[SCM] Samba Shared Repository - branch v4-18-test updated
Jule Anger
janger at samba.org
Tue Aug 8 12:57:01 UTC 2023
The branch, v4-18-test has been updated
via 1b3197ff477 dcerpc.idl: fix definitions for DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED payload
via 30f317cfb09 librpc/rpc: let dcerpc_read_ncacn_packet_next_vector() handle fragments without any payload
via f2604db12b0 s4:torture/ndr: add tests for DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
via bace04c3c5c vfs_aio_pthread: fix segfault if samba-tool ntacl get
via cf7a0c9d754 vfs_aio_pthread: don't crash without a pthreadpool
from e911424161d lib/cmdline: Also redact --newpassword in samba_cmdline_burn()
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test
- Log -----------------------------------------------------------------
commit 1b3197ff477714239eca42722cc368c366827327
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 4 14:03:43 2023 +0200
dcerpc.idl: fix definitions for DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED payload
It seems commit 259129e8f4bc8cacd1850eba3f6551134835d079 was partly just
fantasy...
Windows clients just use 16 bytes for DCERPC_PKT_CO_CANCEL and
DCERPC_PKT_ORPHANED pdus.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Aug 8 08:57:46 UTC 2023 on atb-devel-224
(cherry picked from commit 9ec22e680249cfde06fb1a0a34fcc94d1f47002d)
Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Tue Aug 8 12:56:30 UTC 2023 on atb-devel-224
commit 30f317cfb094db05abd3bd368806304be30f232b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Aug 7 16:16:27 2023 +0200
librpc/rpc: let dcerpc_read_ncacn_packet_next_vector() handle fragments without any payload
DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED don't have any payload by
default. In order to receive them via dcerpc_read_ncacn_packet_send/recv
we need to allow fragments with frag_len == DCERPC_NCACN_PAYLOAD_OFFSET.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 5c724a3e156ae734e4d187bf9639d895bb011834)
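The two commit messages above describe the same wire fact from two sides: Windows sends DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED as bare 16-byte headers, so the IDL must not expect a 4-byte `_pad` before `auth_info`, and the tstream reader must treat `frag_len == DCERPC_NCACN_PAYLOAD_OFFSET` as "fragment complete" rather than as an error. The following is an added example, not Samba code: a small parser for the connection-oriented common header plus the "how many bytes are still needed" decision, with a `legacy_pad` switch that reproduces the pre-fix IDL so the failure on a real 16-byte PDU is visible. The two sample PDUs are the byte strings from the torture vectors in this patch; the broken one (frag_length = 12) is constructed here. Names such as `bytes_still_needed` and `is_rejected` are this example's own.

```python
import struct

# Added example (not Samba code): minimal parser for the 16-byte
# connection-oriented DCERPC common header and the "is this fragment
# complete?" decision that the two patches above correct.

NCACN_HDR_LEN = 16          # what Samba calls DCERPC_NCACN_PAYLOAD_OFFSET
DCERPC_PKT_CO_CANCEL = 18
DCERPC_PKT_ORPHANED = 19
DCERPC_DREP_LE = 0x10       # drep[0] bit: integers are little-endian
PFC_FIRST, PFC_LAST, PFC_PENDING_CANCEL_OR_HDR_SIGNING = 0x01, 0x02, 0x04


class DcerpcError(ValueError):
    """Raised for fragments a receiver must reject."""


def parse_header(buf: bytes) -> dict:
    """Decode the common header; honours drep[0] for integer byte order."""
    if len(buf) < NCACN_HDR_LEN:
        raise DcerpcError("short header: %d bytes" % len(buf))
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = buf[0], buf[1], buf[2], buf[3]
    drep = bytes(buf[4:8])
    if rpc_vers != 5:
        raise DcerpcError("unsupported rpc_vers %d" % rpc_vers)
    endian = "<" if drep[0] & DCERPC_DREP_LE else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", buf[8:16])
    return {
        "rpc_vers": rpc_vers, "rpc_vers_minor": rpc_vers_minor,
        "ptype": ptype, "pfc_flags": pfc_flags, "drep": drep,
        "frag_length": frag_length, "auth_length": auth_length,
        "call_id": call_id,
    }


def bytes_still_needed(buffered: int, frag_length: int) -> int:
    """
    The decision dcerpc_read_ncacn_packet_next_vector() makes once the
    header is buffered: how many more bytes this fragment needs.
    0 means the fragment is complete (frag_length == bytes already read),
    which is the normal case for CO_CANCEL/ORPHANED from Windows.
    frag_length smaller than what is already buffered can never be valid.
    """
    if frag_length < buffered:
        raise DcerpcError("frag_length %d < %d bytes already read"
                          % (frag_length, buffered))
    return frag_length - buffered


def parse_fragment(buf: bytes, legacy_pad: bool = False) -> dict:
    """
    Parse one fragment. legacy_pad=True mimics the pre-fix IDL, which
    expected a 4-byte _pad before auth_info in CO_CANCEL/ORPHANED and so
    could not accept the 16-byte PDUs Windows actually sends.
    """
    hdr = parse_header(buf)
    remaining = bytes_still_needed(NCACN_HDR_LEN, hdr["frag_length"])
    body = bytes(buf[NCACN_HDR_LEN:NCACN_HDR_LEN + remaining])
    if len(body) != remaining:
        raise DcerpcError("fragment truncated: want %d body bytes, have %d"
                          % (remaining, len(body)))
    if hdr["ptype"] in (DCERPC_PKT_CO_CANCEL, DCERPC_PKT_ORPHANED):
        if legacy_pad:
            if len(body) < 4:
                raise DcerpcError("legacy layout needs a 4-byte _pad, body is %d bytes"
                                  % len(body))
            body = body[4:]
        hdr["auth_info"] = body      # NDR_REMAINING: whatever is left
    else:
        hdr["payload"] = body
    return hdr


def is_rejected(buf: bytes, **kw) -> bool:
    """True if parse_fragment() refuses the bytes."""
    try:
        parse_fragment(buf, **kw)
    except DcerpcError:
        return True
    return False


# Byte strings copied from the torture test vectors in this patch.
CO_CANCEL_PDU = bytes.fromhex("05001206100000001000000001000000")
ORPHANED_PDU = bytes.fromhex("05001303100000001000000008000000")
# Constructed for this example (not from the patch): same header shape
# but frag_length = 12, smaller than the header itself.
BROKEN_PDU = bytes.fromhex("05001206100000000c00000001000000")

if __name__ == "__main__":
    for name, pdu in (("co_cancel", CO_CANCEL_PDU), ("orphaned", ORPHANED_PDU)):
        print(name, parse_fragment(pdu))
    print("legacy IDL rejects 16-byte PDU:", is_rejected(CO_CANCEL_PDU, legacy_pad=True))
    print("frag_length < 16 rejected:", is_rejected(BROKEN_PDU))
```

The point to take from the `legacy_pad` branch is that the old definition did not merely mis-decode the PDU: it made a well-formed 16-byte cancel look like a truncated fragment, which is exactly the symptom the tstream reader had to be taught to accept.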
commit f2604db12b0a5da6ad3b28d4a0257ec1dd4a37fc
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 4 13:57:12 2023 +0200
s4:torture/ndr: add tests for DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
The PDUs were generated by Windows clients, and we currently fail to parse them.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit c37adb762640b7df9731d6a60edce808aa8787f8)
commit bace04c3c5c3bd3b345e2e5bf06f522745be2024
Author: Jones Syue <jonessyue at qnap.com>
Date: Wed Aug 2 09:48:40 2023 +0800
vfs_aio_pthread: fix segfault if samba-tool ntacl get
If configured as an AD DC with aio_pthread appended to 'vfs objects'[1],
running these commands would get a segfault:
1. sudo samba-tool ntacl get .
2. sudo net vfs getntacl sysvol .
gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c[2],
and the fsp->conn->sconn->client is null (0x0).
'sconn->client' memory is allocated when a new connection is accepted:
smbd_accept_connection > smbd_process > smbXsrv_client_create
While running local commands, it looks like it would not go through
smbXsrv_client_create, so the 'client' is null and a segfault might happen.
We should not dereference 'client->server_multi_channel_enabled',
if 'client' is null.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441
[1] smb.conf example, samba-4.18.5, ubuntu 22.04.2
[global]
dns forwarder = 127.0.0.53
netbios name = U22-JONES-88X1
realm = U22-JONES-88X1.X88X1.JONES
server role = active directory domain controller
workgroup = X88X1
idmap_ldb:use rfc2307 = yes
vfs objects = dfs_samba4 acl_xattr aio_pthread
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts
read only = No
[2] gdb
(gdb) run /usr/local/samba/bin/samba-tool ntacl get .
Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get .
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
at ../../source3/modules/vfs_aio_pthread.c:467
warning: Source file is more recent than executable.
467 if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) bt
at ../../source3/modules/vfs_aio_pthread.c:467
at ../../source3/smbd/pysmbd.c:320
---Type <return> to continue, or q <return> to quit---
(gdb) f
at ../../source3/modules/vfs_aio_pthread.c:467
467 if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) p fsp->conn->sconn->client
$1 = (struct smbXsrv_client *) 0x0
(gdb)
Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2)
commit cf7a0c9d754c0f5e0888fc9023e9a863e2f366a3
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue May 2 15:15:16 2023 +0200
vfs_aio_pthread: don't crash without a pthreadpool
During 'samba-tool ntacl sysvolreset' and similar.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3694f2ce6205a647eb5dab2115785fb45decaf0b)
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/dcerpc.idl | 2 -
librpc/rpc/dcerpc_util.c | 9 ++-
source3/modules/vfs_aio_pthread.c | 10 ++-
source4/torture/ndr/dcerpc.c | 148 ++++++++++++++++++++++++++++++++++++++
source4/torture/ndr/ndr.c | 1 +
source4/torture/wscript_build | 1 +
6 files changed, 166 insertions(+), 5 deletions(-)
create mode 100644 source4/torture/ndr/dcerpc.c
Changeset truncated at 500 lines:
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index bbb17f0b8c4..1850526042c 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -276,12 +276,10 @@ interface dcerpc
} dcerpc_auth3;
typedef [public] struct {
- [value(0)] uint32 _pad;
[flag(NDR_REMAINING)] DATA_BLOB auth_info;
} dcerpc_orphaned;
typedef [public] struct {
- [value(0)] uint32 _pad;
[flag(NDR_REMAINING)] DATA_BLOB auth_info;
} dcerpc_co_cancel;
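Review bot: the torture vectors added with this change cover only auth_length == 0, so nothing checks that auth_info, which is [flag(NDR_REMAINING)], now starts at offset 16 instead of 20 once a PDU actually carries an auth trailer; one vector with a non-empty auth_info for either struct would pin that down. A one-line comment on each struct saying that Windows sends these PDUs as a bare 16-byte header (the commit message's point) would also stop someone reinstating `[value(0)] uint32 _pad;` from the earlier definition.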
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index c3997eb1b19..e3c81b6194a 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -565,9 +565,14 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
ofs = state->buffer.length;
- if (frag_len < ofs) {
+ if (frag_len <= ofs) {
/*
- * something is wrong, let the caller deal with it
+ * With frag_len == ofs, we are done, this is likely
+ * a DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
+ * without any payload.
+ *
+ * Otherwise it's a broken packet and we
+ * let the caller deal with it.
*/
*_vector = NULL;
*_count = 0;
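Review bot: with `frag_len <= ofs` the complete-fragment case and the broken case (`frag_len < ofs`) now take the same exit, `*_vector = NULL; *_count = 0;`, so the comment's "let the caller deal with it" only holds if the caller separately verifies frag_len against DCERPC_NCACN_PAYLOAD_OFFSET before treating the 16-byte buffer as a whole PDU. Either name that check in the comment, or keep a distinct error return for `frag_len < ofs` so a frag_length below the header size cannot be mistaken for a payload-less CO_CANCEL/ORPHANED.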
diff --git a/source3/modules/vfs_aio_pthread.c b/source3/modules/vfs_aio_pthread.c
index 5d051b4f7da..0303ff04bc9 100644
--- a/source3/modules/vfs_aio_pthread.c
+++ b/source3/modules/vfs_aio_pthread.c
@@ -468,7 +468,15 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle,
return -1;
}
- if (fsp->conn->sconn->client->server_multi_channel_enabled) {
+ if (fsp->conn->sconn->pool == NULL) {
+ /*
+ * a threadpool is required for async support
+ */
+ aio_allow_open = false;
+ }
+
+ if (fsp->conn->sconn->client != NULL &&
+ fsp->conn->sconn->client->server_multi_channel_enabled) {
/*
* This module is not compatible with multi channel yet.
*/
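Review bot: both new guards are needed but the comments explain neither; per the two commit messages, `pool == NULL` and `client == NULL` arise on the same path (pysmbd.c via samba-tool ntacl), and a later reader could "simplify" by dropping one guard on the assumption the other covers it. Say so in the comment, e.g. `/* no pthreadpool and no smbXsrv_client when called from local tools such as samba-tool ntacl */`. The summary of changes also shows no regression test for this fix; a test that runs `samba-tool ntacl get` with aio_pthread in 'vfs objects' would catch the next such dereference.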
diff --git a/source4/torture/ndr/dcerpc.c b/source4/torture/ndr/dcerpc.c
new file mode 100644
index 00000000000..459817d4951
--- /dev/null
+++ b/source4/torture/ndr/dcerpc.c
@@ -0,0 +1,148 @@
+/*
+ Unix SMB/CIFS implementation.
+ test suite for dcerpc ndr operations
+
+ Copyright (C) Stefan Metzmacher 2023
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "torture/ndr/ndr.h"
+#include "librpc/gen_ndr/ndr_dcerpc.h"
+#include "torture/ndr/proto.h"
+
+/*
+ * ncacn_packet: struct ncacn_packet
+ * rpc_vers : 0x05 (5)
+ * rpc_vers_minor : 0x00 (0)
+ * ptype : DCERPC_PKT_CO_CANCEL (18)
+ * pfc_flags : 0x06 (6)
+ * 0: DCERPC_PFC_FLAG_FIRST
+ * 1: DCERPC_PFC_FLAG_LAST
+ * 1: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
+ * 0: DCERPC_PFC_FLAG_CONC_MPX
+ * 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
+ * 0: DCERPC_PFC_FLAG_MAYBE
+ * 0: DCERPC_PFC_FLAG_OBJECT_UUID
+ * drep: ARRAY(4)
+ * [0] : 0x10 (16)
+ * [1] : 0x00 (0)
+ * [2] : 0x00 (0)
+ * [3] : 0x00 (0)
+ * frag_length : 0x0010 (16)
+ * auth_length : 0x0000 (0)
+ * call_id : 0x00000001 (1)
+ * u : union dcerpc_payload(case 18)
+ * co_cancel: struct dcerpc_co_cancel
+ * auth_info : DATA_BLOB length=0
+ */
+static const uint8_t ncacn_packet_co_cancel_data[] = {
+ 0x05, 0x00, 0x12, 0x06, 0x10, 0x00, 0x00, 0x00,
+ 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+};
+
+static bool ncacn_packet_co_cancel_check(struct torture_context *tctx,
+ struct ncacn_packet *pkt)
+{
+ torture_assert_int_equal(tctx, pkt->rpc_vers, 5, "rpc_vers");
+ torture_assert_int_equal(tctx, pkt->rpc_vers_minor, 0, "rpc_vers_minor");
+ torture_assert_int_equal(tctx, pkt->ptype, DCERPC_PKT_CO_CANCEL, "ptype");
+ torture_assert_int_equal(tctx, pkt->pfc_flags,
+ DCERPC_PFC_FLAG_LAST |
+ DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING,
+ "pfc_flags");
+ torture_assert_int_equal(tctx, pkt->drep[0], DCERPC_DREP_LE, "drep[0]");
+ torture_assert_int_equal(tctx, pkt->drep[1], 0, "drep[1]");
+ torture_assert_int_equal(tctx, pkt->drep[2], 0, "drep[2]");
+ torture_assert_int_equal(tctx, pkt->drep[3], 0, "drep[3]");
+ torture_assert_int_equal(tctx, pkt->frag_length, 16, "frag_length");
+ torture_assert_int_equal(tctx, pkt->auth_length, 0, "auth_length");
+ torture_assert_int_equal(tctx, pkt->call_id, 1, "call_id");
+ torture_assert_int_equal(tctx, pkt->u.co_cancel.auth_info.length, 0,
+ "co_cancel.auth_info.length");
+ return true;
+}
+
+/*
+ * ncacn_packet: struct ncacn_packet
+ * rpc_vers : 0x05 (5)
+ * rpc_vers_minor : 0x00 (0)
+ * ptype : DCERPC_PKT_ORPHANED (19)
+ * pfc_flags : 0x03 (3)
+ * 1: DCERPC_PFC_FLAG_FIRST
+ * 1: DCERPC_PFC_FLAG_LAST
+ * 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
+ * 0: DCERPC_PFC_FLAG_CONC_MPX
+ * 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
+ * 0: DCERPC_PFC_FLAG_MAYBE
+ * 0: DCERPC_PFC_FLAG_OBJECT_UUID
+ * drep: ARRAY(4)
+ * [0] : 0x10 (16)
+ * [1] : 0x00 (0)
+ * [2] : 0x00 (0)
+ * [3] : 0x00 (0)
+ * frag_length : 0x0010 (16)
+ * auth_length : 0x0000 (0)
+ * call_id : 0x00000008 (8)
+ * u : union dcerpc_payload(case 19)
+ * orphaned: struct dcerpc_orphaned
+ * auth_info : DATA_BLOB length=0
+ */
+static const uint8_t ncacn_packet_orphaned_data[] = {
+ 0x05, 0x00, 0x13, 0x03, 0x10, 0x00, 0x00, 0x00,
+ 0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
+};
+
+static bool ncacn_packet_orphaned_check(struct torture_context *tctx,
+ struct ncacn_packet *pkt)
+{
+ torture_assert_int_equal(tctx, pkt->rpc_vers, 5, "rpc_vers");
+ torture_assert_int_equal(tctx, pkt->rpc_vers_minor, 0, "rpc_vers_minor");
+ torture_assert_int_equal(tctx, pkt->ptype, DCERPC_PKT_ORPHANED, "ptype");
+ torture_assert_int_equal(tctx, pkt->pfc_flags,
+ DCERPC_PFC_FLAG_FIRST|DCERPC_PFC_FLAG_LAST,
+ "pfc_flags");
+ torture_assert_int_equal(tctx, pkt->drep[0], DCERPC_DREP_LE, "drep[0]");
+ torture_assert_int_equal(tctx, pkt->drep[1], 0, "drep[1]");
+ torture_assert_int_equal(tctx, pkt->drep[2], 0, "drep[2]");
+ torture_assert_int_equal(tctx, pkt->drep[3], 0, "drep[3]");
+ torture_assert_int_equal(tctx, pkt->frag_length, 16, "frag_length");
+ torture_assert_int_equal(tctx, pkt->auth_length, 0, "auth_length");
+ torture_assert_int_equal(tctx, pkt->call_id, 8, "call_id");
+ torture_assert_int_equal(tctx, pkt->u.orphaned.auth_info.length, 0,
+ "orphaned.auth_info.length");
+ return true;
+}
+
+struct torture_suite *ndr_dcerpc_suite(TALLOC_CTX *ctx)
+{
+ struct torture_suite *suite = torture_suite_create(ctx, "dcerpc");
+ struct torture_suite *co_cancel = torture_suite_create(ctx, "co_cancel");
+ struct torture_suite *orphaned = torture_suite_create(ctx, "orphaned");
+
+ torture_suite_add_suite(suite, co_cancel);
+ torture_suite_add_ndr_pull_validate_test(co_cancel,
+ ncacn_packet,
+ ncacn_packet_co_cancel_data,
+ ncacn_packet_co_cancel_check);
+
+ torture_suite_add_suite(suite, orphaned);
+ torture_suite_add_ndr_pull_validate_test(orphaned,
+ ncacn_packet,
+ ncacn_packet_orphaned_data,
+ ncacn_packet_orphaned_check);
+
+ return suite;
+}
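Review bot: these two vectors pin down NDR pull of the 16-byte PDUs, but nothing here exercises the tstream side, dcerpc_read_ncacn_packet_next_vector(), which is the other half of this fix; feeding the same 16 bytes through dcerpc_read_ncacn_packet_send/recv would cover the `frag_len == ofs` path. A negative vector with frag_length below 16 would also document that the reader rejects it rather than accepting it as a payload-less cancel.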
diff --git a/source4/torture/ndr/ndr.c b/source4/torture/ndr/ndr.c
index 99d8f8adca4..e2a2c33ca5a 100644
--- a/source4/torture/ndr/ndr.c
+++ b/source4/torture/ndr/ndr.c
@@ -759,6 +759,7 @@ struct torture_suite *torture_local_ndr(TALLOC_CTX *mem_ctx)
{
struct torture_suite *suite = torture_suite_create(mem_ctx, "ndr");
+ torture_suite_add_suite(suite, ndr_dcerpc_suite(suite));
torture_suite_add_suite(suite, ndr_winreg_suite(suite));
torture_suite_add_suite(suite, ndr_atsvc_suite(suite));
torture_suite_add_suite(suite, ndr_lsa_suite(suite));
diff --git a/source4/torture/wscript_build b/source4/torture/wscript_build
index d870a3ab807..6bfc6aeae65 100644
--- a/source4/torture/wscript_build
+++ b/source4/torture/wscript_build
@@ -47,6 +47,7 @@ if bld.CONFIG_SET('WITH_NTVFS_FILESERVER'):
bld.SAMBA_SUBSYSTEM('TORTURE_NDR',
source='''ndr/ndr.c
+ ndr/dcerpc.c
ndr/winreg.c
ndr/atsvc.c
ndr/lsa.c
--
Samba Shared Repository