IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.
Now we properly constrain the value of padlength so underflow shouldn't
be possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.
In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.
That would be undefined behaviour.
The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The surrounding checks all use ct_memcmp(), so this one was presumably
meant to as well.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows us to access (and so test) functions internal to GSSAPI by
depending on this subsystem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As described by the C standard, __func__ is a variable, not a macro.
Hence this #ifndef check does not work as intended, and only serves to
unconditionally disable __func__. A nonoperating __func__ prevents
cmocka operating correctly, so remove this definition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
imessaging_client_init() is for temporary stuff only, so we should drop
(unexpected) incoming messages unless we expect irpc responses.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct 13 13:32:30 UTC 2022 on sn-devel-184
(cherry picked from commit 266bcedc18)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Oct 19 09:45:53 UTC 2022 on sn-devel-184
Otherwise we'll generate a memory leak of imessaging_post_state/
tevent_immediate structures per incoming message!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 32df5e4961)
We often create imessaging contexts just for sending messages,
but we'll never process incoming messages because a temporary event
context was used and we just queue a lot of imessaging_post_state
structures with immediate events.
With imessaging_init_discard_incoming() we'll discard any incoming messages
unless we have pending irpc requests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a120fb1c72)
follow to commit 4b15d8c2a5
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct 17 19:49:37 UTC 2022 on sn-devel-184
(cherry picked from commit 0326549a05)
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.
==6357== Command: ./bin/regpatch file
==6357==
Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it
==6357== Syscall param openat(filename) points to unaddressable byte(s)
==6357== at 0x4BFE535: open (in /usr/lib64/libc.so.6)
==6357== by 0x4861432: reg_diff_load (patchfile.c:345)
==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357== by 0x10ADF9: main (regpatch.c:114)
==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ADCF: main (regpatch.c:111)
==6357== Block was alloc'd at
==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357== by 0x10ADF9: main (regpatch.c:114)
==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ADCF: main (regpatch.c:111)
==6357== Block was alloc'd at
==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357== by 0x10ADF9: main (regpatch.c:114)
==6357== Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd
==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ADCF: main (regpatch.c:111)
==6357== Block was alloc'd at
==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357== at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357== by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357== by 0x10ADF9: main (regpatch.c:114)
==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ADCF: main (regpatch.c:111)
==6357== Block was alloc'd at
==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357== at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357== by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357== by 0x10ADF9: main (regpatch.c:114)
==6357== Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd
==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ADCF: main (regpatch.c:111)
==6357== Block was alloc'd at
==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357== by 0x10ACBD: main (regpatch.c:79)
==6357==
Error reading registry patch file `file'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184
(cherry picked from commit 7e0e3f47cd)
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.
==6055== Command: ./bin/testparm /etc/samba/smb.conf
==6055==
==6055== Invalid read of size 1
==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055== by 0x10EBFA: main (testparm.c:862)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055== by 0x10EBFA: main (testparm.c:862)
==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4C44DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6055== by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055== by 0x10EBFA: main (testparm.c:862)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4C44DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6055== by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055== by 0x10EBFA: main (testparm.c:862)
==6055== Address 0x72dab72 is 2 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
Load smb config files from /etc/samba/smb.conf
==6055== Invalid read of size 1
==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 8
==6055== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 2
==6055== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 8
==6055== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 2
==6055== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055== by 0x10EC06: main (testparm.c:864)
==6055== Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EBAC: main (testparm.c:854)
==6055== Block was alloc'd at
==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055== by 0x10EB2E: main (testparm.c:830)
==6055==
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4b15d8c2a5)
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.
==5914== Invalid read of size 1
==5914== at 0x4FDF740: strlcpy (in /usr/lib64/libbsd.so.0.11.6)
==5914== by 0x49E09A9: tdbsam_getsampwnam (pdb_tdb.c:583)
==5914== by 0x49D94E5: pdb_getsampwnam (pdb_interface.c:340)
==5914== by 0x10DED1: print_user_info (pdbedit.c:372)
==5914== by 0x111413: main (pdbedit.c:1324)
==5914== Address 0x73b6750 is 0 bytes inside a block of size 7 free'd
==5914== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5914== by 0x4C508B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5914== by 0x4C515D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5914== by 0x1113E6: main (pdbedit.c:1323)
==5914== Block was alloc'd at
==5914== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5914== by 0x4C522EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5914== by 0x110AE5: main (pdbedit.c:1137)
==5914==
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e82699fcca)
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.
==5325== Invalid read of size 1
==5325== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 8
==5325== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 2
==5325== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 8
==5325== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 2
==5325== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325== by 0x10ABD7: main (test_lp_load.c:98)
==5325== Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB8E: main (test_lp_load.c:90)
==5325== Block was alloc'd at
==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325== by 0x10AB49: main (test_lp_load.c:74)
==5325==
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ff003fc87b)
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.
==4407== Invalid read of size 1
==4407== at 0x146263: main (rpcclient.c:1262)
==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407== at 0x14627D: main (rpcclient.c:1263)
==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x4980E1C: talloc_strdup (talloc.c:2470)
==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407== by 0x1462B1: main (rpcclient.c:1267)
==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x4980E1C: talloc_strdup (talloc.c:2470)
==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407== by 0x1462B1: main (rpcclient.c:1267)
==4407== Address 0x7b67cd1 is 1 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 8
==4407== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x4980DC2: __talloc_strlendup (talloc.c:2457)
==4407== by 0x4980E32: talloc_strdup (talloc.c:2470)
==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407== by 0x1462B1: main (rpcclient.c:1267)
==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
==4407==
==4407== Invalid read of size 1
==4407== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x4980DC2: __talloc_strlendup (talloc.c:2457)
==4407== by 0x4980E32: talloc_strdup (talloc.c:2470)
==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
==4407== by 0x1462B1: main (rpcclient.c:1267)
==4407== Address 0x7b67cd8 is 8 bytes inside a block of size 10 free'd
==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x146227: main (rpcclient.c:1251)
==4407== Block was alloc'd at
==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==4407== by 0x1461BC: main (rpcclient.c:1219)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit d26d3d9bff)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit a7fba3ff59)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Oct 18 09:41:37 UTC 2022 on sn-devel-184
For type == ADOUBLE_META, fio->fake_fd is true so
writes are already synchronous, just call tevent_req_post().
For type == ADOUBLE_RSRC we know we are configured
with FRUIT_RSRC_ADFILE (because fruit_must_handle_aio_stream()
returned true), so we can just call SMB_VFS_NEXT_FSYNC_SEND()
after replacing fsp with fio->ad_fsp.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit 35c637f2e6)
This shows we currently hang when sending an SMB2_OP_FLUSH on
an AFP_Resource fork.
Adds knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit 1b8a873284)
If we get NT_STATUS_OBJECT_NOT_FOUND from smb2srv_client_connection_{pass,drop}()
we should just keep the connection and overwrite the stale record in
smbXsrv_client_global.tdb. It's basically a race with serverid_exists()
and a process that doesn't cleanly teardown.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 5d66d5b84f)
dbwrap_watched_watch_send() should typically be the last thing to call
before the db record is unlocked, as it's not that easy to undo.
In future we want to recover from smb2srv_client_connection_{pass,drop}()
returning NT_STATUS_OBJECT_NAME_NOT_FOUND and it would add complexity if
would need to undo dbwrap_watched_watch_send() at that point.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 56c597bc2b)
DBG_WARNING() already adds the function name as prefix.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit acb3d821de)
If we hit a race, when a client disconnects the connection after the initial
SMB2 Negotiate request, before the connection is completely passed to
process serving the given client guid, the temporary smbd which accepted the
new connection may already detected the disconnect and exitted before
the long term smbd servicing the client guid was able to send the
MSG_SMBXSRV_CONNECTION_PASSED message.
The result was a log message like this:
smbXsrv_client_connection_pass_loop: smb2srv_client_connection_passed() failed => NT_STATUS_OBJECT_NAME_NOT_FOUND
and all connections belonging to the client guid were dropped,
because we called exit_server_cleanly().
Now we ignore NT_STATUS_OBJECT_NAME_NOT_FOUND from
smb2srv_client_connection_passed() and let the normal
event loop detect the broken connection, so that only
that connection is terminated (not the whole smbd process).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 636ec45c93)
If a client disconnected all its interfaces and reconnects when
the come back, it will likely start from any ip address returned
dns, which means it can try to connect to a different ctdb node.
The old node may not have noticed the disconnect and still holds
the client_guid based smbd.
Up unil now the new node returned NT_STATUS_NOT_SUPPORTED to
the SMB2 Negotiate request, as messaging_send_iov[_from]() will
return -1/ENOSYS if a file descriptor os passed to a process on
a different node.
Now we tell the other node to teardown all client connections
belonging to the client-guid.
Note that this is not authenticated, but if an attacker can
capture the client-guid, he can also inject TCP resets anyway,
to get the same effect.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15159
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 2 20:59:15 UTC 2022 on sn-devel-184
(cherry picked from commit 8591d94243)
Samba 4.5 and earlier will fail to do GET_ANC correctly and will not
replicate non-critical parents of objects with isCriticalSystemObject=TRUE
when DRSUAPI_DRS_CRITICAL_ONLY is set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit bff2bc9c7d)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Fri Oct 7 09:56:12 UTC 2022 on sn-devel-184
The chgdcpass server now emulates older verions of Samba that
fail to implement DRSUAPI_DRS_GET_ANC correctly and totally fails to support
DRSUAPI_DRS_GET_TGT.
We now show this is in effect by the fact that tests now fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit b0bbc94d41)
This emulates older verions of Samba that fail to implement
DRSUAPI_DRS_GET_ANC correctly and totally fails to support
DRSUAPI_DRS_GET_TGT.
This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 314bc44fa9)
This test, compared with the direct to RPC tests, will succeed, then fail once the
server is changed to emulate Samba 4.5 and and again succeed once the python code
changes to allow skipping the DRSUAPI_DRS_CRITICAL_ONLY step
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7ff743d65d)
The chgdcpass environment will emulate older verions of Samba
that fail to implement DRSUAPI_DRS_GET_ANC correctly and
totally fails to support DRSUAPI_DRS_GET_TGT.
This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 62b426243f)
In several places we end a test by deleting a number of files and
directories, but we do it rather haphazardly with unintentionally
differing error handling. For example, in some tests we currently have
something like:
try:
shutil.rmtree(os.path.join(self.tempdir, "a"))
os.remove(os.path.join(self.tempdir, "b"))
shutil.rmtree(os.path.join(self.tempdir, "c"))
except Exception:
pass
where if, for example, the removal of "b" fails, the removal of "c" will
not be attempted. That will result in the tearDown method raising an
exception, and we're no better off. If the above code is replaced with
self.rm_files('b')
self.rm_dirs('a', 'c')
the failure to remove 'b' will cause a test error, *unless* the failure
was due to a FileNotFoundError (a.k.a. an OSError with errno ENOENT),
in which case we ignore it, as was probably the original intention.
If on the other hand, we have
self.rm_files('b', must_exist=True)
self.rm_dirs('a', 'c')
then the FileNotFoundError causes a failure (not an error).
We take a little bit of care to stay within self.tempdir, to protect
test authors who accidentally write something like `self.rm_dirs('/')`.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 2359741b28)
Example valgrind output:
==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075
==22502== at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==22502== by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16)
==22502== by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0)
==22502== by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502== by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502== by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so)
==22502== by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so)
==22502== by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so)
==22502== by 0x14E464: ??? (in /usr/sbin/winbindd)
==22502== by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd)
==22502== by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd)
==22502== by 0x167DE0: ??? (in /usr/sbin/winbindd)
==22502== by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x16A243: ??? (in /usr/sbin/winbindd)
==22502== by 0x16AA04: ??? (in /usr/sbin/winbindd)
==22502== by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502== by 0x12F4C7: main (in /usr/sbin/winbindd)
You can find one for each string in pdb_copy_sam_account(), in total
this already has 67 MB in total for this valgrind run.
pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184
(cherry picked from commit 9ef2f7345f)
The function smbd_server_connection_terminate_done() does not free subreq
which is allocated in smbXsrv_connection_shutdown_send, this can be a
memory leakage if multi-channel is enabled.
Suggested fix by haihua yang <hhyangdev@gmail.com>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15174
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Sep 23 09:51:20 UTC 2022 on sn-devel-184
(cherry picked from commit b600b0c8d9)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Sep 28 20:10:04 UTC 2022 on sn-devel-184
In addition to b954d181cd we should also protect against timestamps
before the epoch.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15151
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Sep 23 06:50:17 UTC 2022 on sn-devel-184
(cherry picked from commit f6b391e04a)