[SCM] Samba Shared Repository - branch v4-18-test updated
Jule Anger
janger at samba.org
Fri Sep 22 21:08:01 UTC 2023
The branch, v4-18-test has been updated
via c4fd0850c5e smbd: Fix BZ15481
via 7de498a38d9 tests: Add reproducer for BZ15481
via 7b57cfb1a93 s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request
via d96cd43df01 s4:kdc: Avoid copying data if not needed
via f1b7a21a7f6 s4:kdc: Don't pass a NULL pointer into krb5_pac_add_buffer()
from f869013c616 s3: smbd: Ensure we remove any pending aio values for named pipes on forced shutdown.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test
- Log -----------------------------------------------------------------
commit c4fd0850c5e855af326913147c10dea70f8e7322
Author: Volker Lendecke <vl at samba.org>
Date: Tue Sep 19 17:44:56 2023 -0700
smbd: Fix BZ15481
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep 20 22:42:48 UTC 2023 on atb-devel-224
(cherry picked from commit 3481bbfede5127e3664bcf464a0ae3dec9247ab7)
Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Fri Sep 22 21:07:52 UTC 2023 on atb-devel-224
commit 7de498a38d93411cb4810456b6bd42e9a5ead4ce
Author: Volker Lendecke <vl at samba.org>
Date: Wed Sep 20 10:53:52 2023 -0700
tests: Add reproducer for BZ15481
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 56df75d44795582dcecb8676a0d80d6f4a46c7e9)
commit 7b57cfb1a9328072e090b5e05c9b0cb09cd2d883
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 4 13:20:34 2023 +1200
s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request
I’m not sure exactly how this check was supposed to work. But in any
case, within fast_unwrap_request() the Heimdal KDC replaces the outer
padata with the padata from the inner FAST request. Hence, this check
does not accomplish anything useful: at no point should the KDC plugin
see the outer padata.
A couple of unwanted consequences resulted from this check. One was that
a client who sent empty FX‐FAST padata within the inner FAST request
would receive the *Authentication Authority* Asserted Identity SID
instead of the *Service* Asserted Identity SID. Another consequence was
that a client could in the same manner bypass the restriction on
performing S4U2Self with an RODC‐issued TGT.
Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
Heimdal plugin API gives us nothing better to work with.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477
commit d96cd43df01ff30df6962f481ade1eca895feab5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Mar 17 09:16:17 2023 +1300
s4:kdc: Avoid copying data if not needed
krb5_pac_add_buffer() makes its own copy of the data we pass in. We
don't need to make yet another copy.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fa901e7346d36ae64a7ceab5dcf76bc210a67c93)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15476
commit f1b7a21a7f6e47377ab4f41a9741a87907438c01
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Mar 17 09:25:52 2023 +1300
s4:kdc: Don't pass a NULL pointer into krb5_pac_add_buffer()
Heimdal contains an assertion that the data pointer is not NULL. We need
to pass in a pointer to some dummy data instead.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 47ef49fd91f050ce4a79a8471b3e66c808f48752)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15476
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/libsmb-basic.py | 27 +++++++++++++++++++++++++++
source3/smbd/filename.c | 12 +++++++++++-
source4/kdc/pac-glue.c | 26 +++++++++++++++-----------
source4/kdc/wdc-samba4.c | 22 ----------------------
4 files changed, 53 insertions(+), 34 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/libsmb-basic.py b/python/samba/tests/libsmb-basic.py
index cbe7cce5bae..163c5b09ea9 100644
--- a/python/samba/tests/libsmb-basic.py
+++ b/python/samba/tests/libsmb-basic.py
@@ -215,6 +215,33 @@ class LibsmbTestCase(samba.tests.libsmb.LibsmbTests):
c1.unlink("x")
c1 = None
+ def test_gencache_pollution_bz15481(self):
+ c = libsmb.Conn(self.server_ip, "tmp", self.lp, self.creds)
+ fh = c.create("file",
+ DesiredAccess=security.SEC_STD_DELETE,
+ CreateDisposition=libsmb.FILE_CREATE)
+
+ # prime the gencache File->file
+ fh_upper = c.create("File",
+ DesiredAccess=security.SEC_FILE_READ_ATTRIBUTE,
+ CreateDisposition=libsmb.FILE_OPEN)
+ c.close(fh_upper)
+
+ c.delete_on_close(fh, 1)
+ c.close(fh)
+
+ fh = c.create("File",
+ DesiredAccess=security.SEC_STD_DELETE,
+ CreateDisposition=libsmb.FILE_CREATE)
+
+ directory = c.list("\\", "File")
+
+ c.delete_on_close(fh, 1)
+ c.close(fh)
+
+ # Without the bugfix for 15481 we get 'file' not 'File'
+ self.assertEqual(directory[0]['name'], 'File')
+
if __name__ == "__main__":
import unittest
unittest.main()
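Review bot: `directory[0]['name']` at the end of the new test indexes the listing without first checking that it is non-empty, so an empty result for the `File` mask surfaces as an IndexError rather than a readable assertion failure; add `self.assertEqual(len(directory), 1)` before it. The test name and the "prime the gencache" comment also say gencache, while the fix in source3/smbd/filename.c works on GETREALFILENAME_CACHE through memcache under `lp_stat_cache()`; naming the test after the stat cache would make its dependency on that setting obvious.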
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 98506775bce..77f5e3dee4e 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -785,6 +785,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
if (lp_stat_cache()) {
char *base_name = smb_fname_rel->base_name;
+ char *original_relname = NULL;
DATA_BLOB value = { .data = NULL };
ok = get_real_filename_cache_key(
@@ -806,7 +807,13 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
}
DO_PROFILE_INC(statcache_hits);
- TALLOC_FREE(smb_fname_rel->base_name);
+ /*
+ * For the "new filename" case we need to preserve the
+ * capitalization the client sent us, see
+ * https://bugzilla.samba.org/show_bug.cgi?id=15481
+ */
+ original_relname = smb_fname_rel->base_name;
+
smb_fname_rel->base_name = talloc_memdup(
smb_fname_rel, value.data, value.length);
if (smb_fname_rel->base_name == NULL) {
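Review bot: the `if (smb_fname_rel->base_name == NULL)` branch that closes this hunk is not touched by the patch, so when `talloc_memdup()` fails `base_name` is left NULL and `original_relname` is neither restored nor freed on that path. Now that the old name is kept instead of freed, restore it there (`smb_fname_rel->base_name = original_relname;`) before returning, so the caller never sees a name-less `smb_fname_rel`.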
@@ -824,10 +831,13 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
status = openat_pathref_fsp(dirfsp, smb_fname_rel);
if (NT_STATUS_IS_OK(status)) {
TALLOC_FREE(cache_key.data);
+ TALLOC_FREE(original_relname);
return NT_STATUS_OK;
}
memcache_delete(NULL, GETREALFILENAME_CACHE, cache_key);
+ TALLOC_FREE(smb_fname_rel->base_name);
+ smb_fname_rel->base_name = original_relname;
}
lookup:
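Review bot: the restore `smb_fname_rel->base_name = original_relname;` after `memcache_delete()` is unconditional, so it is only correct if every path that reaches it went through the assignment in the cache-hit branch; any other path would set `base_name` to NULL just before `lookup:`. Stating that invariant in a short comment, or asserting `original_relname != NULL` before the swap, would protect it against later restructuring of this block.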
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index f844b08d513..b792fbbf5aa 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1793,6 +1793,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
DATA_BLOB type_blob = data_blob_null;
uint32_t type;
+ static char null_byte = '\0';
+ const krb5_data null_data = smb_krb5_make_data(&null_byte, 0);
+
if (forced_next_type != 0) {
/*
* We need to inject possible missing types
@@ -1936,12 +1939,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
}
if (type_blob.length != 0) {
- code = smb_krb5_copy_data_contents(&type_data,
- type_blob.data,
- type_blob.length);
- if (code != 0) {
- goto done;
- }
+ type_data = smb_krb5_data_from_blob(type_blob);
+ code = krb5_pac_add_buffer(context, new_pac,
+ type, &type_data);
} else {
code = krb5_pac_get_buffer(context,
old_pac,
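Review bot: in the `type_blob.length != 0` branch `type_data` is now a non-owning view of `type_blob` (via `smb_krb5_data_from_blob()`), and that is the only reason the `smb_krb5_free_data_contents()` call had to move into the `else` branch. A one-line comment here saying that `type_data` borrows `type_blob`'s memory and must not be freed would stop someone from hoisting the free back out and freeing the blob's buffer.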
@@ -1950,13 +1950,17 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
if (code != 0) {
goto done;
}
+ /*
+ * Passing a NULL pointer into krb5_pac_add_buffer() is
+ * not allowed, so pass null_data instead if needed.
+ */
+ code = krb5_pac_add_buffer(context,
+ new_pac,
+ type,
+ (type_data.data != NULL) ? &type_data : &null_data);
+ smb_krb5_free_data_contents(context, &type_data);
}
- code = krb5_pac_add_buffer(context,
- new_pac,
- type,
- &type_data);
- smb_krb5_free_data_contents(context, &type_data);
if (code != 0) {
goto done;
}
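Review bot: the new comment says "Passing a NULL pointer into krb5_pac_add_buffer() is not allowed", but the argument is never a NULL `krb5_data *`; the condition tests `type_data.data`. Reword it to say that a `krb5_data` whose `data` member is NULL is rejected, which matches the `(type_data.data != NULL) ? &type_data : &null_data` expression and the zero-length `null_data` set up at the top of the loop body.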
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 1c10f13972f..bbc8e9154e8 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -67,7 +67,6 @@ static int samba_wdc_pac_options(astgs_request_t r, PAC_OPTIONS_FLAGS *flags)
static bool samba_wdc_is_s4u2self_req(astgs_request_t r)
{
- krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r);
const KDC_REQ *req = kdc_request_get_req(r);
const PA_DATA *pa_for_user = NULL;
@@ -75,27 +74,6 @@ static bool samba_wdc_is_s4u2self_req(astgs_request_t r)
return false;
}
- if (config->enable_fast && req->padata != NULL) {
- const PA_DATA *pa_fx_fast = NULL;
- int idx = 0;
-
- pa_fx_fast = krb5_find_padata(req->padata->val,
- req->padata->len,
- KRB5_PADATA_FX_FAST,
- &idx);
- if (pa_fx_fast != NULL) {
- /*
- * We're in the outer request
- * with KRB5_PADATA_FX_FAST
- * if fast is enabled we'll
- * process the s4u2self
- * request only in the
- * inner request.
- */
- return false;
- }
- }
-
if (req->padata != NULL) {
int idx = 0;
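Review bot: with the `KRB5_PADATA_FX_FAST` early return removed, `samba_wdc_is_s4u2self_req()` silently depends on `req->padata` already being the inner FAST padata by the time the plugin runs, as the commit message explains. That assumption deserves a comment above the remaining `if (req->padata != NULL)` block. The diffstat for this push also shows no KDC test change, so a regression test for an S4U2Self request carrying empty FX-FAST padata in the inner request should accompany it.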
--
Samba Shared Repository