1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

129124 Commits

Author SHA1 Message Date
Jule Anger
620698353b WHATSNEW: Add release notes for Samba 4.16.6.
Signed-off-by: Jule Anger <janger@samba.org>
2022-10-24 12:26:09 +02:00
Joseph Sutton
5c31d5beb3 CVE-2022-3437 third_party/heimdal: Pass correct length to _gssapi_verify_pad()
We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.

Now we properly constrain the value of padlength so underflow shouldn't
be possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
22dd9072c9 CVE-2022-3437 third_party/heimdal: Check for overflow in _gsskrb5_get_mech()
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
d16ac1f405 CVE-2022-3437 third_party/heimdal: Check buffer length against overflow for DES{,3} unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
de77f01598 CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()
We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
e1c2e2836e CVE-2022-3437 third_party/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()
By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.

In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.

That would be undefined behaviour.

The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
c944773adc CVE-2022-3437 third_party/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
9ca9408c5e CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() in unwrap_des3()
The surrounding checks all use ct_memcmp(), so this one was presumably
meant to as well.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
e3c314ed69 CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() for arcfour unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
03eefa45d3 CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
c5dd87f488 CVE-2022-3437 third_party/heimdal_build: Add gssapi-subsystem subsystem
This allows us to access (and so test) functions internal to GSSAPI by
depending on this subsystem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
0eaa68d193 CVE-2022-3437 third_party/heimdal: Remove __func__ compatibility workaround
As described by the C standard, __func__ is a variable, not a macro.
Hence this #ifndef check does not work as intended, and only serves to
unconditionally disable __func__. A nonoperating __func__ prevents
cmocka operating correctly, so remove this definition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Stefan Metzmacher
c28d971b12 s4:messaging: let imessaging_client_init() use imessaging_init_discard_incoming()
imessaging_client_init() is for temporary stuff only, so we should drop
(unexpected) incoming messages unless we expect irpc responses.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct 13 13:32:30 UTC 2022 on sn-devel-184

(cherry picked from commit 266bcedc18)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Oct 19 09:45:53 UTC 2022 on sn-devel-184
2022-10-19 09:45:53 +00:00
Stefan Metzmacher
04d0d5a036 s3:auth_samba4: make use of imessaging_init_discard_incoming()
Otherwise we'll generate a memory leak of imessaging_post_state/
tevent_immediate structures per incoming message!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 32df5e4961)
2022-10-19 08:39:17 +00:00
Stefan Metzmacher
6ba44033e3 s4:messaging: add imessaging_init_discard_incoming()
We often create imessaging contexts just for sending messages,
but we'll never process incoming messages because a temporary event
context was used and we just queue a lot of imessaging_post_state
structures with immediate events.

With imessaging_init_discard_incoming() we'll discard any incoming messages
unless we have pending irpc requests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a120fb1c72)
2022-10-19 08:39:17 +00:00
Noel Power
4d7e31b981 s3/utils: check result of talloc_strdup
follow to commit 4b15d8c2a5

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct 17 19:49:37 UTC 2022 on sn-devel-184

(cherry picked from commit 0326549a05)
2022-10-19 08:39:17 +00:00
Noel Power
9a18da112c s3/utils: Check return of talloc_strdup
followup to e82699fcca

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 972127dadd)
2022-10-19 08:39:17 +00:00
Noel Power
e69d2b3f9d s3/param: Check return of talloc_strdup
followup to commit ff003fc87b

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 19eb88bc53)
2022-10-19 08:39:17 +00:00
Noel Power
7480f9c01d s4/lib/registry: Fix use after free with popt 1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==6357== Command: ./bin/regpatch file
==6357==
Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it
==6357== Syscall param openat(filename) points to unaddressable byte(s)
==6357==    at 0x4BFE535: open (in /usr/lib64/libc.so.6)
==6357==    by 0x4861432: reg_diff_load (patchfile.c:345)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
Error reading registry patch file `file'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184

(cherry picked from commit 7e0e3f47cd)
2022-10-19 08:39:17 +00:00
Noel Power
5383d625cb s3/utils: Fix use after free with popt 1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==6055== Command: ./bin/testparm /etc/samba/smb.conf
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4C44DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4C44DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab72 is 2 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
Load smb config files from /etc/samba/smb.conf
==6055== Invalid read of size 1
==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 8
==6055==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 2
==6055==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 8
==6055==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 2
==6055==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4b15d8c2a5)
2022-10-19 08:39:17 +00:00
Noel Power
4b35fa3f85 s3/utils: Fix use after free with popt 1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==5914== Invalid read of size 1
==5914==    at 0x4FDF740: strlcpy (in /usr/lib64/libbsd.so.0.11.6)
==5914==    by 0x49E09A9: tdbsam_getsampwnam (pdb_tdb.c:583)
==5914==    by 0x49D94E5: pdb_getsampwnam (pdb_interface.c:340)
==5914==    by 0x10DED1: print_user_info (pdbedit.c:372)
==5914==    by 0x111413: main (pdbedit.c:1324)
==5914==  Address 0x73b6750 is 0 bytes inside a block of size 7 free'd
==5914==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5914==    by 0x4C508B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5914==    by 0x4C515D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5914==    by 0x1113E6: main (pdbedit.c:1323)
==5914==  Block was alloc'd at
==5914==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5914==    by 0x4C522EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5914==    by 0x110AE5: main (pdbedit.c:1137)
==5914==

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e82699fcca)
2022-10-19 08:39:17 +00:00
Noel Power
1efcc10c9d s3/utils: Add missing poptFreeContext
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 31d3d10b26)
2022-10-19 08:39:17 +00:00
Noel Power
da11c48d9b s3/param: Fix use after free with popt-1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==5325== Invalid read of size 1
==5325==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 8
==5325==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 2
==5325==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 8
==5325==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 2
==5325==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ff003fc87b)
2022-10-19 08:39:17 +00:00
Noel Power
0503e0df3b s3/rpcclient: Duplicate string returned from poptGetArg
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==4407== Invalid read of size 1
==4407==    at 0x146263: main (rpcclient.c:1262)
==4407==  Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x146227: main (rpcclient.c:1251)
==4407==  Block was alloc'd at
==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407==    at 0x14627D: main (rpcclient.c:1263)
==4407==  Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x146227: main (rpcclient.c:1251)
==4407==  Block was alloc'd at
==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x4980E1C: talloc_strdup (talloc.c:2470)
==4407==    by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407==    by 0x1462B1: main (rpcclient.c:1267)
==4407==  Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x146227: main (rpcclient.c:1251)
==4407==  Block was alloc'd at
==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x4980E1C: talloc_strdup (talloc.c:2470)
==4407==    by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407==    by 0x1462B1: main (rpcclient.c:1267)
==4407==  Address 0x7b67cd1 is 1 bytes inside a block of size 10 free'd
==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x146227: main (rpcclient.c:1251)
==4407==  Block was alloc'd at
==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 8
==4407==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x4980DC2: __talloc_strlendup (talloc.c:2457)
==4407==    by 0x4980E32: talloc_strdup (talloc.c:2470)
==4407==    by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407==    by 0x1462B1: main (rpcclient.c:1267)
==4407==  Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x146227: main (rpcclient.c:1251)
==4407==  Block was alloc'd at
==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x4980DC2: __talloc_strlendup (talloc.c:2457)
==4407==    by 0x4980E32: talloc_strdup (talloc.c:2470)
==4407==    by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407==    by 0x1462B1: main (rpcclient.c:1267)
==4407==  Address 0x7b67cd8 is 8 bytes inside a block of size 10 free'd
==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x146227: main (rpcclient.c:1251)
==4407==  Block was alloc'd at
==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407==    by 0x1461BC: main (rpcclient.c:1219)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit d26d3d9bff)
2022-10-19 08:39:17 +00:00
Ralph Boehme
3e0ce4513b vfs_fruit: add missing calls to tevent_req_received()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit a7fba3ff59)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Oct 18 09:41:37 UTC 2022 on sn-devel-184
2022-10-18 09:41:37 +00:00
Jeremy Allison
6c7af40558 s3: VFS: fruit. Implement fsync_send()/fsync_recv().
For type == ADOUBLE_META, fio->fake_fd is true so
writes are already synchronous, just call tevent_req_post().

For type == ADOUBLE_RSRC we know we are configured
with FRUIT_RSRC_ADFILE (because fruit_must_handle_aio_stream()
returned true), so we can just call SMB_VFS_NEXT_FSYNC_SEND()
after replacing fsp with fio->ad_fsp.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit 35c637f2e6)
2022-10-18 08:34:18 +00:00
Jeremy Allison
24bc377a0e s4: smbtorture: Add fsync_resource_fork test to fruit tests.
This shows we currently hang when sending an SMB2_OP_FLUSH on
an AFP_Resource fork.

Adds knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit 1b8a873284)
2022-10-18 08:34:18 +00:00
Stefan Metzmacher
b3e8e8185f smbXsrv_client: handle NAME_NOT_FOUND from smb2srv_client_connection_{pass,drop}()
If we get NT_STATUS_OBJECT_NOT_FOUND from smb2srv_client_connection_{pass,drop}()
we should just keep the connection and overwrite the stale record in
smbXsrv_client_global.tdb. It's basically a race with serverid_exists()
and a process that doesn't cleanly teardown.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 5d66d5b84f)
2022-10-18 08:34:18 +00:00
Stefan Metzmacher
0fa03f112f smbXsrv_client: make sure we only wait for smb2srv_client_mc_negprot_filter once and only when needed
This will simplify the following changes...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8c8d8cf01e)
2022-10-18 08:34:18 +00:00
Stefan Metzmacher
935f1ec476 smbXsrv_client: call smb2srv_client_connection_{pass,drop}() before dbwrap_watched_watch_send()
dbwrap_watched_watch_send() should typically be the last thing to call
before the db record is unlocked, as it's not that easy to undo.

In future we want to recover from smb2srv_client_connection_{pass,drop}()
returning NT_STATUS_OBJECT_NAME_NOT_FOUND and it would add complexity if
would need to undo dbwrap_watched_watch_send() at that point.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 56c597bc2b)
2022-10-18 08:34:17 +00:00
Stefan Metzmacher
68a233322b smbXsrv_client: fix a debug message in smbXsrv_client_global_verify_record()
DBG_WARNING() already adds the function name as prefix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit acb3d821de)
2022-10-18 08:34:17 +00:00
Stefan Metzmacher
f806366dd4 smbXsrv_client: ignore NAME_NOT_FOUND from smb2srv_client_connection_passed
If we hit a race, when a client disconnects the connection after the initial
SMB2 Negotiate request, before the connection is completely passed to
process serving the given client guid, the temporary smbd which accepted the
new connection may already detected the disconnect and exitted before
the long term smbd servicing the client guid was able to send the
MSG_SMBXSRV_CONNECTION_PASSED message.

The result was a log message like this:

  smbXsrv_client_connection_pass_loop: smb2srv_client_connection_passed() failed => NT_STATUS_OBJECT_NAME_NOT_FOUND

and all connections belonging to the client guid were dropped,
because we called exit_server_cleanly().

Now we ignore NT_STATUS_OBJECT_NAME_NOT_FOUND from
smb2srv_client_connection_passed() and let the normal
event loop detect the broken connection, so that only
that connection is terminated (not the whole smbd process).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 636ec45c93)
2022-10-18 08:34:17 +00:00
Stefan Metzmacher
52dd57d4b3 smbXsrv_client: notify a different node to drop a connection by client guid.
If a client disconnected all its interfaces and reconnects when
the come back, it will likely start from any ip address returned
dns, which means it can try to connect to a different ctdb node.
The old node may not have noticed the disconnect and still holds
the client_guid based smbd.

Up unil now the new node returned NT_STATUS_NOT_SUPPORTED to
the SMB2 Negotiate request, as messaging_send_iov[_from]() will
return -1/ENOSYS if a file descriptor os passed to a process on
a different node.

Now we tell the other node to teardown all client connections
belonging to the client-guid.

Note that this is not authenticated, but if an attacker can
capture the client-guid, he can also inject TCP resets anyway,
to get the same effect.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15159

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep  2 20:59:15 UTC 2022 on sn-devel-184

(cherry picked from commit 8591d94243)
2022-10-18 08:34:17 +00:00
Stefan Metzmacher
ada5ef9d84 smbXsrv_client: correctly check in negotiate_request.length smbXsrv_client_connection_pass[ed]_*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15159

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 21ef01e7b8)
2022-10-18 08:34:17 +00:00
Andrew Bartlett
1a4d3a2db7 python-drs: Add client-side debug and fallback for GET_ANC
Samba 4.5 and earlier will fail to do GET_ANC correctly and will not
replicate non-critical parents of objects with isCriticalSystemObject=TRUE
when DRSUAPI_DRS_CRITICAL_ONLY is set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit bff2bc9c7d)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Fri Oct  7 09:56:12 UTC 2022 on sn-devel-184
2022-10-07 09:56:12 +00:00
Andrew Bartlett
0a8330ab7d s4-libnet: Add messages to object count mismatch failures
This helps explain these better than WERR_GEN_FAILURE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 483c48f52d)
2022-10-07 08:45:15 +00:00
Andrew Bartlett
584a4c0057 selftest: Enable "old Samba" mode regarding GET_ANC/GET_TGT
The chgdcpass server now emulates older verions of Samba that
fail to implement DRSUAPI_DRS_GET_ANC correctly and totally fails to support
DRSUAPI_DRS_GET_TGT.

We now show this is in effect by the fact that tests now fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit b0bbc94d41)
2022-10-07 08:45:15 +00:00
Andrew Bartlett
a0e0c7e989 s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT
This emulates older verions of Samba that fail to implement
DRSUAPI_DRS_GET_ANC correctly and totally fails to support
DRSUAPI_DRS_GET_TGT.

This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 314bc44fa9)
2022-10-07 08:45:15 +00:00
Andrew Bartlett
997b8f8341 selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs clone-dc-database
This test, compared with the direct to RPC tests, will succeed, then fail once the
server is changed to emulate Samba 4.5 and and again succeed once the python code
changes to allow skipping the DRSUAPI_DRS_CRITICAL_ONLY step

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7ff743d65d)
2022-10-07 08:45:15 +00:00
Andrew Bartlett
2d2156b01d selftest: Prepare for "old Samba" mode regarding getncchanges GET_ANC/GET_TGT
The chgdcpass environment will emulate older verions of Samba
that fail to implement DRSUAPI_DRS_GET_ANC correctly and
totally fails to support DRSUAPI_DRS_GET_TGT.

This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 62b426243f)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
dd2c5f9698 pytest/samba_tool_drs_no_dns: use TestCaseInTempDir.rm_files/.rm_dirs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 24f7d71416)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
42b5bfa68e pytest/samba_tool_drs: use TestCaseInTempDir.rm_files/.rm_dirs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 3f0aab45c8)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
6a6db20068 pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 251360d6e5)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
fba1864d7a pytest/join: use TestCaseInTempDir.rm_files/dirs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 7455c53fa4)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
6e217c047d pytest/samdb_api: use TestCaseInTempDir.rm_files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 4e3dabad0b)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
70de610892 pytest/downgradedatabase: use TestCaseInTempDir.rm_files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 85bc1552e3)
2022-10-07 08:45:15 +00:00
Douglas Bagnall
2003f7cf74 pytest: add file removal helpers for TestCaseInTempDir
In several places we end a test by deleting a number of files and
directories, but we do it rather haphazardly with unintentionally
differing error handling. For example, in some tests we currently have
something like:

        try:
            shutil.rmtree(os.path.join(self.tempdir, "a"))
            os.remove(os.path.join(self.tempdir, "b"))
            shutil.rmtree(os.path.join(self.tempdir, "c"))
        except Exception:
            pass

where if, for example, the removal of "b" fails, the removal of "c" will
not be attempted. That will result in the tearDown method raising an
exception, and we're no better off. If the above code is replaced with

        self.rm_files('b')
        self.rm_dirs('a', 'c')

the failure to remove 'b' will cause a test error, *unless* the failure
was due to a FileNotFoundError (a.k.a. an OSError with errno ENOENT),
in which case we ignore it, as was probably the original intention.

If on the other hand, we have

        self.rm_files('b', must_exist=True)
        self.rm_dirs('a', 'c')

then the FileNotFoundError causes a failure (not an error).

We take a little bit of care to stay within self.tempdir, to protect
test authors who accidentally write something like `self.rm_dirs('/')`.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 2359741b28)
2022-10-07 08:45:15 +00:00
Andreas Schneider
7c2697e9c8 s3:auth: Flush the GETPWSID in memory cache for NTLM auth
Example valgrind output:

==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075
==22502==    at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==22502==    by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16)
==22502==    by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0)
==22502==    by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502==    by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502==    by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so)
==22502==    by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so)
==22502==    by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so)
==22502==    by 0x14E464: ??? (in /usr/sbin/winbindd)
==22502==    by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd)
==22502==    by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd)
==22502==    by 0x167DE0: ??? (in /usr/sbin/winbindd)
==22502==    by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x16A243: ??? (in /usr/sbin/winbindd)
==22502==    by 0x16AA04: ??? (in /usr/sbin/winbindd)
==22502==    by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F4C7: main (in /usr/sbin/winbindd)

You can find one for each string in pdb_copy_sam_account(), in total
this already has 67 MB in total for this valgrind run.

pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184

(cherry picked from commit 9ef2f7345f)
2022-10-07 08:45:15 +00:00
Jeremy Allison
2f71273a73 s3: smbd: Fix memory leak in smbd_server_connection_terminate_done().
The function smbd_server_connection_terminate_done() does not free subreq
which is allocated in smbXsrv_connection_shutdown_send, this can be a
memory leakage if multi-channel is enabled.

Suggested fix by haihua yang <hhyangdev@gmail.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15174

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Sep 23 09:51:20 UTC 2022 on sn-devel-184

(cherry picked from commit b600b0c8d9)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Sep 28 20:10:04 UTC 2022 on sn-devel-184
2022-09-28 20:10:04 +00:00
Volker Lendecke
04e54799b2 vfs_gpfs: Protect against timestamps before the Unix epoch
In addition to b954d181cd we should also protect against timestamps
before the epoch.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15151
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Sep 23 06:50:17 UTC 2022 on sn-devel-184

(cherry picked from commit f6b391e04a)
2022-09-28 19:13:18 +00:00