[PATCH] Update masked_match in source4 to support IPv6 addresses (resend)
Jeremy Allison
jra at samba.org
Mon Nov 14 19:53:45 UTC 2016
On Fri, Nov 11, 2016 at 05:41:26PM -0600, Heath Kehoe wrote:
> On 11/11/16 15:39, Jeremy Allison wrote:
>
>
> >Slightly better version of the patch (also attached
> >to the bug report above). Splits out the first part
> >into several micro-patches so I'm not moving code
> >and re-formatting that the same time (although the
> >result is the same). Passing make test here.
> >
> >Let me know if this fixes it for you ?
> >
> >Cheers,
> >
> >Jeremy.
>
> I've built 4.5.1 and 4.3.11 using your original patch. The site
> matching is working properly; however there are DEBUG 0 messages
> "Denied connection from" appearing whenever the site is looked up,
> since samdb_client_site_name() iterates over all defined subnets
> until it finds a match. You should probably remove the DEBUGs from
> allow_access() and instead have the callers do the "denied
> connection" logging.
Created a new function allow_access_nolog() and changed the samdb_client_site_name()
code to call that. The regular allow_access() now calls allow_access_nolog() and
then logs after :-).
Can you confirm this is good for you, then I'll propose
for master and back-ports !
Cheers,
Jeremy.
-------------- next part --------------
From b9beed9ffc95ebab1e432d6c2488900f4dcbe2e2 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Fri, 11 Nov 2016 10:21:10 -0800
Subject: [PATCH 01/10] s3: lib - Fix formatting of unix_wild_match()
sub-function to README.Coding standards.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/lib/util.c | 61 ++++++++++++++++++++++++++++++++++++------------------
1 file changed, 41 insertions(+), 20 deletions(-)
diff --git a/source3/lib/util.c b/source3/lib/util.c
index bab3998..1af05cd 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1804,28 +1804,35 @@ static bool unix_do_match(const char *regexp, const char *str)
case '*':
/*
- * Look for a character matching
+ * Look for a character matching
* the one after the '*'.
*/
p++;
- if(!*p)
+ if(!*p) {
return true; /* Automatic match */
+ }
while(*str) {
- while(*str && (*p != *str))
+ while(*str && (*p != *str)) {
str++;
+ }
/*
- * Patch from weidel at multichart.de. In the case of the regexp
- * '*XX*' we want to ensure there are at least 2 'X' characters
- * in the string after the '*' for a match to be made.
+ * Patch from weidel at multichart.de.
+ * In the case of the regexp
+ * '*XX*' we want to ensure there are
+ * at least 2 'X' characters in the
+ * string after the '*' for a match to
+ * be made.
*/
{
int matchcount=0;
/*
- * Eat all the characters that match, but count how many there were.
+ * Eat all the characters that
+ * match, but count how many
+ * there were.
*/
while(*str && (*p == *str)) {
@@ -1834,54 +1841,68 @@ static bool unix_do_match(const char *regexp, const char *str)
}
/*
- * Now check that if the regexp had n identical characters that
- * matchcount had at least that many matches.
+ * Now check that if the regexp
+ * had n identical characters
+ * that matchcount had at least
+ * that many matches.
*/
- while ( *(p+1) && (*(p+1) == *p)) {
+ while (*(p+1) && (*(p+1)==*p)) {
p++;
matchcount--;
}
- if ( matchcount <= 0 )
+ if ( matchcount <= 0 ) {
return false;
+ }
}
- str--; /* We've eaten the match char after the '*' */
+ /*
+ * We've eaten the match char
+ * after the '*'
+ */
+ str--;
- if(unix_do_match(p, str))
+ if(unix_do_match(p, str)) {
return true;
+ }
- if(!*str)
+ if(!*str) {
return false;
- else
+ } else {
str++;
+ }
}
return false;
default:
- if(*str != *p)
+ if(*str != *p) {
return false;
+ }
str++;
p++;
break;
}
}
- if(!*p && !*str)
+ if(!*p && !*str) {
return true;
+ }
- if (!*p && str[0] == '.' && str[1] == 0)
+ if (!*p && str[0] == '.' && str[1] == 0) {
return true;
+ }
if (!*str && *p == '?') {
- while (*p == '?')
+ while (*p == '?') {
p++;
+ }
return(!*p);
}
- if(!*str && (*p == '*' && p[1] == '\0'))
+ if(!*str && (*p == '*' && p[1] == '\0')) {
return true;
+ }
return false;
}
--
2.8.0.rc3.226.g39d4020
From 561f978ff6eda1f6de1fefcc1c392ef74b24795e Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Fri, 11 Nov 2016 10:22:52 -0800
Subject: [PATCH 02/10] s3: util: Remove unneeded strequal() call. Convert to
simple character check.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/lib/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 1af05cd..7e3f455 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1942,7 +1942,7 @@ bool unix_wild_match(const char *pattern, const char *string)
}
}
- if (strequal(p2,"*")) {
+ if (p2[0] == '*' && p2[1] == '\0') {
TALLOC_FREE(ctx);
return true;
}
--
2.8.0.rc3.226.g39d4020
From bcf5ab857981dd48fdedc67906175b0e82058465 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Fri, 11 Nov 2016 10:24:40 -0800
Subject: [PATCH 03/10] s3: lib: Move from talloc_strdup then lower to
strlower_talloc()
Do things in one go.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/lib/util.c | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 7e3f455..6142b1d 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1920,20 +1920,12 @@ bool unix_wild_match(const char *pattern, const char *string)
char *p;
bool ret = false;
- p2 = talloc_strdup(ctx,pattern);
- s2 = talloc_strdup(ctx,string);
+ p2 = strlower_talloc(ctx,pattern);
+ s2 = strlower_talloc(ctx,string);
if (!p2 || !s2) {
TALLOC_FREE(ctx);
return false;
}
- if (!strlower_m(p2)) {
- TALLOC_FREE(ctx);
- return false;
- }
- if (!strlower_m(s2)) {
- TALLOC_FREE(ctx);
- return false;
- }
/* Remove any *? and ** from the pattern as they are meaningless */
for(p = p2; *p; p++) {
--
2.8.0.rc3.226.g39d4020
From acf29df41a7f3ff0eeff32e2641da1d7d865e1cc Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Fri, 11 Nov 2016 10:35:01 -0800
Subject: [PATCH 04/10] lib/util: Move unix_wild_match() from source3/lib/util
to lib/util/
Use top-level functions instead of source3 specific ones.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra at samba.org>
---
lib/util/unix_match.c | 183 ++++++++++++++++++++++++++++++++++++++++++++++++
lib/util/unix_match.h | 25 +++++++
lib/util/wscript_build | 2 +-
source3/include/proto.h | 2 +-
source3/lib/util.c | 159 -----------------------------------------
5 files changed, 210 insertions(+), 161 deletions(-)
create mode 100644 lib/util/unix_match.c
create mode 100644 lib/util/unix_match.h
diff --git a/lib/util/unix_match.c b/lib/util/unix_match.c
new file mode 100644
index 0000000..43112b7
--- /dev/null
+++ b/lib/util/unix_match.c
@@ -0,0 +1,183 @@
+/*
+ Unix SMB/CIFS implementation.
+ Samba utility functions
+ Copyright (C) Jeremy Allison 2001
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include <talloc.h>
+#include "lib/util/talloc_stack.h"
+#include "lib/util/charset/charset.h"
+#include "lib/util/unix_match.h"
+
+/*********************************************************
+ Recursive routine that is called by unix_wild_match.
+*********************************************************/
+
+static bool unix_do_match(const char *regexp, const char *str)
+{
+ const char *p;
+
+ for( p = regexp; *p && *str; ) {
+
+ switch(*p) {
+ case '?':
+ str++;
+ p++;
+ break;
+
+ case '*':
+
+ /*
+ * Look for a character matching
+ * the one after the '*'.
+ */
+ p++;
+ if(!*p) {
+ return true; /* Automatic match */
+ }
+ while(*str) {
+
+ while(*str && (*p != *str)) {
+ str++;
+ }
+
+ /*
+ * Patch from weidel at multichart.de.
+ * In the case of the regexp
+ * '*XX*' we want to ensure there are
+ * at least 2 'X' characters in the
+ * string after the '*' for a match to
+ * be made.
+ */
+
+ {
+ int matchcount=0;
+
+ /*
+ * Eat all the characters that
+ * match, but count how many
+ * there were.
+ */
+
+ while(*str && (*p == *str)) {
+ str++;
+ matchcount++;
+ }
+
+ /*
+ * Now check that if the regexp
+ * had n identical characters
+ * that matchcount had at least
+ * that many matches.
+ */
+
+ while (*(p+1) && (*(p+1)==*p)) {
+ p++;
+ matchcount--;
+ }
+
+ if ( matchcount <= 0 ) {
+ return false;
+ }
+ }
+
+ /*
+ * We've eaten the match char
+ * after the '*'
+ */
+ str--;
+
+ if(unix_do_match(p, str)) {
+ return true;
+ }
+
+ if(!*str) {
+ return false;
+ } else {
+ str++;
+ }
+ }
+ return false;
+
+ default:
+ if(*str != *p) {
+ return false;
+ }
+ str++;
+ p++;
+ break;
+ }
+ }
+
+ if(!*p && !*str) {
+ return true;
+ }
+
+ if (!*p && str[0] == '.' && str[1] == 0) {
+ return true;
+ }
+
+ if (!*str && *p == '?') {
+ while (*p == '?') {
+ p++;
+ }
+ return(!*p);
+ }
+
+ if(!*str && (*p == '*' && p[1] == '\0')) {
+ return true;
+ }
+
+ return false;
+}
+
+/*******************************************************************
+ Simple case insensitive interface to a UNIX wildcard matcher.
+ Returns True if match, False if not.
+*******************************************************************/
+
+bool unix_wild_match(const char *pattern, const char *string)
+{
+ TALLOC_CTX *ctx = talloc_stackframe();
+ char *p2;
+ char *s2;
+ char *p;
+ bool ret = false;
+
+ p2 = strlower_talloc(ctx,pattern);
+ s2 = strlower_talloc(ctx,string);
+ if (!p2 || !s2) {
+ TALLOC_FREE(ctx);
+ return false;
+ }
+
+ /* Remove any *? and ** from the pattern as they are meaningless */
+ for(p = p2; *p; p++) {
+ while( *p == '*' && (p[1] == '?' ||p[1] == '*')) {
+ memmove(&p[1], &p[2], strlen(&p[2])+1);
+ }
+ }
+
+ if (p2[0] == '*' && p2[1] == '\0') {
+ TALLOC_FREE(ctx);
+ return true;
+ }
+
+ ret = unix_do_match(p2, s2);
+ TALLOC_FREE(ctx);
+ return ret;
+}
diff --git a/lib/util/unix_match.h b/lib/util/unix_match.h
new file mode 100644
index 0000000..a7b6935
--- /dev/null
+++ b/lib/util/unix_match.h
@@ -0,0 +1,25 @@
+/*
+ Unix SMB/CIFS implementation.
+ Utility functions for Samba
+ Copyright (C) Jeremy Allison 2001
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _UNIX_MASK_H_
+#define _UNIX_MASK_H_
+
+bool unix_wild_match(const char *pattern, const char *string);
+
+#endif
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index 6d2ab4a..e2ae411 100755
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -120,7 +120,7 @@ else:
idtree_random.c base64.c
util_str.c util_str_common.c ms_fnmatch.c
server_id.c dprintf.c bitmap.c pidfile.c
- tevent_debug.c memcache.c''',
+ tevent_debug.c memcache.c unix_match.c''',
deps='samba-util-core DYNCONFIG close-low-fd tini tiniparser genrand',
public_deps='talloc tevent execinfo pthread LIBCRYPTO charset util_setid systemd systemd-daemon',
public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h string_wrappers.h idtree.h idtree_random.h blocking.h signal.h substitute.h fault.h genrand.h',
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 0b0a2b5..2758dc5 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -411,7 +411,7 @@ bool ms_has_wild_w(const smb_ucs2_t *s);
bool mask_match(const char *string, const char *pattern, bool is_case_sensitive);
bool mask_match_search(const char *string, const char *pattern, bool is_case_sensitive);
bool mask_match_list(const char *string, char **list, int listLen, bool is_case_sensitive);
-bool unix_wild_match(const char *pattern, const char *string);
+#include "lib/util/unix_match.h"
bool name_to_fqdn(fstring fqdn, const char *name);
uint32_t map_share_mode_to_deny_mode(uint32_t share_access, uint32_t private_options);
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 6142b1d..85cb9b3 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1785,165 +1785,6 @@ bool mask_match_list(const char *string, char **list, int listLen, bool is_case_
return False;
}
-/*********************************************************
- Recursive routine that is called by unix_wild_match.
-*********************************************************/
-
-static bool unix_do_match(const char *regexp, const char *str)
-{
- const char *p;
-
- for( p = regexp; *p && *str; ) {
-
- switch(*p) {
- case '?':
- str++;
- p++;
- break;
-
- case '*':
-
- /*
- * Look for a character matching
- * the one after the '*'.
- */
- p++;
- if(!*p) {
- return true; /* Automatic match */
- }
- while(*str) {
-
- while(*str && (*p != *str)) {
- str++;
- }
-
- /*
- * Patch from weidel at multichart.de.
- * In the case of the regexp
- * '*XX*' we want to ensure there are
- * at least 2 'X' characters in the
- * string after the '*' for a match to
- * be made.
- */
-
- {
- int matchcount=0;
-
- /*
- * Eat all the characters that
- * match, but count how many
- * there were.
- */
-
- while(*str && (*p == *str)) {
- str++;
- matchcount++;
- }
-
- /*
- * Now check that if the regexp
- * had n identical characters
- * that matchcount had at least
- * that many matches.
- */
-
- while (*(p+1) && (*(p+1)==*p)) {
- p++;
- matchcount--;
- }
-
- if ( matchcount <= 0 ) {
- return false;
- }
- }
-
- /*
- * We've eaten the match char
- * after the '*'
- */
- str--;
-
- if(unix_do_match(p, str)) {
- return true;
- }
-
- if(!*str) {
- return false;
- } else {
- str++;
- }
- }
- return false;
-
- default:
- if(*str != *p) {
- return false;
- }
- str++;
- p++;
- break;
- }
- }
-
- if(!*p && !*str) {
- return true;
- }
-
- if (!*p && str[0] == '.' && str[1] == 0) {
- return true;
- }
-
- if (!*str && *p == '?') {
- while (*p == '?') {
- p++;
- }
- return(!*p);
- }
-
- if(!*str && (*p == '*' && p[1] == '\0')) {
- return true;
- }
-
- return false;
-}
-
-/*******************************************************************
- Simple case insensitive interface to a UNIX wildcard matcher.
- Returns True if match, False if not.
-*******************************************************************/
-
-bool unix_wild_match(const char *pattern, const char *string)
-{
- TALLOC_CTX *ctx = talloc_stackframe();
- char *p2;
- char *s2;
- char *p;
- bool ret = false;
-
- p2 = strlower_talloc(ctx,pattern);
- s2 = strlower_talloc(ctx,string);
- if (!p2 || !s2) {
- TALLOC_FREE(ctx);
- return false;
- }
-
- /* Remove any *? and ** from the pattern as they are meaningless */
- for(p = p2; *p; p++) {
- while( *p == '*' && (p[1] == '?' ||p[1] == '*')) {
- memmove(&p[1], &p[2], strlen(&p[2])+1);
- }
- }
-
- if (p2[0] == '*' && p2[1] == '\0') {
- TALLOC_FREE(ctx);
- return true;
- }
-
- ret = unix_do_match(p2, s2);
- TALLOC_FREE(ctx);
- return ret;
-}
-
/**********************************************************************
Converts a name to a fully qualified domain name.
Returns true if lookup succeeded, false if not (then fqdn is set to name)
--
2.8.0.rc3.226.g39d4020
From bac0d76a07f8a9d23e1c09c58a4080b36381f312 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 10 Nov 2016 17:02:08 -0800
Subject: [PATCH 05/10] s3: lib: Change masked_match() from SMB_STRDUP macro to
underlying smb_xstrdup function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/lib/access.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/source3/lib/access.c b/source3/lib/access.c
index ad868fa..49c4f8e 100644
--- a/source3/lib/access.c
+++ b/source3/lib/access.c
@@ -13,6 +13,7 @@
#include "includes.h"
#include "../lib/util/memcache.h"
#include "lib/socket/interfaces.h"
+#include "lib/util/samba_util.h"
#define NAME_INDEX 0
#define ADDR_INDEX 1
@@ -31,14 +32,14 @@ static bool masked_match(const char *tok, const char *slash, const char *s)
if (*tok == '[') {
/* IPv6 address - remove braces. */
- tok_copy = SMB_STRDUP(tok+1);
+ tok_copy = smb_xstrdup(tok+1);
if (!tok_copy) {
return false;
}
/* Remove the terminating ']' */
tok_copy[PTR_DIFF(slash,tok)-1] = '\0';
} else {
- tok_copy = SMB_STRDUP(tok);
+ tok_copy = smb_xstrdup(tok);
if (!tok_copy) {
return false;
}
@@ -128,7 +129,7 @@ static bool string_match(const char *tok,const char *s)
DEBUG(0,("Unable to get default yp domain. "
"Try without it.\n"));
}
- if (!(hostname = SMB_STRDUP(s))) {
+ if (!(hostname = smb_xstrdup(s))) {
DEBUG(1,("out of memory for strdup!\n"));
return false;
}
--
2.8.0.rc3.226.g39d4020
From 4912275e7b8249cef67112180e2adb05c26a460b Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 10 Nov 2016 17:07:11 -0800
Subject: [PATCH 06/10] s3: lib: Use top level function strequal_m not the s3
strequal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/lib/access.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/source3/lib/access.c b/source3/lib/access.c
index 49c4f8e..2875b03 100644
--- a/source3/lib/access.c
+++ b/source3/lib/access.c
@@ -97,7 +97,7 @@ static bool string_match(const char *tok,const char *s)
if (tok[0] == '.') { /* domain: match last fields */
if ((str_len = strlen(s)) > (tok_len = strlen(tok))
- && strequal(tok, s + str_len - tok_len)) {
+ && strequal_m(tok, s + str_len - tok_len)) {
return true;
}
} else if (tok[0] == '@') { /* netgroup: look it up */
@@ -150,15 +150,15 @@ static bool string_match(const char *tok,const char *s)
DEBUG(0,("access: netgroup support is not configured\n"));
return false;
#endif
- } else if (strequal(tok, "ALL")) { /* all: match any */
+ } else if (strequal_m(tok, "ALL")) { /* all: match any */
return true;
- } else if (strequal(tok, "FAIL")) { /* fail: match any */
+ } else if (strequal_m(tok, "FAIL")) { /* fail: match any */
return true;
- } else if (strequal(tok, "LOCAL")) { /* local: no dots */
- if (strchr_m(s, '.') == 0 && !strequal(s, "unknown")) {
+ } else if (strequal_m(tok, "LOCAL")) { /* local: no dots */
+ if (strchr_m(s, '.') == 0 && !strequal_m(s, "unknown")) {
return true;
}
- } else if (strequal(tok, s)) { /* match host name or address */
+ } else if (strequal_m(tok, s)) { /* match host name or address */
return true;
} else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */
if (strncmp(tok, s, tok_len) == 0) {
@@ -236,7 +236,7 @@ bool list_match(const char **list,const void *item,
*/
for (; *list ; list++) {
- if (strequal(*list, "EXCEPT")) {
+ if (strequal_m(*list, "EXCEPT")) {
/* EXCEPT: give up */
break;
}
@@ -248,7 +248,7 @@ bool list_match(const char **list,const void *item,
/* Process exceptions to true or FAIL matches. */
if (match != false) {
- while (*list && !strequal(*list, "EXCEPT")) {
+ while (*list && !strequal_m(*list, "EXCEPT")) {
list++;
}
--
2.8.0.rc3.226.g39d4020
From f79f13eb73795a27a8948605779376e09dc6fe1a Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 10 Nov 2016 17:09:33 -0800
Subject: [PATCH 07/10] s3: lib: Replace s3 strnequal with top level
strncasecmp_m.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/lib/access.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/lib/access.c b/source3/lib/access.c
index 2875b03..5e5f43f 100644
--- a/source3/lib/access.c
+++ b/source3/lib/access.c
@@ -192,11 +192,11 @@ bool client_match(const char *tok, const void *item)
* Bug #5311 and #7383.
*/
- if (strnequal(tok_addr, "::ffff:",7)) {
+ if (strncasecmp_m(tok_addr, "::ffff:",7) == 0) {
tok_addr += 7;
}
- if (strnequal(cli_addr,"::ffff:",7)) {
+ if (strncasecmp_m(cli_addr,"::ffff:",7) == 0) {
cli_addr += 7;
}
--
2.8.0.rc3.226.g39d4020
From 95ea3386710642afc8e67c69ae5a4ce8c1a38121 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 10 Nov 2016 17:15:20 -0800
Subject: [PATCH 08/10] Move source3/lib/access.c to toplevel lib/util/access.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra at samba.org>
---
{source3/lib => lib/util}/access.c | 5 +++++
lib/util/access.h | 24 ++++++++++++++++++++++++
lib/util/wscript_build | 5 +++++
source3/include/proto.h | 10 +---------
source3/wscript_build | 3 ++-
5 files changed, 37 insertions(+), 10 deletions(-)
rename {source3/lib => lib/util}/access.c (98%)
create mode 100644 lib/util/access.h
diff --git a/source3/lib/access.c b/lib/util/access.c
similarity index 98%
rename from source3/lib/access.c
rename to lib/util/access.c
index 5e5f43f..e73f1b7 100644
--- a/source3/lib/access.c
+++ b/lib/util/access.c
@@ -14,6 +14,11 @@
#include "../lib/util/memcache.h"
#include "lib/socket/interfaces.h"
#include "lib/util/samba_util.h"
+#include "lib/util/util_net.h"
+#include "lib/util/samba_util.h"
+#include "lib/util/memory.h"
+#include "lib/util/access.h"
+#include "lib/util/unix_match.h"
#define NAME_INDEX 0
#define ADDR_INDEX 1
diff --git a/lib/util/access.h b/lib/util/access.h
new file mode 100644
index 0000000..b4dce15
--- /dev/null
+++ b/lib/util/access.h
@@ -0,0 +1,24 @@
+/*
+ This module is an adaption of code from the tcpd-1.4 package written
+ by Wietse Venema, Eindhoven University of Technology, The Netherlands.
+
+ The code is used here with permission.
+
+ The code has been considerably changed from the original. Bug reports
+ should be sent to samba-technical at lists.samba.org
+
+ Updated for IPv6 by Jeremy Allison (C) 2007.
+*/
+
+#ifndef _UTIL_ACCESS_H_
+#define _UTIL_ACCESS_H_
+
+bool client_match(const char *tok, const void *item);
+bool list_match(const char **list,const void *item,
+ bool (*match_fn)(const char *, const void *));
+bool allow_access(const char **deny_list,
+ const char **allow_list,
+ const char *cname,
+ const char *caddr);
+
+#endif
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index e2ae411..41201a5 100755
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -29,6 +29,11 @@ bld.SAMBA_SUBSYSTEM('close-low-fd',
deps='replace',
local_include=False)
+bld.SAMBA_SUBSYSTEM('access',
+ source='access.c',
+ deps='interfaces samba-util',
+ local_include=False)
+
samba_debug_add_deps = ''
samba_debug_add_inc = ''
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 2758dc5..33e3f6c 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -26,15 +26,7 @@
#include <sys/types.h>
#include <regex.h>
-/* The following definitions come from lib/access.c */
-
-bool client_match(const char *tok, const void *item);
-bool list_match(const char **list,const void *item,
- bool (*match_fn)(const char *, const void *));
-bool allow_access(const char **deny_list,
- const char **allow_list,
- const char *cname,
- const char *caddr);
+#include "lib/util/access.h"
/* The following definitions come from lib/adt_tree.c */
diff --git a/source3/wscript_build b/source3/wscript_build
index 22e1a62..d6d2be2 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -334,7 +334,7 @@ bld.SAMBA3_SUBSYSTEM('samba3core',
lib/dumpcore.c
lib/interface.c
lib/username.c
- lib/access.c lib/smbrun.c
+ lib/smbrun.c
lib/wins_srv.c
lib/substitute.c
lib/substitute_generic.c
@@ -374,6 +374,7 @@ bld.SAMBA3_SUBSYSTEM('samba3core',
messages_util
messages_dgm
talloc_report
+ access
TDB_LIB''')
bld.SAMBA3_LIBRARY('smbd_shim',
--
2.8.0.rc3.226.g39d4020
From af46feb9d2d1d73926666aa445f291b00fc30efe Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Mon, 14 Nov 2016 11:48:32 -0800
Subject: [PATCH 09/10] lib: util: Add allow_access_nolog().
Make allow_access() call allow_access_nolog(), then log.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra at samba.org>
---
lib/util/access.c | 23 ++++++++++++++++++-----
lib/util/access.h | 4 ++++
2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/lib/util/access.c b/lib/util/access.c
index e73f1b7..21156f1 100644
--- a/lib/util/access.c
+++ b/lib/util/access.c
@@ -327,8 +327,8 @@ static bool allow_access_internal(const char **deny_list,
return true;
}
-/* return true if access should be allowed */
-bool allow_access(const char **deny_list,
+/* return true if access should be allowed - doesn't print log message */
+bool allow_access_nolog(const char **deny_list,
const char **allow_list,
const char *cname,
const char *caddr)
@@ -339,11 +339,24 @@ bool allow_access(const char **deny_list,
ret = allow_access_internal(deny_list, allow_list, nc_cname, nc_caddr);
+ SAFE_FREE(nc_cname);
+ SAFE_FREE(nc_caddr);
+ return ret;
+}
+
+/* return true if access should be allowed - prints log message */
+bool allow_access(const char **deny_list,
+ const char **allow_list,
+ const char *cname,
+ const char *caddr)
+{
+ bool ret;
+
+ ret = allow_access_nolog(deny_list, allow_list, cname, caddr);
+
DEBUG(ret ? 3 : 0,
("%s connection from %s (%s)\n",
- ret ? "Allowed" : "Denied", nc_cname, nc_caddr));
+ ret ? "Allowed" : "Denied", cname, caddr));
- SAFE_FREE(nc_cname);
- SAFE_FREE(nc_caddr);
return ret;
}
diff --git a/lib/util/access.h b/lib/util/access.h
index b4dce15..73f71b6 100644
--- a/lib/util/access.h
+++ b/lib/util/access.h
@@ -16,6 +16,10 @@
bool client_match(const char *tok, const void *item);
bool list_match(const char **list,const void *item,
bool (*match_fn)(const char *, const void *));
+bool allow_access_nolog(const char **deny_list,
+ const char **allow_list,
+ const char *cname,
+ const char *caddr);
bool allow_access(const char **deny_list,
const char **allow_list,
const char *cname,
--
2.8.0.rc3.226.g39d4020
From 0b69c9b85e0ad34a7f4a8c7514bcc0c79ddae081 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 10 Nov 2016 20:33:17 -0800
Subject: [PATCH 10/10] source4: Change to use lib/util/access functions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source4/dsdb/common/util.c | 3 +-
source4/lib/socket/access.c | 237 +--------------------------------------
source4/lib/socket/socket.h | 3 -
source4/lib/socket/wscript_build | 2 +-
4 files changed, 5 insertions(+), 240 deletions(-)
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index d1396e4..8f74b45 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -46,6 +46,7 @@
#include "librpc/gen_ndr/irpc.h"
#include "libds/common/flag_mapping.h"
#include "../lib/util/util_runcmd.h"
+#include "lib/util/access.h"
/*
search the sam for the specified attributes in a specific domain, filter on
@@ -1869,7 +1870,7 @@ const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
allow_list[0] = l_subnet_name;
- if (socket_allow_access(mem_ctx, NULL, allow_list, "", ip_address)) {
+ if (allow_access_nolog(NULL, allow_list, "", ip_address)) {
sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx,
res->msgs[i],
"siteObject");
diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c
index adc8105..c019fd6 100644
--- a/source4/lib/socket/access.c
+++ b/source4/lib/socket/access.c
@@ -33,241 +33,8 @@
#include "includes.h"
#include "system/network.h"
#include "lib/socket/socket.h"
-#include "system/locale.h"
#include "lib/util/util_net.h"
-
-#define FAIL (-1)
-#define ALLONES ((uint32_t)0xFFFFFFFF)
-
-/* masked_match - match address against netnumber/netmask */
-static bool masked_match(TALLOC_CTX *mem_ctx, const char *tok, const char *slash, const char *s)
-{
- uint32_t net;
- uint32_t mask;
- uint32_t addr;
- char *tok_cpy;
-
- if ((addr = interpret_addr(s)) == INADDR_NONE)
- return false;
-
- tok_cpy = talloc_strdup(mem_ctx, tok);
- tok_cpy[PTR_DIFF(slash,tok)] = '\0';
- net = interpret_addr(tok_cpy);
- talloc_free(tok_cpy);
-
- if (strlen(slash + 1) > 2) {
- mask = interpret_addr(slash + 1);
- } else {
- mask = (uint32_t)((ALLONES >> atoi(slash + 1)) ^ ALLONES);
- /* convert to network byte order */
- mask = htonl(mask);
- }
-
- if (net == INADDR_NONE || mask == INADDR_NONE) {
- DEBUG(0,("access: bad net/mask access control: %s\n", tok));
- return false;
- }
-
- return (addr & mask) == (net & mask);
-}
-
-/* string_match - match string against token */
-static bool string_match(TALLOC_CTX *mem_ctx, const char *tok,const char *s, char *invalid_char)
-{
- size_t tok_len;
- size_t str_len;
- const char *cut;
-
- *invalid_char = '\0';
-
- /* Return true if a token has the magic value "ALL". Return
- * FAIL if the token is "FAIL". If the token starts with a "."
- * (domain name), return true if it matches the last fields of
- * the string. If the token has the magic value "LOCAL",
- * return true if the string does not contain a "."
- * character. If the token ends on a "." (network number),
- * return true if it matches the first fields of the
- * string. If the token begins with a "@" (netgroup name),
- * return true if the string is a (host) member of the
- * netgroup. Return true if the token fully matches the
- * string. If the token is a netnumber/netmask pair, return
- * true if the address is a member of the specified subnet.
- */
-
- if (tok[0] == '.') { /* domain: match last fields */
- if ((str_len = strlen(s)) > (tok_len = strlen(tok))
- && strcasecmp(tok, s + str_len - tok_len)==0) {
- return true;
- }
- } else if (tok[0] == '@') { /* netgroup: look it up */
- DEBUG(0,("access: netgroup support is not available\n"));
- return false;
- } else if (strcmp(tok, "ALL")==0) { /* all: match any */
- return true;
- } else if (strcmp(tok, "FAIL")==0) { /* fail: match any */
- return FAIL;
- } else if (strcmp(tok, "LOCAL")==0) { /* local: no dots */
- if (strchr(s, '.') == 0 && strcasecmp(s, "unknown") != 0) {
- return true;
- }
- } else if (strcasecmp(tok, s)==0) { /* match host name or address */
- return true;
- } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */
- if (strncmp(tok, s, tok_len) == 0)
- return true;
- } else if ((cut = strchr(tok, '/')) != 0) { /* netnumber/netmask */
- if (isdigit((int)s[0]) && masked_match(mem_ctx, tok, cut, s))
- return true;
- } else if (strchr(tok, '*') != 0) {
- *invalid_char = '*';
- } else if (strchr(tok, '?') != 0) {
- *invalid_char = '?';
- }
- return false;
-}
-
-struct client_addr {
- const char *cname;
- const char *caddr;
-};
-
-/* client_match - match host name and address against token */
-static bool client_match(TALLOC_CTX *mem_ctx, const char *tok, struct client_addr *client)
-{
- bool match;
- char invalid_char = '\0';
-
- /*
- * Try to match the address first. If that fails, try to match the host
- * name if available.
- */
-
- if ((match = string_match(mem_ctx, tok, client->caddr, &invalid_char)) == 0) {
- if(invalid_char)
- DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
-token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
-
- if (client->cname[0] != 0)
- match = string_match(mem_ctx, tok, client->cname, &invalid_char);
-
- if(invalid_char)
- DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \
-token '%s' in an allow/deny hosts line.\n", invalid_char, tok ));
- }
-
- return (match);
-}
-
-/* list_match - match an item against a list of tokens with exceptions */
-static bool list_match(TALLOC_CTX *mem_ctx, const char **list, struct client_addr *client)
-{
- bool match = false;
-
- if (!list)
- return false;
-
- /*
- * Process tokens one at a time. We have exhausted all possible matches
- * when we reach an "EXCEPT" token or the end of the list. If we do find
- * a match, look for an "EXCEPT" list and recurse to determine whether
- * the match is affected by any exceptions.
- */
-
- for (; *list ; list++) {
- if (strcmp(*list, "EXCEPT")==0) /* EXCEPT: give up */
- break;
- if ((match = client_match(mem_ctx, *list, client))) /* true or FAIL */
- break;
- }
-
- /* Process exceptions to true or FAIL matches. */
- if (match != false) {
- while (*list && strcmp(*list, "EXCEPT")!=0)
- list++;
-
- for (; *list; list++) {
- if (client_match(mem_ctx, *list, client)) /* Exception Found */
- return false;
- }
- }
-
- return match;
-}
-
-/* return true if access should be allowed */
-static bool allow_access_internal(TALLOC_CTX *mem_ctx,
- const char **deny_list,const char **allow_list,
- const char *cname, const char *caddr)
-{
- struct client_addr client;
-
- client.cname = cname;
- client.caddr = caddr;
-
- /* if it is loopback then always allow unless specifically denied */
- if (strcmp(caddr, "127.0.0.1") == 0) {
- /*
- * If 127.0.0.1 matches both allow and deny then allow.
- * Patch from Steve Langasek vorlon at netexpress.net.
- */
- if (deny_list &&
- list_match(mem_ctx, deny_list, &client) &&
- (!allow_list ||
- !list_match(mem_ctx, allow_list, &client))) {
- return false;
- }
- return true;
- }
-
- /* if theres no deny list and no allow list then allow access */
- if ((!deny_list || *deny_list == 0) &&
- (!allow_list || *allow_list == 0)) {
- return true;
- }
-
- /* if there is an allow list but no deny list then allow only hosts
- on the allow list */
- if (!deny_list || *deny_list == 0)
- return list_match(mem_ctx, allow_list, &client);
-
- /* if theres a deny list but no allow list then allow
- all hosts not on the deny list */
- if (!allow_list || *allow_list == 0)
- return !list_match(mem_ctx, deny_list, &client);
-
- /* if there are both types of list then allow all hosts on the
- allow list */
- if (list_match(mem_ctx, allow_list, &client))
- return true;
-
- /* if there are both types of list and it's not on the allow then
- allow it if its not on the deny */
- if (list_match(mem_ctx, deny_list, &client))
- return false;
-
- return true;
-}
-
-/* return true if access should be allowed */
-bool socket_allow_access(TALLOC_CTX *mem_ctx,
- const char **deny_list, const char **allow_list,
- const char *cname, const char *caddr)
-{
- bool ret;
- char *nc_cname = talloc_strdup(mem_ctx, cname);
- char *nc_caddr = talloc_strdup(mem_ctx, caddr);
-
- if (!nc_cname || !nc_caddr) {
- return false;
- }
-
- ret = allow_access_internal(mem_ctx, deny_list, allow_list, nc_cname, nc_caddr);
-
- talloc_free(nc_cname);
- talloc_free(nc_caddr);
-
- return ret;
-}
+#include "lib/util/access.h"
/* return true if the char* contains ip addrs only. Used to avoid
gethostbyaddr() calls */
@@ -346,7 +113,7 @@ bool socket_check_access(struct socket_context *sock,
return false;
}
- ret = socket_allow_access(mem_ctx, deny_list, allow_list, name, addr->addr);
+ ret = allow_access(deny_list, allow_list, name, addr->addr);
if (ret) {
DEBUG(2,("socket_check_access: Allowed connection to '%s' from %s (%s)\n",
diff --git a/source4/lib/socket/socket.h b/source4/lib/socket/socket.h
index 403a723..50a20d9 100644
--- a/source4/lib/socket/socket.h
+++ b/source4/lib/socket/socket.h
@@ -183,9 +183,6 @@ _PUBLIC_ void socket_address_set_port(struct socket_address *a,
struct socket_address *socket_address_copy(TALLOC_CTX *mem_ctx,
const struct socket_address *oaddr);
const struct socket_ops *socket_getops_byname(const char *name, enum socket_type type);
-bool socket_allow_access(TALLOC_CTX *mem_ctx,
- const char **deny_list, const char **allow_list,
- const char *cname, const char *caddr);
bool socket_check_access(struct socket_context *sock,
const char *service_name,
const char **allow_list, const char **deny_list);
diff --git a/source4/lib/socket/wscript_build b/source4/lib/socket/wscript_build
index 1cb89c6..e243824 100644
--- a/source4/lib/socket/wscript_build
+++ b/source4/lib/socket/wscript_build
@@ -24,6 +24,6 @@ bld.SAMBA_MODULE('socket_unix',
bld.SAMBA_SUBSYSTEM('samba_socket',
source='socket.c access.c connect_multi.c connect.c',
public_deps='talloc LIBTSOCKET',
- deps='cli_composite LIBCLI_RESOLVE socket_ip socket_unix'
+ deps='cli_composite LIBCLI_RESOLVE socket_ip socket_unix access'
)
--
2.8.0.rc3.226.g39d4020
More information about the samba-technical
mailing list