, "%s@%s",
 					info->account_name,
 					dns_domain_name);
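
Review bot: in the sAMAccountName block, `talloc_strdup(info, str)` returns NULL both when the allocation fails and when `str` is NULL, so a message without a sAMAccountName attribute now ends in `return NT_STATUS_NO_MEMORY`. With the removed talloc_steal() form a missing attribute left info->account_name as NULL and the function carried on, so this is a behaviour change, and the status it reports is misleading. If the attribute is required, check `str == NULL` separately and return a status that says so; if it is optional, guard the strdup with `str != NULL`, the way the userPrincipalName branch later in this change does.
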
@@ -468,6 +471,12 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
 			return NT_STATUS_NO_MEMORY;
 		}
 		info->user_principal_constructed = true;
+	} else if (str != NULL) {
+		info->user_principal_name = talloc_strdup(info, str);
+		if (info->user_principal_name == NULL) {
+			TALLOC_FREE(user_info_dc);
+			return NT_STATUS_NO_MEMORY;
+		}
 	}
 
 	info->domain_name = talloc_strdup(info, domain_name);
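
Review bot: the userPrincipalName handling now has three outcomes spread over `if (str == NULL && dns_domain_name != NULL)` and `else if (str != NULL)`, and the third one (both `str` and `dns_domain_name` NULL) falls through silently, leaving info->user_principal_name at the NULL it got from talloc_zero(). Testing `str != NULL` first and `dns_domain_name != NULL` in the else branch would read more directly, and a one-line comment that a NULL user_principal_name is intended when neither value is available would save the next reader from having to derive it. The new branch also relies on talloc_zero() for user_principal_constructed being false; that is correct, but worth stating in the same comment.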


-- 
Samba Shared Repository


