[SCM] Samba Shared Repository - branch v4-15-test updated
Jule Anger
janger at samba.org
Wed Mar 2 12:28:01 UTC 2022
The branch, v4-15-test has been updated
via c4b2930a837 smbd: Fix a use-after-free
via e19d287cef3 s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
from f7e31127e7f waf: re-add missing readlink test
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test
- Log -----------------------------------------------------------------
commit c4b2930a837d817f3da8c7641b1b7201383ea36c
Author: Volker Lendecke <vl at samba.org>
Date: Wed Feb 23 15:56:41 2022 +0100
smbd: Fix a use-after-free
stat_cache_lookup() allocates its result on top of talloc_tos().
filename_convert_smb1_search_path() creates a talloc_stackframe(),
which makes the names which were supposed to be allocated on the "ctx"
parameter of filename_convert_smb1_search_path() go away too
early. Reparent the results from stat_cache_lookup() properly.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Mar 1 20:59:55 UTC 2022 on sn-devel-184
(cherry picked from commit 8c97743511e4d53f795f2469a28aabfb96da0dfa)
Autobuild-User(v4-15-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-15-test): Wed Mar 2 12:27:47 UTC 2022 on sn-devel-184
commit e19d287cef39d137124295331243c019bd56438f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 25 07:40:17 2022 +0100
s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
This is most likely not a problem for the current callers,
but it is unexpected and will likely cause problems with future
changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f6fe86924c2ca756083d3628d5dbace0b12d06b0)
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/filename.c | 7 +++++++
source4/auth/sam.c | 19 ++++++++++++++-----
2 files changed, 21 insertions(+), 5 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 56ebdd9f370..ad9a0e817ff 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -1100,6 +1100,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx,
&state->name,
state->smb_fname->twrp,
&state->smb_fname->st);
+ /*
+ * stat_cache_lookup() allocates on talloc_tos() even
+ * when !found, reparent correctly
+ */
+ talloc_steal(state->smb_fname, state->smb_fname->base_name);
+ talloc_steal(state->mem_ctx, state->dirpath);
+
if (found) {
goto done;
}
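Review bot: the two talloc_steal() calls added after stat_cache_lookup() repair the lifetime at this call site only, so the ownership rule ("allocates on talloc_tos() even when !found") is recorded in a comment here rather than where the allocation happens. Consider documenting that contract at stat_cache_lookup() itself, or having it allocate on a caller-supplied context, so that another caller running under its own talloc_stackframe() does not reintroduce the same use-after-free. The comment would also be clearer if it named the intended parents (state->smb_fname for base_name, state->mem_ctx for dirpath), since "reparent correctly" does not say what correct is.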
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 93b41be3b21..8b233bab3ad 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -454,12 +454,15 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
- info->account_name = talloc_steal(info,
- ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
+ str = ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL);
+ info->account_name = talloc_strdup(info, str);
+ if (info->account_name == NULL) {
+ TALLOC_FREE(user_info_dc);
+ return NT_STATUS_NO_MEMORY;
+ }
- info->user_principal_name = talloc_steal(info,
- ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL));
- if (info->user_principal_name == NULL && dns_domain_name != NULL) {
+ str = ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL);
+ if (str == NULL && dns_domain_name != NULL) {
info->user_principal_name = talloc_asprintf(info, "%s@%s",
info->account_name,
dns_domain_name);
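Review bot: the new NULL check after talloc_strdup(info, str) for "sAMAccountName" cannot tell a missing attribute from an allocation failure. ldb_msg_find_attr_as_string() is called with a default of NULL, and talloc_strdup() returns NULL for a NULL source string, so a message without sAMAccountName now frees user_info_dc and returns NT_STATUS_NO_MEMORY, where the removed talloc_steal() version left account_name NULL and continued. If sAMAccountName is guaranteed to be present here, a short comment saying so would help; otherwise test str == NULL before the strdup and return a status that describes the real condition.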
@@ -468,6 +471,12 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
info->user_principal_constructed = true;
+ } else if (str != NULL) {
+ info->user_principal_name = talloc_strdup(info, str);
+ if (info->user_principal_name == NULL) {
+ TALLOC_FREE(user_info_dc);
+ return NT_STATUS_NO_MEMORY;
+ }
}
info->domain_name = talloc_strdup(info, domain_name);
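Review bot: with the added "} else if (str != NULL) {" branch there is a third, implicit case (str == NULL and dns_domain_name == NULL) in which info->user_principal_name is never assigned and stays NULL only because info came from talloc_zero(). That matches what the removed code produced, but a one-line comment stating that the field is intentionally left NULL there would make the three-way logic easier to verify. The TALLOC_FREE(user_info_dc); return NT_STATUS_NO_MEMORY; pair is now repeated for each string copy in this function, which may be worth folding into a single error path.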
--
Samba Shared Repository