1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

8551 Commits

Author SHA1 Message Date
Joseph Sutton
fe86989fcc lib:printer_driver: Check return value of gp_inifile_enum_section() (CID 1444835)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:30 +00:00
Joseph Sutton
03ca8c25d0 lib:compression: Correctly fix sign extension of long matches (CID 1517275)
Commit 6b4d94c987 was a previous attempt
to fix this issue.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:30 +00:00
Andrew Bartlett
3cf1beed5d CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Joseph Sutton
da202eb209 lib:krb5_wrap: Include missing headers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
1f92b5f150 lib/util: Fix building with FORTIFY_SOURCE=2
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
a77b90d808 ldb: Fix building with FORTIFY_SOURCE=2
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
50c208fc53 lib/ldb-samba: Fix building with FORTIFY_SOURCE=2
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
e961783add lib:compression: Fix building with FORTIFY_SOURCE=2
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
2f6083f59f lib:audit_logging: Initialize ‘tm’ structure
‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
58bd2f525b lib/krb5_wrap: Simplify assignments
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
0bd7863ec0 lib/krb5_wrap: Make use of smb_krb5_make_data()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Douglas Bagnall
3be69fc3dc fuzzing: fuzz_sddl_parse forgives bad utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
e4da279b1c util/str: helper to check for utf-8 validity
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
b3f92b475c lib/fuzzing: fuzz_sddl_parse: allow non-round-trip with long strings
There is a borderline case where a conditional ACE unicode string
becomes longer than the SDDL parser wants to handle when control
characters are given canonical escaping. This can make the round trip
fail, but it isn't really a problem.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
793b86f4cb conditional_aces: Avoid manual parsing for ace_condition_bytes, use DATA_BLOB
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
1223b89d81 docs-xml: Add new parameter "acl claims evaluation"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
cc17c3e21d lib/fuzzing: adjust access-check seed patch
Now that access_check.c includes headers for conditional ACEs, the patch
should take that into account.

Also, we check for a talloc failure.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
ea4caa45ab lib/fuzzing: fuzz_conditional_ace_blob
This parses the blob as a conditional ACE, and if possible tries
decompiling it into SDDL.

There are not many round-trip assertions we can honestly make, but we
keep the trip going as long as possible, in case it reveals anything.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
c6a62d69ca lib/fuzzing: adapt fuzz_sddl_access_check for claims
The token has more stuff in it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
295c609f5a lib/fuzzing: fuzz SDDL conditional ACEs
Here we're not compiling the whole SD, just the single conditional
ACE.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Volker Lendecke
3b8cfda1c9 lib: Avoid a tdb handle leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Volker Lendecke
46f710c95f lib: Modernize tdb_fetch_lifetime()
Just came across this, avoid mallocs.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-25 19:01:34 +00:00
Joseph Sutton
477dc8f246 ldb: Prefer explicit initialization to ZERO_STRUCT()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
187d74d9c0 lib:krb5_wrap: Remove Heimdal‐only krb5_princ_component() implementation
This implementation is no longer called: using a variable of static
storage duration as a conduit for return values is only asking for
trouble.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
229d26e25e lib:krb5_wrap: Add Heimdal‐specific smb_krb5_princ_component() implementation
This implementation doesn’t rely on a variable of static storage
duration being used as a conduit for the return value.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
eec9e54592 lib:krb5_wrap: Add smb_krb5_princ_component()
For now this function is a mere wrapper round krb5_princ_component(),
but one whose interface allows for a more sensible implementation.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
d901fe9c67 lib:krb5_wrap: Have smb_krb5_principal_get_realm() check the return values of intermediate functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
b8ca4dead2 lib:krb5_wrap: Eliminate redundant code from smb_krb5_sockaddr_to_kaddr()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
0bcf44c8b7 lib:tdr: Remove unnecessary cast
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:28 +00:00
Joseph Sutton
74e1bb0571 lib:mscat: Remove unnecessary casts
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:28 +00:00
Joseph Sutton
dd2b568721 lib:charset: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
6a303be56c tevent: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
53caec3c36 tdb: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
9d699895ad lib:printer_driver: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
5fbbf9b9ba ldb: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
7d9edb82c4 lib:krb5_wrap: Fix spelling in documentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
74580daac9 lib:crypto: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
1c35195ff7 lib:compression: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Stefan Metzmacher
a9c53b9eff lib/util: inline iov_{buflen,buf,advance}()
The main reason for this change was the use of
iov_advance() in the next commits in
source3/smbd/smb2_server.c

And the function calls to iov_advance() showed up
in profiling with callgrind.

While there iov_buf() and iov_buflen() are moved as
well, as they are also used there.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-06 19:30:35 +00:00
Joseph Sutton
5de640fc58 ldb: Heed return code from Python testsuite
When we added a second run of the Python testsuite, the return code from
the first run began to go ignored.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
b440732e7f ldb: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
e4ab1de4e4 lib:ldb:tests: Remove explicit comparison with False
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
6668d213e7 pyldb: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Joseph Sutton
5e9187baf9 pyldb: Check return values of Python functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Joseph Sutton
e5794b8c8a pyldb: Check return values of talloc functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Joseph Sutton
93d37f8bfc pyldb: Check whether Python object is a list
If we’re going to call PyList_Size() on an object, we should be sure
that it is a list first.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Martin Schwenke
c767277912 util: Avoid logging to multiple backends for stdout/stderr
Commit 83fe7a0316 converted the
stdout/stderr logging  types to DEBUG_FILE to get a header when using
DEBUG_SYSLOG_FORMAT_ALWAYS.  However, this causes all configured
backends to be invoked.  When syslog is one of those backends then
this is almost certainly not what is intended.

Instead, call debug_file_log() directly in that special case and
revert the parts of the above commit that convert to file logging.

Most of the changes to debughdrclass() still seem necessary, since
they handle the change of debug_syslog_format from a bool to an enum.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15460

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Aug 28 01:21:07 UTC 2023 on atb-devel-224
2023-08-28 01:21:07 +00:00
Douglas Bagnall
4504324ea4 lib/util: strhex_to_data_blob checks talloc
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Joseph Sutton
d608dc175e lib:krb5_wrap: Fix references to incorrect function names
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
02b546778f lib:krb5_wrap: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Volker Lendecke
42e4691cf5 audit_logging: Simplify json_add_stringn() with json_stringn()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 14 20:51:11 UTC 2023 on atb-devel-224
2023-08-14 20:51:11 +00:00
Volker Lendecke
a9f358f7d7 tevent: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-14 19:53:37 +00:00
Volker Lendecke
0382e07222 dbwrap: Simplify dbwrap_change_int32_atomic_action()
Use dbwrap_do_locked()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-14 19:53:37 +00:00
Volker Lendecke
ad0986652d dbwrap: Simplify dbwrap_change_uint32_atomic_action()
Use dbwrap_do_locked()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-14 19:53:37 +00:00
Joseph Sutton
d35e7f10af tsocket: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
a643ac45c1 lib/replace: Ensure that __STDC_WANT_LIB_EXT1__ is set to 1
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
5b3a8aa544 lib:krb5_wrap: Remove unnecessary cast
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
578c1d39f5 ldb:ldb_sqlite3: Access correct member of union
Accessing the wrong member of a union invokes undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
993ff0353b ldb: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Douglas Bagnall
269738d6ce lib/replace: fix strlcat/strlcpy compile for Honggfuzz
Otherwise we getthis kind of thing:

../../lib/replace/replace.c:837:3: error: implicit declaration of function 'strlcpy' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
                strlcpy(buf, s, buflen);

../../third_party/heimdal/lib/roken/getarg.c:288:6: error: implicit declaration of function 'strlcat' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
            strlcat(buf, "]", sizeof(buf));

because we found the symbol names in libc, but didn't check that the
functions are declared in <string.h>. We already include
<bsd/string.h> whenever we have it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug  8 05:35:08 UTC 2023 on atb-devel-224
2023-08-08 05:35:08 +00:00
Douglas Bagnall
17e35c2691 fuzz: add fuzzer for ldb_comparison_fold
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:39 +00:00
Douglas Bagnall
019bee54c6 fuzz: add fuzzer for sess_crypt_blob
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:39 +00:00
Douglas Bagnall
5c007600dc util/base64: add a note about zero length strings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Douglas Bagnall
c3ded9d934 lib/fuzzing:fuzz_sddl_access_check fix nul-term check
We were wanting to ensure the string contains a zero byte, but
instead were checking for a non-zero byte.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Douglas Bagnall
5c81f34935 lib/fuzzing: LLVMFuzzerTestOneInput() takes const uint8_t*
We have been using `uint8_t *`, which works fine as far as
linking goes, but leads fuzz target developers to sometimes
forget why they can't just modify the passed in string instead of
copying it for modification (e.g. to NUL-terminate).

REF: https://llvm.org/docs/LibFuzzer.html#fuzz-target

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
8ff5c51419 lib/util: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
6ee008d2d9 lib:socket: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
ea888d6901 lib:mscat: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
f14d5a0187 talloc: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
355fd3c7bf lib:charset: Update NUM_CHARSETS to reflect true value
CH_DISPLAY was removed in commit
125a2ff262, but NUM_CHARSETS was not
updated to match.

By assigning to NUM_CHARSETS the last enumeration value in charset_t, we
guard against its falling out of sync again.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
150d457b55 ldb: Work around inconsistent behaviour in PyObject_AsMessageElement()
PyObject_AsMessageElement() has ‘flags’ and ‘attr_name’ parameters to
set properties of the returned MessageElement, but they apply only
*sometimes*.

‘attr_name’ not being set can result in cryptic and misleading error
messages from various ldb operations.

Changing the function’s behaviour to be more consistent could break
existing code, so we work around the issue instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
d278f97d5e ldb: Clarify documentation for PyObject_AsMessageElement()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
77015f3ca0 ldb: Don’t leak ‘el’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
229d270deb ldb: Check talloc_zero_array() return value
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
dc89fabbb5 ldb: Don’t leak ‘msg’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
5820558592 ldb: Check talloc_strdup() return value
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
41e0951d91 ldb: Don’t decrement reference count until object is no longer needed
If ‘tmp’ happens to be garbage-collected, ‘name’ will become invalid.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
1cb91c6a78 ldb: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
d5c309a547 ldb: Account for ‘name’ possibly being NULL
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
6ce9c6a306 ldb: Don’t pass NULL pointer into strcasecmp()
Doing so is undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
f47aef7743 python: Use correct function signatures
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
8090e59541 lib/ldb-samba: Add missing newline to logging message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:36 +00:00
Joseph Sutton
5c67b45221 lib/util: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:36 +00:00
Joseph Sutton
aa9ca51946 lib/replace: Const-qualify sys_errlist
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:36 +00:00
Joseph Sutton
8ed6955365 lib:dbwrap: Remove unneeded space in debug message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:36 +00:00
Andreas Schneider
edcebcd48a lib:tevent: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
d0b2c27d2f lib:fuzzing: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andrew Bartlett
5cc861603a lib/util: Move DEBUG() calls in gendb_search_v to common levels and new DBG_*() pattern
This moves success logs 6 -> 10, failure logs 4 -> 5.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Pavel Filipenský
c58a714232 lib:krb5_wrap: Fix resource leak in smb_krb5_kt_seek_and_delete_old_entries
Reported by Red Hat internal covscan
leaked_storage: Variable "cursor" going out of scope leaks the storage it points to.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Jule Anger
7319c7596e ldb: change the version to 2.9.0 for Samba 4.20
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jul 28 11:49:02 UTC 2023 on atb-devel-224
2023-07-28 11:49:02 +00:00
Jule Anger
94f11c3c21 ldb: release 2.8.0 for use in Samba 4.19.x
* CVE-2023-0614 Not-secret but access controlled LDAP attributes can be discovered (bug 15270)
* pyldb: Raise an exception if ldb_dn_get_parent() fails
* Implement ldap_whoami in pyldb and add the RFC4532 LDB_EXTENDED_WHOAMI_OID definition
* Documentation and spelling fixes
* Add ldb_val -> bool,uint64,int64 parsing functions
* Split out ldb_val_as_dn() helper function
* add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject()
* add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject()
* let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix
* Don't create error string if there is no error
* Avoid allocation and memcpy() for every wildcard match candidate
* Make ldb_msg_remove_attr O(n)
* pyldb: Throw error on invalid controls
* pyldb: remove py2 ifdefs
* Call tevent_set_max_debug_level(TEVENT_DEBUG_TRACE)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:33 +00:00
Andrew Bartlett
e36a4149d8 librpc/idl: Remove DCOM and WMI IDL
As hinted in f2416493c0 the DCOM and WMI
IDL is now unused.  These generate code with PIDL, costing a small
amount of build time but more importantly are fuzzed, which costs an
ongoing amount of CPU time as oss-fuzz tries to find parsing issues.

We do not need to continue this waste, and these can be restored
if this effort is ever to start again.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:32 +00:00
Pavel Filipenský
c5778a0fbd krb5_wrap: add krb5_free_string()
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:32 +00:00
Pavel Filipenský
75139445c2 krb5_wrap: add krb5_free_enctypes()
MIT Kerberos implements krb5_free_enctypes(), Heimdal is missing it and
offers krb5_xfree() instead.
This introduces a wrapper krb5_free_enctypes() around krb5_xfree() for
Heimdal.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:32 +00:00
Andrew Bartlett
76ad44f446 lib/cmdline: Also redact --newpassword in samba_cmdline_burn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 06:16:30 UTC 2023 on atb-devel-224
2023-07-21 06:16:30 +00:00
Andrew Bartlett
414b3803bb lib/cmdline: Also burn the --password2 parameter if given
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-07-21 05:23:32 +00:00
Andrew Bartlett
848fea1a01 lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-07-21 05:23:32 +00:00
Andrew Bartlett
3109899299 lib/fault: During smb_panic() print process comment and setprocname() title
The purpose of this is to make it clear which part of the AD DC (in particular)
has faulted without having to deduce it from the stacktrace.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-21 01:25:37 +00:00
Stefan Metzmacher
24120728bb ldb: call tevent_set_max_debug_level(TEVENT_DEBUG_TRACE) together with ldb_tevent_debug()
This means ldb_tevent_debug() is only called for TEVENT_DEBUG_TRACE.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
0031a102c3 lib/util: call tevent_set_max_debug_level() in samba_tevent_set_debug()
This means samba_tevent_debug() is only called when needed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
6a80d170bc tevent: version 0.15.0
- remove py2 ifdefs
- python: Safely clear structure members
- the tevent_thread_call_depth API is updated
  in order to allow better tracing.
- add tevent_set_max_debug_level() only and don't
  pass TEVENT_DEBUG_TRACE to tevent_debug() callbacks by default.
- Spelling fixes
- Make use of epoll_create1() for epoll backend
- Optimize overhead in the epoll backend

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
0ddf8b5645 tevent: add tevent_common_fd_str() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
2645be60d7 tevent: avoid calling epoll_update_event() again if epoll_check_reopen() already did it
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
e9d9809734 tevent: let epoll_check_reopen() clear all events before reopening them
This is clearer for multiplexed fdes as it means both sides are
already cleared before we call epoll_update_event() again.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
3217d5dc1d tevent: avoid epoll_check_reopen() overhead unless required
The preparation, function call and cleanup for epoll_check_reopen()
is quite some overhead and not needed most of the time!

So check the pid in the caller avoids most of it.

Review with: git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
d94b9c8124 tevent: make use of TEVENT_DEBUG() when using TEVENT_DEBUG_TRACE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
812313f1c8 tevent: add TEVENT_DEBUG() avoid argument overhead when log is not active...
It can be very costly to calculate the arguments passed to
tevent_debug(), just to drop the message within tevent_debug()
or the callback function.

So we add a way to avoid the overhead, it will be used in the
next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
2c78a4f527 tevent: introduce tevent_set_max_debug_level() (default TEVENT_DEBUG_WARNING)
Allow an application to decide which log levels it wants to get
in the callback function passed to tevent_set_debug().

By default TEVENT_DEBUG_WARNING is the maximal reported level
and TEVENT_DEBUG_TRACE message no longer reach the callback function
by default.

It seems Samba is the only consumer of tevent_set_debug(), so it
should not be a huge problem, as Samba only reports TEVENT_DEBUG_TRACE
message with log level 50 anyway. And future Samba versions will
call tevent_set_max_debug_level() if needed.

Note the change to tevent-0.14.1.sigs will be reverted
with the release of tevent 0.15.0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
86140d7c38 tevent: add fd_speed test
This is similar to the "context" test, but without signal handlers.

It also creates a constant load instead of being time limited,
which makes it useful to analyse using callgrind and other tools.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Pavel Filipenský
d7b29125c0 tevent: Flow: add tevent_thread_call_depth_set_callback()
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
0c4d6e630f tevent: Flow: store cleanup function name in tevent_req
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
85e43e70b2 tevent: Flow: store cancel function name in tevent_req
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2023-07-19 08:02:33 +00:00
Pavel Filipenský
5e83691d1e tevent: Flow: store trigger function name in tevent_queue_entry
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-19 08:02:33 +00:00
Pavel Filipenský
deec9994eb tevent: Flow: store callback function name in tevent_req
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-19 08:02:33 +00:00
Pavel Filipenský
fb3a9cd732 tevent: Flow: pass function name to tevent_req_create()
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-19 08:02:33 +00:00
Pavel Filipenský
1c9e9f4604 tevent: Deprecate some tevent_thread_call_depth_*() functions
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-19 08:02:33 +00:00
Pavel Filipenský
e9f38f6e6d tevent: Move definition of _DEPRECATED_ to the top of tevent.h
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
c1124ec8e5 tevent: add tevent_dlinklist.h as copy from lib/util/dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
e3c77030fe lib/util: dlinklist.h sync with LGPL copy from lib/ldb/include/dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
8edb16a396 ldb: clarify LGPL scope of include/dlinklist.h
Removing the explicit notice about ldb in order to
have the same content in all copies of dlinklist.h
in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
18e18006ad ldb: remove trailing whitespaces from include/dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 08:02:33 +00:00
Dmitry Antipov
a665d44f22 tevent: rely on epoll_create1() for epoll interface
Prefer epoll_create1(2) over epoll_create(2) and
always require the former to use epoll(7) interface,
thus saving extra fcntl(2) call to set FD_CLOEXEC.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-19 08:02:33 +00:00
Dmitry Antipov
0daa9ebc23 lib:replace: rely on epoll_create1() for epoll interface
Prefer epoll_create1(2) over epoll_create(2) and
always require the former to use epoll(7) interface.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
b649c7d3c2 tdb: release 1.4.9
* Remove remaining, but broken python2 support
* Spelling fixes
* python: Safely clear structure members

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
791e2817e1 talloc: release 2.4.1
* Remove remaining, but broken python2 support
* Spelling fixes
* Remove unneeded va_copy()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-07-19 08:02:33 +00:00
Douglas Bagnall
f050124a96 lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds
If this patch is applied, and an environment variable is set, all
access_check calls will be recorded as seeds for
fuzz_security_token_vs_descriptor. See the patch for details.

You probably will never want to apply this patch, but it is here just
in case.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
9ea606dad1 lib/fuzzing: adapt fuzz_sddl_access_check for AD variant
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
89b02bad3e lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant
This of course doesn't exercise the object tree or default SID code,
but it still covers a lot to the *_ds access_check functions.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
eb2bed3899 lib/fuzzing: add fuzzer for arbitrary token/sd access checks
The token and descriptor are stored in NDR format; for this purpose we
add a new IDL struct containing this pair (along with a desired access
mask).

An upcoming commit will show how to collect seeds for this fuzzer.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
5ad28bd760 lib/fuzzing: add fuzz_sddl_access_check
This fuzzer parses SDDL into a security descriptor and runs an access
check on it using a known security token. This is purely for crash
detection -- we don't know enough to assert whether the check should
succeed or not.

The seed strings used are compatible with those of fuzz_sddl_parse --
anything found by fuzz_sddl_parse is worth trying as a seed here, and
vice versa.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
05e2ec1d8b configure: ensure sizeof(int) >= 4
There are multiple places we make this assumption. For example, in
source3/lib/tldap.c, we have this line

      if (ld->msgid == 2147483647) {

where ld->msgid is an int. And in librpc/idl/security.idl we have
several lines like:

      const int SEC_MASK_GENERIC        = 0xF0000000;

In lib/replace/inet_pton.c and inet_ntop.c we have

  /*
   * WARNING: Don't even consider trying to compile this on a system where
   * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
   */

but no attempt to enforce that as far as I can see, until now.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 11 22:44:15 UTC 2023 on atb-devel-224
2023-07-11 22:44:15 +00:00
Andrew Bartlett
acd081a70d build: Remove unused check for SHA1_Update and SHA1_RENAME_NEEDED
I can not find the code that required this, even in the history.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 30 14:59:46 UTC 2023 on atb-devel-224
2023-06-30 14:59:46 +00:00
Andrew Bartlett
11b3c6826d Remove redundant check and fallback for AES CMAC 128 as we now require GnuTLS 3.6.13
This allows us to remove a lot of conditionally compiled code and so
know with more certainly that our tests are covering our code-paths.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-30 14:00:38 +00:00
Andrew Bartlett
95c843de92 crypto: Remove aesni-intel accelerated AES crypto functions
These will shortly be unused as we will rely on GnuTLS for all AES cryptography
now that we require GnuTLS 3.6.13

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-30 14:00:38 +00:00
Andrew Bartlett
055318d7e7 Remove rudundent check for gnutls_pkcs7_get_embedded_data_oid as we now require GnuTLS 3.6.13
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-30 14:00:38 +00:00
Andrew Bartlett
eda1022b59 crypto: Rely on GnuTLS 3.6.13 and gnutls_pbkdf2()
This removes a lot of inline #ifdef and means this feature is always tested.

We can do this as we have chosen GnuTLS 3.6.13 as the new minimum version.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-30 14:00:38 +00:00
Joseph Sutton
f9c55b84ef lib:audit_logging: Add function to return the JSON null object
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Christof Schmitt
34b9c54ff2 gpfswrap: Add wrapper for gpfs_register_cifs_export
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15381

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-25 15:09:34 +00:00
Stefan Metzmacher
48cc2862c2 docs-xml/smbdotconf: also allow 2012[_R2] for 'ad dc functional level'
We may not jump to 2016 directly...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 19:08:37 +00:00
Volker Lendecke
a4972336f1 lib: Add a few required #includes
You find them if you try to #include these files directly

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-16 16:14:30 +00:00
Joseph Sutton
9325c14b7e lib:audit_logging: Add function to create JSON object containing auditing information
This can be included in logged authentications and authorizations.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
f8f0ee5354 param: Remove reference to unrecognized parameter ‘directory name cache size’
This parameter was removed in commit
c37d6be2db.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
2eda24663f pyldb: Check for allocation failure in py_ldb_dn_get_parent()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
5905a63307 pyldb: Raise an exception if ldb_dn_get_parent() fails
Such a failure could be caused by situations other than memory errors,
but a simple indication of failure is all that ldb_dn_get_parent() gives
us to work with.

We keep the old behaviour of returning None if the DN has no components,
which an existing test (ldb.python.api.DnTests.test_parent_nonexistent)
expects.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Pavel Filipenský
d8f7d244f4 lib:dbwrap: Add dbwrap_merge_dbs()
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
6bdd29a7a4 lib:dbwrap: Fix trailing whitespace in lib/dbwrap/dbwrap.h
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Stefan Metzmacher
77c925681d lib/replace: check for valgrind/callgrind.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2023-06-01 07:20:31 +00:00
Stefan Metzmacher
bfb1494e81 lib/util: use RUNNING_ON_VALGRIND to check if valgrind is used
We should not skip all of close_low_fd() just because we
detected valgrind headers at build time.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2023-06-01 07:20:31 +00:00
Joseph Sutton
c9e12a8d98 pyldb: Fix leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
3ce2803f6d lib:audit_logging:tests: Check return value of json_new_{object,array}()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
281b616ac7 lib:audit_logging: Check return value of json_new_object()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
32b49d8a56 lib:audit_logging: Fix typo in log message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
d7b68236ec lib:audit_logging: Add function to add a formatted time value to a JSON message
json_add_timestamp() is limited to adding a ‘timestamp’ field with the
current time. The new function can add an arbitrary timestamp with an
arbitrary field name.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
0080148483 lib:audit_logging: Add function to add an optional boolean value to a JSON message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
4440f1db54 lib:audit_logging: Add function to add flags to a JSON message
This replaces a couple of calls to snprintf() in
log_authentication_event_json() and log_successful_authz_event_json()
respectively.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
f573177c35 python: Safely clear structure members
Using Py_CLEAR() ensures that these structures are observed in a
consistent state by any Python code that may run during deconstruction.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Dmitry Antipov
cea9b25571 lib:util: prefer size_t for random data generation functions
Prefer 'size_t' over 'int' in generate_random_buffer(),
generate_secret_buffer() and generate_nonce_buffer() to
match an underlying gnutls_rnd() calls.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Andrew Bartlett
e5c3e076c8 param: Add new parameter "ad dc functional level"
This allows the new unsupported functional levels to be unlocked, but with an smb.conf
option that is easily seen.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-16 23:29:32 +00:00
Dmitry Antipov
46ae5568fa lib:ldb: do not offset against NULL pointer in ldb_ldif_read()
Fix the following error observed running samba.test.registry
compiled with clang-17 and UBsan:

lib/ldb/common/ldb_ldif.c:881:9: runtime error: applying non-zero offset 137438953440 to null pointer
    #0 0x7faa0eb3932f in ldb_ldif_read lib/ldb/common/ldb_ldif.c:881
    #1 0x7faa0eb3aec6 in ldb_ldif_read_string lib/ldb/common/ldb_ldif.c:1004
    #2 0x7faa077ed759 in dsdb_set_schema_from_ldif source4/dsdb/schema/schema_set.c:1113
    #3 0x7faa068fcbbf in py_dsdb_set_schema_from_ldif source4/dsdb/pydsdb.c:929
    #4 0x7faa1d1d4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
    [... a lot of Python calls skipped...]

I.e. number of elements should be checked against zero
before making an attempt to access an element by index.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-09 01:59:32 +00:00
Joseph Sutton
2eb458118c lib:addns: Don’t call memcpy() with a NULL pointer
Doing so is undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
443d70ee58 lib:util: Fix undefined bitshift
runtime error: left shift of 65535 by 16 places cannot be represented in type 'int'

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Douglas Bagnall
9ab0d65fc0 lib/fuzzing: add fuzzer for sddl_parse
Apart from catching crashes in the actual parsing, we abort if the SD
we end up with will not round trip back through SDDL to an identical
SD.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Andreas Schneider
3e6a6c00cc lib:krb5_wrap: Fix debug statements when princ_s is NULL
In file included from source4/include/includes.h:61,
                 from lib/krb5_wrap/krb5_samba.c:23:
lib/krb5_wrap/krb5_samba.c: In function ‘smb_krb5_kt_seek_and_delete_old_entries’:
lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
  200 |        && (dbgtext body) )
      |           ~^~~~~~~~~~~~~
lib/krb5_wrap/krb5_samba.c:1753:25: note: in expansion of macro ‘DEBUG’
 1753 |                         DEBUG(5, (__location__ ": Saving previous (kvno %d) "
      |                         ^~~~~
lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
  200 |        && (dbgtext body) )
      |           ~^~~~~~~~~~~~~
lib/krb5_wrap/krb5_samba.c:1763:25: note: in expansion of macro ‘DEBUG’
 1763 |                         DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
      |                         ^~~~~
lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
  200 |        && (dbgtext body) )
      |           ~^~~~~~~~~~~~~
lib/krb5_wrap/krb5_samba.c:1769:17: note: in expansion of macro ‘DEBUG’
 1769 |                 DEBUG(5, (__location__ ": Found old entry for principal: %s "
      |                 ^~~~~
lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
  200 |        && (dbgtext body) )
      |           ~^~~~~~~~~~~~~
lib/krb5_wrap/krb5_samba.c:1787:17: note: in expansion of macro ‘DEBUG’
 1787 |                 DEBUG(5, (__location__ ": removed old entry for principal: "
      |                 ^~~~~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-27 07:21:33 +00:00
Volker Lendecke
e88332cbe4 ldb: Implement ldap_whoami in pyldb
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-26 06:27:31 +00:00
Volker Lendecke
0575cc4b85 ldb: Allow extended operations through ildap
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-26 06:27:31 +00:00
Volker Lendecke
8aab8d6caf ldb: Add the RFC4532 LDB_EXTENDED_WHOAMI_OID definition
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-26 06:27:31 +00:00
Alexander Bokovoy
d5b8b804fe Add ROLE_IPA_DC into two more places
Missed two more places originally when introduced ROLE_IPA_DC.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Tue Apr 25 07:46:36 UTC 2023 on atb-devel-224
2023-04-25 07:46:36 +00:00
Christof Schmitt
45f026c45c debug: Only initialize gpfs wrapper when gpfs logging is enabled
This avoids unnecessary attempts to load libgpfs.so when it is not
needed.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Apr 14 12:28:23 UTC 2023 on atb-devel-224
2023-04-14 12:28:23 +00:00
Andreas Schneider
cfa53c8a80 lib:util: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 05:25:33 +00:00
Andreas Schneider
b327160377 lib:util: Remove trailing white spaces in byteorder.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 05:25:33 +00:00
Andreas Schneider
89d5c0dc5c lib:tsocket: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 05:25:33 +00:00
Andreas Schneider
6eed0c128c lib:tevent: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 05:25:33 +00:00
Andreas Schneider
2afd7b1bb8 lib:tdb: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 05:25:33 +00:00
Andreas Schneider
b6de03c74c lib:talloc: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 05:25:33 +00:00
Andreas Schneider
c6e1a94915 lib:socket: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 05:25:33 +00:00
Andreas Schneider
189f156c8c lib:smbconf: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 05:25:33 +00:00
Andreas Schneider
8d647f2f7c lib:replace: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 05:25:33 +00:00
Andreas Schneider
9d42ba7661 lib:replace: Remove trailing white spaces in xattr.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 05:25:33 +00:00
Joseph Sutton
44d03bf479 lib/torture: Don't overwrite test outcomes
If a test fails an assertion, and later calls torture_skip() to skip
part of the test, the TORTURE_SKIP result will overwrite the
TORTURE_FAIL result, and the overall outcome will be successful.

To avoid this, we now arrange possible outcomes in order of priority,
and ensure we always keep the higher priority one.

This reveals some failing tests.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:32 +00:00
Joseph Sutton
894500b670 pyldb: Handle allocation failure
If we don't check for NULL after each loop iteration, the failure could
be masked in the next iteration by talloc_asprintf_append() allocating
on the NULL context. That could result in values getting lost.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
6ef23456c3 ldb: Avoid undefined pointer arithmetic
Computing a pointer that points outside of an array, and not to one past
the last element, is undefined behaviour. To avoid this, do our
comparisons in terms of lengths, not pointers.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
aedbee5fd2 ldb: Fix function documentation to be consistent
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
0ff26aa0c5 ldb: Don't wrongly claim to return message elements
If the LDB_UNPACK_DATA_FLAG_NO_ATTRS flag is set, we don't return any
elements, so we should set num_elements accordingly. This ensures
callers don't try to access elements that aren't there.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
cb3c344a64 ldb: Remove misleading comment
That an attribute has been access checked doesn't mean that the user has
the right to view it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
3d935fdcb9 ldb: Remove old misleading comments
Commit bed9efa6cd introduced
ldb_msg_add_linearized_dn() to replace ldb_msg_add_dn(), but retained
the now-incorrect associated comment. The comment later made its way
into a function added later by commit 'CVE-2022-32746 ldb: Add functions
for appending to an ldb_message'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
064d8a3d12 talloc: Remove unneeded va_copy()
We don't use 'ap' again after this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
90a042e9a9 talloc: Put comment back in appropriate place
This comment originally referred, not to a va_copy() call, but to the
use of &c with vsnprintf() rather than passing in NULL with a length of
zero.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Andreas Schneider
ad7418d23f lib:replace: Fix snprintf of rep_inet_ntop()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 11 10:08:54 UTC 2023 on atb-devel-224
2023-04-11 10:08:54 +00:00
Andreas Schneider
f1209a7a15 lib:replace: Fix code spelling
Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-11 09:06:36 +00:00
Andreas Schneider
8c32a475e4 lib:pthreadpool: Fix code spelling
Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-11 09:06:36 +00:00
Andreas Schneider
25e1987e15 lib:param: Fix code spelling
Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-11 09:06:36 +00:00
Andreas Schneider
4b12dc1fb5 lib:messaging: Fix code spelling
Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-11 09:06:36 +00:00
Andreas Schneider
5e9bfcf4b2 lib:ldb: Fix code spelling
Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-11 09:06:35 +00:00
Andrew Bartlett
83fe7a0316 lib/util: Add "debug syslog format = always", which logs to stdout in syslog style
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
e5ef368fb6 lib:ldb:tests: Fix signedness build error
lib/ldb/tests/ldb_filter_attrs_in_place_test.c:836:55: error: pointer
targets in passing argument 1 of ‘_assert_string_equal’ differ in
signedness [-Werror=pointer-sign]
  836 |         assert_string_equal(msg->elements[0].values[0].data,
      |                                                       ^
      |                                                       |
      |                                                       uint8_t * {aka unsigned char *}

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Rob van der Linde
b74b9f4b06 CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  5 03:08:51 UTC 2023 on atb-devel-224
2023-04-05 03:08:51 +00:00
Joseph Sutton
d2bbb47a7c ldb: Use correct member of union
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
dfe7b05730 CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to operate on this request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
9b8dd83fd0 CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes
The chain for transitive evaluation does consider ACLs, avoiding the disclosure of
confidential information.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
f6e93e2b3d CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00