[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Mon Jul 31 11:50:01 UTC 2023
The branch, master has been updated
via d23dd3e26c5 dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v()
via 78669a04589 dsdb: Add tracing to dsdb_search() similar to gendb_search_v()
via acf6d89c3e2 dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c
via 5cc861603a6 lib/util: Move DEBUG() calls in gendb_search_v to common levels and new DBG_*() pattern
via c58a714232b lib:krb5_wrap: Fix resource leak in smb_krb5_kt_seek_and_delete_old_entries
via 3ef5162dcdd auth:credentials: Fix resource leak in cli_credentials_set_from_ccache()
via 256471299ac auth:kerberos: Fix resource leak in smb_krb5_update_keytab()
via f1356805ba5 auth:kerberos: Fix resource leak in smb_krb5_get_keytab_container()
via dfc26dc494e auth:kerberos: Fix resource leak in parse_principal()
via f374da1dd91 s4:auth: Fix trailing whitespaces in kerberos_util.c
from 16eaf7fd52e gp: Cleanup some unused code
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d23dd3e26c5291a381f3576e3a864d8b697ec5ae
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 31 16:07:46 2023 +1200
dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v()
The aim of this tracing is to make it simple to follow the
requests made from the RPC server and similar to LDB now that
gendb_search_v() is no longer the dominant interface.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Jul 31 11:49:19 UTC 2023 on atb-devel-224
commit 78669a0458985175da6330c726f2da202db249ae
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 31 16:03:53 2023 +1200
dsdb: Add tracing to dsdb_search() similar to gendb_search_v()
The aim of this tracing is to make it simple to follow the
requests made from the RPC server and similar to LDB now that
gendb_search_v() is no longer the dominant interface.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit acf6d89c3e2c18784a8d0ba7c9bf0c07502ae000
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 31 16:02:25 2023 +1200
dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c
This will be useful when adding debugging to other routines.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5cc861603a6b27a5a16ea4e0201953c65c1309d9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 31 14:02:12 2023 +1200
lib/util: Move DEBUG() calls in gendb_search_v to common levels and new DBG_*() pattern
This moves success logs 6 -> 10, failure logs 4 -> 5.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit c58a714232b1c904359d623e28ac53ed6ef0f30e
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Wed Jul 26 22:37:51 2023 +0200
lib:krb5_wrap: Fix resource leak in smb_krb5_kt_seek_and_delete_old_entries
Reported by Red Hat internal covscan
leaked_storage: Variable "cursor" going out of scope leaks the storage it points to.
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3ef5162dcdd1a89497163cd361a2b61d6e1a1540
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Wed Jul 26 16:28:36 2023 +0200
auth:credentials: Fix resource leak in cli_credentials_set_from_ccache()
Reported by Red Hat internal covscan
leaked_storage: Variable "princ" going out of scope leaks the storage it points to.
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 256471299ac2c19d813f98f513ac1a444bad7fca
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Wed Jul 26 16:25:26 2023 +0200
auth:kerberos: Fix resource leak in smb_krb5_update_keytab()
Reported by Red Hat internal covscan
leaked_storage: Variable "keytab" going out of scope leaks the storage it points to.
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f1356805ba505e28b2daccd18b044b3c7255064c
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Wed Jul 26 16:28:36 2023 +0200
auth:kerberos: Fix resource leak in smb_krb5_get_keytab_container()
Reported by Red Hat internal covscan
leaked_storage: Variable "keytab" going out of scope leaks the storage it points to.
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit dfc26dc494eb9d80fe5b19b0ed41cedd0e187dbd
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Wed Jul 26 16:28:36 2023 +0200
auth:kerberos: Fix resource leak in parse_principal()
Reported by Red Hat internal covscan
leaked_storage: Variable "princ" going out of scope leaks the storage it points to.
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f374da1dd91f20b567c76e821afdbeeae8eacb98
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Wed Jul 26 16:07:12 2023 +0200
s4:auth: Fix trailing whitespaces in kerberos_util.c
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_krb5.c | 1 +
lib/krb5_wrap/krb5_samba.c | 15 ++++---
lib/util/util_ldb.c | 8 ++--
source4/auth/kerberos/kerberos_util.c | 67 +++++++++++++++++++----------
source4/auth/kerberos/srv_keytab.c | 11 ++---
source4/dsdb/common/util.c | 80 ++++++++++++++++++++++++++++++++---
source4/ldap_server/ldap_backend.c | 5 +--
7 files changed, 141 insertions(+), 46 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 796b52ea905..71863367aa5 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -261,6 +261,7 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
(*error_string) = talloc_asprintf(cred, "failed to unparse principal from ccache: %s\n",
smb_get_krb5_error_message(ccache->smb_krb5_context->krb5_context,
ret, cred));
+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
return ret;
}
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 427e4beb91a..9488fcde7e2 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1690,17 +1690,22 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
ZERO_STRUCT(cursor);
ZERO_STRUCT(kt_entry);
+ /*
+ * Start with talloc_new() and only then call krb5_kt_start_seq_get().
+ * If any of them fails, the cleanup code is simpler.
+ */
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if (ret == KRB5_KT_END || ret == ENOENT ) {
/* no entries */
+ talloc_free(tmp_ctx);
return 0;
}
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- return ENOMEM;
- }
-
DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
bool name_ok = false;
diff --git a/lib/util/util_ldb.c b/lib/util/util_ldb.c
index bf6fe996c4c..1fd54220fa1 100644
--- a/lib/util/util_ldb.c
+++ b/lib/util/util_ldb.c
@@ -56,9 +56,9 @@ int gendb_search_v(struct ldb_context *ldb,
expr?"%s":NULL, expr);
if (ret == LDB_SUCCESS) {
- DEBUG(6,("gendb_search_v: %s %s -> %d\n",
+ DBG_DEBUG("%s %s -> %d\n",
basedn?ldb_dn_get_linearized(basedn):"NULL",
- expr?expr:"NULL", res->count));
+ expr?expr:"NULL", res->count);
ret = res->count;
if (msgs != NULL) {
@@ -69,8 +69,8 @@ int gendb_search_v(struct ldb_context *ldb,
ret = 0;
if (msgs != NULL) *msgs = NULL;
} else {
- DEBUG(4,("gendb_search_v: search failed: %s\n",
- ldb_errstring(ldb)));
+ DBG_INFO("search failed: %s\n",
+ ldb_errstring(ldb));
ret = -1;
if (msgs != NULL) *msgs = NULL;
}
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index c14d8c72d8c..2dfd45dc3fe 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -1,21 +1,21 @@
-/*
+/*
Unix SMB/CIFS implementation.
Kerberos utility functions for GENSEC
-
+
Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -56,6 +56,24 @@ static krb5_error_code parse_principal(TALLOC_CTX *parent_ctx,
return 0;
}
+ /*
+ * Start with talloc(), talloc_reference() and only then call
+ * krb5_parse_name(). If any of them fails, the cleanup code is simpler.
+ */
+ mem_ctx = talloc(parent_ctx, struct principal_container);
+ if (!mem_ctx) {
+ (*error_string) = error_message(ENOMEM);
+ return ENOMEM;
+ }
+
+ mem_ctx->smb_krb5_context = talloc_reference(mem_ctx,
+ smb_krb5_context);
+ if (mem_ctx->smb_krb5_context == NULL) {
+ (*error_string) = error_message(ENOMEM);
+ talloc_free(mem_ctx);
+ return ENOMEM;
+ }
+
ret = krb5_parse_name(smb_krb5_context->krb5_context,
princ_string, princ);
@@ -63,19 +81,12 @@ static krb5_error_code parse_principal(TALLOC_CTX *parent_ctx,
(*error_string) = smb_get_krb5_error_message(
smb_krb5_context->krb5_context,
ret, parent_ctx);
+ talloc_free(mem_ctx);
return ret;
}
- mem_ctx = talloc(parent_ctx, struct principal_container);
- if (!mem_ctx) {
- (*error_string) = error_message(ENOMEM);
- return ENOMEM;
- }
-
/* This song-and-dance effectivly puts the principal
* into talloc, so we can't loose it. */
- mem_ctx->smb_krb5_context = talloc_reference(mem_ctx,
- smb_krb5_context);
mem_ctx->principal = *princ;
talloc_set_destructor(mem_ctx, free_principal);
return 0;
@@ -221,7 +232,7 @@ done:
/**
* Return a freshly allocated ccache (destroyed by destructor on child
- * of parent_ctx), for a given set of client credentials
+ * of parent_ctx), for a given set of client credentials
*/
krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
@@ -353,7 +364,7 @@ done:
return EINVAL;
} else {
/* No password available, try to use a keyblock instead */
-
+
krb5_keyblock keyblock;
const struct samr_Password *mach_pwd;
mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
@@ -368,9 +379,9 @@ done:
}
ret = smb_krb5_keyblock_init_contents(smb_krb5_context->krb5_context,
ENCTYPE_ARCFOUR_HMAC,
- mach_pwd->hash, sizeof(mach_pwd->hash),
+ mach_pwd->hash, sizeof(mach_pwd->hash),
&keyblock);
-
+
if (ret == 0) {
ret = smb_krb5_kinit_keyblock_ccache(smb_krb5_context->krb5_context,
ccache,
@@ -416,7 +427,7 @@ done:
DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
}
-
+
if (ret == KRB5KDC_ERR_PREAUTH_FAILED && cli_credentials_wrong_password(credentials)) {
ret = kinit_to_ccache(parent_ctx,
credentials,
@@ -457,6 +468,21 @@ krb5_error_code smb_krb5_get_keytab_container(TALLOC_CTX *mem_ctx,
krb5_keytab keytab;
krb5_error_code ret;
+ /*
+ * Start with talloc(), talloc_reference() and only then call
+ * krb5_kt_resolve(). If any of them fails, the cleanup code is simpler.
+ */
+ *ktc = talloc(mem_ctx, struct keytab_container);
+ if (!*ktc) {
+ return ENOMEM;
+ }
+
+ (*ktc)->smb_krb5_context = talloc_reference(*ktc, smb_krb5_context);
+ if ((*ktc)->smb_krb5_context == NULL) {
+ TALLOC_FREE(*ktc);
+ return ENOMEM;
+ }
+
if (opt_keytab) {
keytab = opt_keytab;
} else {
@@ -467,16 +493,11 @@ krb5_error_code smb_krb5_get_keytab_container(TALLOC_CTX *mem_ctx,
smb_get_krb5_error_message(
smb_krb5_context->krb5_context,
ret, mem_ctx)));
+ TALLOC_FREE(*ktc);
return ret;
}
}
- *ktc = talloc(mem_ctx, struct keytab_container);
- if (!*ktc) {
- return ENOMEM;
- }
-
- (*ktc)->smb_krb5_context = talloc_reference(*ktc, smb_krb5_context);
(*ktc)->keytab = keytab;
(*ktc)->password_based = false;
talloc_set_destructor(*ktc, free_keytab_container);
diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
index 52e1e228669..8eaa1508a3a 100644
--- a/source4/auth/kerberos/srv_keytab.c
+++ b/source4/auth/kerberos/srv_keytab.c
@@ -236,10 +236,10 @@ krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
krb5_keytab *_keytab,
const char **perror_string)
{
- krb5_keytab keytab;
+ krb5_keytab keytab = NULL;
krb5_error_code ret;
bool found_previous = false;
- TALLOC_CTX *tmp_ctx;
+ TALLOC_CTX *tmp_ctx = NULL;
krb5_principal *principals = NULL;
uint32_t num_principals = 0;
char *upper_realm;
@@ -262,15 +262,16 @@ krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
if (!tmp_ctx) {
*perror_string = talloc_strdup(parent_ctx,
"Failed to allocate memory context");
- return ENOMEM;
+ ret = ENOMEM;
+ goto done;
}
upper_realm = strupper_talloc(tmp_ctx, realm);
if (upper_realm == NULL) {
*perror_string = talloc_strdup(parent_ctx,
"Cannot allocate memory to upper case realm");
- talloc_free(tmp_ctx);
- return ENOMEM;
+ ret = ENOMEM;
+ goto done;
}
ret = smb_krb5_create_principals_array(tmp_ctx,
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 5fa9f65e247..21837710f0b 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -5277,6 +5277,27 @@ int dsdb_replace(struct ldb_context *ldb, struct ldb_message *msg, uint32_t dsdb
return dsdb_modify(ldb, msg, dsdb_flags);
}
+const char *dsdb_search_scope_as_string(enum ldb_scope scope)
+{
+ const char *scope_str;
+
+ switch (scope) {
+ case LDB_SCOPE_BASE:
+ scope_str = "BASE";
+ break;
+ case LDB_SCOPE_ONELEVEL:
+ scope_str = "ONE";
+ break;
+ case LDB_SCOPE_SUBTREE:
+ scope_str = "SUB";
+ break;
+ default:
+ scope_str = "<Invalid scope>";
+ break;
+ }
+ return scope_str;
+}
+
/*
search for attrs on one DN, allowing for dsdb_flags controls
@@ -5291,9 +5312,11 @@ int dsdb_search_dn(struct ldb_context *ldb,
int ret;
struct ldb_request *req;
struct ldb_result *res;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- res = talloc_zero(mem_ctx, struct ldb_result);
+ res = talloc_zero(tmp_ctx, struct ldb_result);
if (!res) {
+ talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
@@ -5307,13 +5330,13 @@ int dsdb_search_dn(struct ldb_context *ldb,
ldb_search_default_callback,
NULL);
if (ret != LDB_SUCCESS) {
- talloc_free(res);
+ talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_request_add_controls(req, dsdb_flags);
if (ret != LDB_SUCCESS) {
- talloc_free(res);
+ talloc_free(tmp_ctx);
return ret;
}
@@ -5324,11 +5347,26 @@ int dsdb_search_dn(struct ldb_context *ldb,
talloc_free(req);
if (ret != LDB_SUCCESS) {
- talloc_free(res);
+ DBG_INFO("flags=0x%08x %s -> %s (%s)\n",
+ dsdb_flags,
+ basedn?ldb_dn_get_extended_linearized(tmp_ctx,
+ basedn,
+ 1):"NULL",
+ ldb_errstring(ldb), ldb_strerror(ret));
+ talloc_free(tmp_ctx);
return ret;
}
- *_result = res;
+ DBG_DEBUG("flags=0x%08x %s -> %d\n",
+ dsdb_flags,
+ basedn?ldb_dn_get_extended_linearized(tmp_ctx,
+ basedn,
+ 1):"NULL",
+ res->count);
+
+ *_result = talloc_steal(mem_ctx, res);
+
+ talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
@@ -5424,17 +5462,39 @@ int dsdb_search(struct ldb_context *ldb,
}
if (ret != LDB_SUCCESS) {
+ DBG_INFO("%s flags=0x%08x %s %s -> %s (%s)\n",
+ dsdb_search_scope_as_string(scope),
+ dsdb_flags,
+ basedn?ldb_dn_get_extended_linearized(tmp_ctx,
+ basedn,
+ 1):"NULL",
+ expression?expression:"NULL",
+ ldb_errstring(ldb), ldb_strerror(ret));
talloc_free(tmp_ctx);
return ret;
}
if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
if (res->count == 0) {
+ DBG_INFO("%s SEARCH_ONE_ONLY flags=0x%08x %s %s -> %u results\n",
+ dsdb_search_scope_as_string(scope),
+ dsdb_flags,
+ basedn?ldb_dn_get_extended_linearized(tmp_ctx,
+ basedn,
+ 1):"NULL",
+ expression?expression:"NULL", res->count);
talloc_free(tmp_ctx);
ldb_reset_err_string(ldb);
return ldb_error(ldb, LDB_ERR_NO_SUCH_OBJECT, __func__);
}
if (res->count != 1) {
+ DBG_INFO("%s SEARCH_ONE_ONLY flags=0x%08x %s %s -> %u (expected 1) results\n",
+ dsdb_search_scope_as_string(scope),
+ dsdb_flags,
+ basedn?ldb_dn_get_extended_linearized(tmp_ctx,
+ basedn,
+ 1):"NULL",
+ expression?expression:"NULL", res->count);
talloc_free(tmp_ctx);
ldb_reset_err_string(ldb);
return LDB_ERR_CONSTRAINT_VIOLATION;
@@ -5442,8 +5502,16 @@ int dsdb_search(struct ldb_context *ldb,
}
*_result = talloc_steal(mem_ctx, res);
- talloc_free(tmp_ctx);
+ DBG_DEBUG("%s flags=0x%08x %s %s -> %d\n",
+ dsdb_search_scope_as_string(scope),
+ dsdb_flags,
+ basedn?ldb_dn_get_extended_linearized(tmp_ctx,
+ basedn,
+ 1):"NULL",
+ expression?expression:"NULL",
+ res->count);
+ talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index dbb9c1e7a0a..a32856506be 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -770,15 +770,12 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
switch (req->scope) {
case LDAP_SEARCH_SCOPE_BASE:
- scope_str = "BASE";
scope = LDB_SCOPE_BASE;
break;
case LDAP_SEARCH_SCOPE_SINGLE:
- scope_str = "ONE";
scope = LDB_SCOPE_ONELEVEL;
break;
case LDAP_SEARCH_SCOPE_SUB:
- scope_str = "SUB";
scope = LDB_SCOPE_SUBTREE;
break;
default:
@@ -790,6 +787,8 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
"%s. Invalid scope", errstr);
goto reply;
}
+ scope_str = dsdb_search_scope_as_string(scope);
+
DEBUG(10,("SearchRequest: scope: [%s]\n", scope_str));
if (req->num_attributes >= 1) {
--
Samba Shared Repository
More information about the samba-cvs
mailing list