[PATCHES] s4:rpc_server/lsa: bugs...

Stefan (metze) Metzmacher metze at samba.org
Thu Dec 18 13:07:38 MST 2014


Hi,

here're some fixes for bugs triggered by FreeIPA trying to establish a
forest trust against a Samba4 AD domain.

Please review and push.

Thanks!
metze
-------------- next part --------------
From 78a3a4908de68b75bc800149925e701f707ce6f6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 15 Dec 2014 16:03:49 +0100
Subject: [PATCH 1/4] s4:rpc_server/lsa: pass the correct variable to
 setInfoTrustedDomain_base()

This requires 'struct lsa_policy_state', so we now pass it directly
instead of an opaque 'struct dcesrv_handle'.

dcesrv_lsa_SetInformationTrustedDomain() previously passed in a
'struct dcesrv_handle' holding a 'struct lsa_trusted_domain_state',
which resulted in segfaults.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/rpc_server/lsa/dcesrv_lsa.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 6c09649..40867dd 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1600,13 +1600,12 @@ static NTSTATUS update_trust_user(TALLOC_CTX *mem_ctx,
 
 
 static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
-					  struct dcesrv_handle *p_handle,
+					  struct lsa_policy_state *p_state,
 					  TALLOC_CTX *mem_ctx,
 					  struct ldb_message *dom_msg,
 					  enum lsa_TrustDomInfoEnum level,
 					  union lsa_TrustedDomainInfo *info)
 {
-	struct lsa_policy_state *p_state = p_handle->data;
 	uint32_t *posix_offset = NULL;
 	struct lsa_TrustDomainInfoInfoEx *info_ex = NULL;
 	struct lsa_TrustDomainInfoAuthInfo *auth_info = NULL;
@@ -1942,7 +1941,7 @@ static NTSTATUS dcesrv_lsa_SetInformationTrustedDomain(
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 
-	return setInfoTrustedDomain_base(dce_call, h, mem_ctx,
+	return setInfoTrustedDomain_base(dce_call, td_state->policy, mem_ctx,
 					 msgs[0], r->in.level, r->in.info);
 }
 
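Review bot: `td_state->policy` adds a dereference of `td_state` on this return path, and the hunk does not show where `td_state` is assigned or checked. If it is taken from the handle's untyped data pointer, a typed fetch such as `talloc_get_type_abort()` would turn the kind of state-type mix-up this patch fixes into an immediate, diagnosable failure instead of a wild pointer read. The body of dcesrv_lsa_SetInformationTrustedDomain() begins outside the hunk, so this may already be in place.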
@@ -2160,7 +2159,7 @@ static NTSTATUS dcesrv_lsa_SetTrustedDomainInfoByName(struct dcesrv_call_state *
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 
-	return setInfoTrustedDomain_base(dce_call, policy_handle, mem_ctx,
+	return setInfoTrustedDomain_base(dce_call, policy_state, mem_ctx,
 					 msgs[0], r->in.level, r->in.info);
 }
 
-- 
1.9.1


From 23c005d7e058fb27a220c49ff7159041e2c6b0a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 15 Dec 2014 16:33:38 +0100
Subject: [PATCH 2/4] s4:rpc_server/lsa: remove
 trustAuthIncoming/trustAuthOutgoing when the related flag is removed.

When the LSA_TRUST_DIRECTION_INBOUND or LSA_TRUST_DIRECTION_OUTBOUND flag is
cleared, we should also remove the related credentials.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/rpc_server/lsa/dcesrv_lsa.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 40867dd..e0b1b1f 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1830,28 +1830,32 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
 		}
 	}
 
-	if (add_incoming && trustAuthIncoming.data) {
+	if (add_incoming || del_incoming) {
 		ret = ldb_msg_add_empty(msg, "trustAuthIncoming",
 					LDB_FLAG_MOD_REPLACE, NULL);
 		if (ret != LDB_SUCCESS) {
 			return NT_STATUS_NO_MEMORY;
 		}
-		ret = ldb_msg_add_value(msg, "trustAuthIncoming",
-					&trustAuthIncoming, NULL);
-		if (ret != LDB_SUCCESS) {
-			return NT_STATUS_NO_MEMORY;
+		if (add_incoming && trustAuthIncoming.length != 0) {
+			ret = ldb_msg_add_value(msg, "trustAuthIncoming",
+						&trustAuthIncoming, NULL);
+			if (ret != LDB_SUCCESS) {
+				return NT_STATUS_NO_MEMORY;
+			}
 		}
 	}
-	if (add_outgoing && trustAuthOutgoing.data) {
+	if (add_outgoing && del_outgoing) {
 		ret = ldb_msg_add_empty(msg, "trustAuthOutgoing",
 					LDB_FLAG_MOD_REPLACE, NULL);
 		if (ret != LDB_SUCCESS) {
 			return NT_STATUS_NO_MEMORY;
 		}
-		ret = ldb_msg_add_value(msg, "trustAuthOutgoing",
-					&trustAuthOutgoing, NULL);
-		if (ret != LDB_SUCCESS) {
-			return NT_STATUS_NO_MEMORY;
+		if (add_outgoing && trustAuthOutgoing.length != 0) {
+			ret = ldb_msg_add_value(msg, "trustAuthOutgoing",
+						&trustAuthOutgoing, NULL);
+			if (ret != LDB_SUCCESS) {
+				return NT_STATUS_NO_MEMORY;
+			}
 		}
 	}
 
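Review bot: The outgoing branch is gated on `if (add_outgoing && del_outgoing)`, while the incoming branch just above it uses `if (add_incoming || del_incoming)`. With `&&` the block runs only when both flags are set, so clearing LSA_TRUST_DIRECTION_OUTBOUND alone would leave trustAuthOutgoing in place, and it appears that adding the direction alone would no longer store the new value either. The condition should mirror the incoming one: `if (add_outgoing || del_outgoing) {`. Stale outgoing trust credentials left in the directory are what the commit message sets out to remove. setInfoTrustedDomain_base() starts and ends outside this hunk, so how the flags are computed is not visible here.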
-- 
1.9.1


From c3431b37aae4b59b9226a7cc6ad274c7d911ec3b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 15 Dec 2014 16:37:17 +0100
Subject: [PATCH 3/4] s4:rpc_server/lsa: remove unused allow_warnings=True

We compile without warnings now.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/rpc_server/wscript_build | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index 2866257..c79c1827 100755
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -103,7 +103,6 @@ bld.SAMBA_MODULE('dcerpc_netlogon',
 
 bld.SAMBA_MODULE('dcerpc_lsarpc',
 	source='lsa/dcesrv_lsa.c lsa/lsa_init.c lsa/lsa_lookup.c',
-	allow_warnings=True,
 	autoproto='lsa/proto.h',
 	subsystem='dcerpc_server',
 	init_function='dcerpc_server_lsa_init',
-- 
1.9.1


From 9b5c73fc285adbc99b5649fa669d33577f436af9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 15 Dec 2014 16:47:50 +0100
Subject: [PATCH 4/4] s4:rpc_server/lsa: fix segfault in check_ft_info()

This is triggered by lsa_lsaRSetForestTrustInformation()
with ForestTrustInfo elements using FOREST_TRUST_TOP_LEVEL_NAME.

The nb_name variable was uninitialized and dereferenced without checking.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/rpc_server/lsa/dcesrv_lsa.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index e0b1b1f..43d7198 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -4155,6 +4155,7 @@ static NTSTATUS check_ft_info(TALLOC_CTX *mem_ctx,
 
 		nrec = &new_fti->records[new_fti_idx].record;
 		dns_name = NULL;
+		nb_name = NULL;
 		tln_conflict = false;
 		sid_conflict = false;
 		nb_conflict = false;
@@ -4233,6 +4234,7 @@ static NTSTATUS check_ft_info(TALLOC_CTX *mem_ctx,
 				sid_conflict = true;
 			}
 			if (!(trec->flags & LSA_NB_DISABLED_ADMIN) &&
+			    (nb_name != NULL) &&
 			    strcasecmp_m(trec->data.info.netbios_name.string,
 					 nb_name) == 0) {
 				nb_conflict = true;
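Review bot: The added `(nb_name != NULL)` guard has no comment saying when nb_name is legitimately NULL. Going by the commit message, that is the FOREST_TRUST_TOP_LEVEL_NAME case, where apparently no NetBIOS name is assigned for the new record. A short comment above the condition, for example `/* nb_name is only set for domain-info records; it stays NULL otherwise */`, would keep a later cleanup from dropping the check. The other operand, `trec->data.info.netbios_name.string`, is passed to strcasecmp_m() without a matching check; whether it can be NULL depends on code outside this hunk.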
-- 
1.9.1