IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Overflow is unlikely ever to occur, but you never know.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This matches the use of uint32_t for security_token::num_sids.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Also check whether the message is NULL. Passing NULL to vasprintf() is
undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Wrapping a function this simple doesn’t gain us very much.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As the server authentication policy will be non-NULL only for entries
looked up as servers, the krbtgt shouldn’t have an authentication policy
anyway. But we might as well be explicit.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function doesn’t require a heap allocation.
We also check the result of the function, which we weren’t doing before.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This change ultimately won’t make much difference to responses, as
unrecognized codes are mapped to ERR_GENERIC in any case. But it might
provide some help for debugging.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If we’re going to zero the keys before freeing them, we might as well do
it properly.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If we exited this function early due to an error, h->len would contain
the number of elements that *ought* to be in h->val, but not all of
those elements must have been initialized. Subsequently trying to free
this partially-uninitialized structure with free_Keys() could have bad
results.
Avoid this by ensuring that h->len accurately reports the actual number
of initialized elements.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
To these conversion functions we sometimes pass malloc-allocated HDB
structures, which we free afterwards if conversion fails. If parts of
these structures are still uninitialized when we try to free them, all
sorts of fun things can result.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If the data was received over TCP, it would have had four bytes
subtracted from its length already, in kdc_tcp_call_loop().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This condition was written backwards — if samba_kdc_fetch() returned
zero, we would ignore any error code returned by
sdb_entry_to_hdb_entry().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Use a temporary context to allocate these variables. Each variable that
needs to be transferred to the caller is stolen onto an appropriate
talloc context just prior to the function’s returning.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This simplifies the ‘out’ paths.
Every code path that reaches ‘out’ via a goto ensures that ‘ret’ is set
to a nonzero value.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We should take the common ‘out’ path to ensure that we call
sdb_entry_free() on the entry.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The value of entry->etypes->len ought to be equal to that of
entry->keys.len, and so should be nonzero. But it’s safer not to rely on
that assumption.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We must not pass a NULL pointer into dom_sid_split_rid().
While we’re at it, switch to using samdb_result_dom_sid_buf(), which
doesn’t require a heap allocation.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If smb_krb5_make_principal() fails without setting the principal,
sdb_entry_free() will try to free whatever memory the uninitialized
member points to.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If an authentication policy enforces a maximum TGT lifetime for a
Protected User, that limit should stand in place of the four-hour limit
usually applied to Protected Users; we should nevertheless continue to
ensure that forwardable or proxiable tickets are not issued to such
users.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Accessing the wrong member of a union invokes undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is the version we test with in CI after the image update
in the next commit. This addresses the issues that were
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures
that Samba builds against the MIT version that allows us to
avoid that attack.
The hooks to allow these expectations to be disabled in the tests
are kept for now, to allow this to be reverted or to test
older servers.
With MIT 1.21 as the new test standard for the MIT KDC build
we update the knownfail_mit_kdc - this was required regadless
after the CI image update.
Any update to the CI image, even an unrelated one, brings in
a new MIT Krb5, version 1.21-3 in this case. This has new
behaviour that needs to be noted in the knownfail files or
else the tests, which haven't changed, will fail and
pipelines won't pass.
(The image generated by the earlier bootstrap commit brought
in krb5-1.21-2 which was buggy with CVE-2023-39975)
Further tweaks to tests or the server should reduce the number
of knownfail entries, but this keeps the pipelines passing for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
We send the NC root first, as a special case for every chunk
that we send until the natural point where it belongs.
We do not bump the tmp_highest_usn in the highwatermark that
the client and server use (it is meant to be an opauqe cookie)
until the 'natural' point where the object appears, similar
to the cache for GET_ANC.
The issue is that without this, because the NC root was sorted
first in whatever chunk it appeared in but could have a 'high'
highwatermark, Azure AD Connect will send back the same
new_highwatermark->tmp_highest_usn, and due to a bug,
a zero reserved_usn, which makes Samba discard it.
The reserved_usn is now much less likely to ever be set because
the tmp_higest_usn is now always advancing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is closer to our READDME.Coding style
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Because of the requirement to echo back the original string, we can
not force this to be a trustworthy value.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
