mirror of
https://github.com/samba-team/samba.git
synced 2025-01-08 21:18:16 +03:00
CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
This fixes a use after free problem introduced by commit7b8e32efc3
, which has msg = current; which means the lifetime of the 'msg' memory is no longer in the scope of th caller. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit1414269dcc
) Autobuild-User(v4-16-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-16-test): Mon Dec 12 15:52:22 UTC 2022 on sn-devel-184
This commit is contained in:
parent
2736d267aa
commit
a1136ed2e0
@ -589,6 +589,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
|
|||||||
nt_status = authsam_logon_success_accounting(auth_context->sam_ctx,
|
nt_status = authsam_logon_success_accounting(auth_context->sam_ctx,
|
||||||
msg, domain_dn,
|
msg, domain_dn,
|
||||||
interactive,
|
interactive,
|
||||||
|
tmp_ctx,
|
||||||
&send_to_sam);
|
&send_to_sam);
|
||||||
|
|
||||||
if (send_to_sam != NULL) {
|
if (send_to_sam != NULL) {
|
||||||
|
@ -256,7 +256,7 @@ static void winbind_check_password_done(struct tevent_req *subreq)
|
|||||||
ctx->auth_ctx->sam_ctx, msg,
|
ctx->auth_ctx->sam_ctx, msg,
|
||||||
domain_dn,
|
domain_dn,
|
||||||
user_info->flags & USER_INFO_INTERACTIVE_LOGON,
|
user_info->flags & USER_INFO_INTERACTIVE_LOGON,
|
||||||
NULL);
|
NULL, NULL);
|
||||||
if (tevent_req_nterror(req, status)) {
|
if (tevent_req_nterror(req, status)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -1396,6 +1396,7 @@ NTSTATUS authsam_logon_success_accounting(struct ldb_context *sam_ctx,
|
|||||||
const struct ldb_message *msg,
|
const struct ldb_message *msg,
|
||||||
struct ldb_dn *domain_dn,
|
struct ldb_dn *domain_dn,
|
||||||
bool interactive_or_kerberos,
|
bool interactive_or_kerberos,
|
||||||
|
TALLOC_CTX *send_to_sam_mem_ctx,
|
||||||
struct netr_SendToSamBase **send_to_sam)
|
struct netr_SendToSamBase **send_to_sam)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
@ -1612,7 +1613,13 @@ get_transaction:
|
|||||||
if (dbBadPwdCount != 0 && send_to_sam != NULL) {
|
if (dbBadPwdCount != 0 && send_to_sam != NULL) {
|
||||||
struct netr_SendToSamBase *base_msg;
|
struct netr_SendToSamBase *base_msg;
|
||||||
struct GUID guid = samdb_result_guid(msg, "objectGUID");
|
struct GUID guid = samdb_result_guid(msg, "objectGUID");
|
||||||
base_msg = talloc_zero(msg, struct netr_SendToSamBase);
|
|
||||||
|
base_msg = talloc_zero(send_to_sam_mem_ctx,
|
||||||
|
struct netr_SendToSamBase);
|
||||||
|
if (base_msg == NULL) {
|
||||||
|
status = NT_STATUS_NO_MEMORY;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
base_msg->message_type = SendToSamResetBadPasswordCount;
|
base_msg->message_type = SendToSamResetBadPasswordCount;
|
||||||
base_msg->message_size = 16;
|
base_msg->message_size = 16;
|
||||||
|
@ -1446,7 +1446,7 @@ static void test_success_accounting_start_txn_failed(void **state) {
|
|||||||
ldb_transaction_start_ret = LDB_ERR_OPERATIONS_ERROR;
|
ldb_transaction_start_ret = LDB_ERR_OPERATIONS_ERROR;
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -1502,7 +1502,7 @@ static void test_success_accounting_reread_failed(void **state) {
|
|||||||
will_return(__wrap_dsdb_search_dn, LDB_ERR_NO_SUCH_OBJECT);
|
will_return(__wrap_dsdb_search_dn, LDB_ERR_NO_SUCH_OBJECT);
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
||||||
assert_true(transaction_cancelled);
|
assert_true(transaction_cancelled);
|
||||||
|
|
||||||
@ -1561,7 +1561,7 @@ static void test_success_accounting_ldb_msg_new_failed(void **state) {
|
|||||||
ldb_msg_new_fail = true;
|
ldb_msg_new_fail = true;
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY));
|
||||||
assert_true(transaction_cancelled);
|
assert_true(transaction_cancelled);
|
||||||
|
|
||||||
@ -1612,7 +1612,7 @@ static void test_success_accounting_samdb_rodc_failed(void **state) {
|
|||||||
samdb_rodc_ret = LDB_ERR_OPERATIONS_ERROR;
|
samdb_rodc_ret = LDB_ERR_OPERATIONS_ERROR;
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
||||||
assert_false(in_transaction);
|
assert_false(in_transaction);
|
||||||
assert_false(transaction_cancelled);
|
assert_false(transaction_cancelled);
|
||||||
@ -1675,7 +1675,7 @@ static void test_success_accounting_update_lastlogon_failed(void **state) {
|
|||||||
will_return(__wrap_samdb_msg_add_int64, LDB_ERR_OPERATIONS_ERROR);
|
will_return(__wrap_samdb_msg_add_int64, LDB_ERR_OPERATIONS_ERROR);
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY));
|
||||||
assert_true(transaction_cancelled);
|
assert_true(transaction_cancelled);
|
||||||
|
|
||||||
@ -1737,7 +1737,7 @@ static void test_success_accounting_build_mod_req_failed(void **state) {
|
|||||||
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
||||||
assert_true(transaction_cancelled);
|
assert_true(transaction_cancelled);
|
||||||
|
|
||||||
@ -1800,7 +1800,7 @@ static void test_success_accounting_add_control_failed(void **state) {
|
|||||||
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
||||||
assert_true(transaction_cancelled);
|
assert_true(transaction_cancelled);
|
||||||
|
|
||||||
@ -1863,7 +1863,7 @@ static void test_success_accounting_ldb_request_failed(void **state) {
|
|||||||
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
||||||
assert_true(transaction_cancelled);
|
assert_true(transaction_cancelled);
|
||||||
|
|
||||||
@ -1926,7 +1926,7 @@ static void test_success_accounting_ldb_wait_failed(void **state) {
|
|||||||
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
||||||
assert_true(transaction_cancelled);
|
assert_true(transaction_cancelled);
|
||||||
|
|
||||||
@ -1989,7 +1989,7 @@ static void test_success_accounting_commit_failed(void **state) {
|
|||||||
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
||||||
assert_true(in_transaction);
|
assert_true(in_transaction);
|
||||||
assert_false(transaction_cancelled);
|
assert_false(transaction_cancelled);
|
||||||
@ -2055,7 +2055,7 @@ static void test_success_accounting_rollback_failed(void **state) {
|
|||||||
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
will_return(__wrap_samdb_msg_add_int64, LDB_SUCCESS);
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_ERROR));
|
||||||
assert_true(in_transaction);
|
assert_true(in_transaction);
|
||||||
assert_false(transaction_cancelled);
|
assert_false(transaction_cancelled);
|
||||||
@ -2124,7 +2124,7 @@ static void test_success_accounting_spurious_bad_pwd_indicator(void **state) {
|
|||||||
ldb_build_mod_req_res = talloc_zero(ctx, struct ldb_request);
|
ldb_build_mod_req_res = talloc_zero(ctx, struct ldb_request);
|
||||||
|
|
||||||
status = authsam_logon_success_accounting(
|
status = authsam_logon_success_accounting(
|
||||||
ldb, msg, domain_dn, true, NULL);
|
ldb, msg, domain_dn, true, NULL, NULL);
|
||||||
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_OK));
|
assert_true(NT_STATUS_EQUAL(status, NT_STATUS_OK));
|
||||||
assert_false(in_transaction);
|
assert_false(in_transaction);
|
||||||
assert_false(transaction_cancelled);
|
assert_false(transaction_cancelled);
|
||||||
|
@ -649,7 +649,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
|
|||||||
* in the PAC here or re-calculate it.
|
* in the PAC here or re-calculate it.
|
||||||
*/
|
*/
|
||||||
status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
|
status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
|
||||||
domain_dn, true, &send_to_sam);
|
domain_dn, true, frame, &send_to_sam);
|
||||||
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
|
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
|
||||||
final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
|
final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
|
||||||
r->error_code = final_ret;
|
r->error_code = final_ret;
|
||||||
|
@ -1281,7 +1281,7 @@ out:
|
|||||||
|
|
||||||
void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
|
void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
|
||||||
{
|
{
|
||||||
struct netr_SendToSamBase *send_to_sam = NULL;
|
/* struct netr_SendToSamBase *send_to_sam = NULL; */
|
||||||
struct samba_kdc_entry *p =
|
struct samba_kdc_entry *p =
|
||||||
talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
|
talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
|
||||||
struct ldb_dn *domain_dn;
|
struct ldb_dn *domain_dn;
|
||||||
@ -1292,7 +1292,7 @@ void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
|
|||||||
p->msg,
|
p->msg,
|
||||||
domain_dn,
|
domain_dn,
|
||||||
true,
|
true,
|
||||||
&send_to_sam);
|
NULL, NULL);
|
||||||
/* TODO: RODC support */
|
/* TODO: RODC support */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user