1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

129141 Commits

Author SHA1 Message Date
Joseph Sutton
6519d1d8fa CVE-2023-0614 ldb:tests: Ensure all tests are accounted for
Add ldb_filter_attrs_test to the list of tests so that it actually gets
run.

Remove a duplicate ldb_msg_test that was accidentally added in commit
5ca90e758a.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 10:03:38 +01:00
Joseph Sutton
7153af801e CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated
If the value of an ldb message element is not zero-terminated, calling
ldb_msg_find_attr_as_string() will cause the function to read off the
end of the buffer in an attempt to verify that the value is
zero-terminated. This can cause unexpected behaviour and make the test
randomly fail.

To avoid this, we must have a terminating null byte that is *not*
counted as part of the length, and so we must calculate the length with
strlen() rather than sizeof.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 10:03:37 +01:00
Joseph Sutton
c3419c288c CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 10:03:37 +01:00
Joseph Sutton
0f8a334450 CVE-2023-0614 ldb: Add functions for handling inaccessible message elements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 10:03:37 +01:00
Joseph Sutton
9469c41895 CVE-2023-0614 s4-acl: Make some parameters const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Adapted to code without newer
 acl_check_access_on_attribute_implicit_owner name]
2023-03-20 10:03:37 +01:00
Joseph Sutton
c91b81ecc9 CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
It is better to explicitly abort than to dereference a NULL pointer or
try to read data cast to the wrong type.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 10:03:37 +01:00
Joseph Sutton
26b79d2749 CVE-2023-0614 libcli/security: Make some parameters const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Updated to add const to sec_access_check_ds()
instead of the sec_access_check_ds_implicit_owner() wrapper
found in 4.18 and later]
2023-03-20 10:03:37 +01:00
Andrew Bartlett
8712a2dc97 CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects
This changes the slow aspect to be the object matching not the filter parsing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-03-20 10:03:37 +01:00
Andrew Bartlett
bf7b9d9d5e CVE-2023-0614 selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time
This reduces the elapsed time to 6m from 20m on my laptop.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15332
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 14 07:16:04 UTC 2023 on atb-devel-224

(cherry picked from commit b4a6c054ec)

[abartlet@samba.org Included in the security release as this
 makes working on the large_ldap test practical by reducing
 the elapsed time taken]
2023-03-20 10:03:37 +01:00
Andrew Bartlett
ae3d273794 CVE-2023-0614 lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate
The value can be quite large, the allocation will take much
longer than the actual match and is repeated per candidate
record.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15331
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit cad96f59a0)

[abartlet@samba.org Included in the security release as this
 makes the new large_ldap.py timeout test more reliable]
2023-03-20 10:03:37 +01:00
Jule Anger
f2461834bb VERSION: Bump version up to Samba 4.16.10...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
2023-02-16 17:30:41 +01:00
Jule Anger
63f92a37f0 VERSION: Disable GIT_SNAPSHOT for the 4.16.9 release.
Signed-off-by: Jule Anger <janger@samba.org>
2023-02-16 17:30:12 +01:00
Jule Anger
f50ab3415c WHATSNEW: Add release notes for Samba 4.16.9.
Signed-off-by: Jule Anger <janger@samba.org>
2023-02-16 17:28:06 +01:00
Ralph Boehme
2b1d412f55 mdssvc: fix kMDScopeArray parsing
In macOS Ventura marshalling of kMDScopeArray in the "openQueryWithParams"
request has changed from

  string: kMDScopeArray
  sl_array_t(#1): {
    string: /foo/bar
  }

to:

  string: kMDScopeArray
  sl_array_t(#1): {
    sl_array_t(#1): {
      string: /foo/bar
    }
  }

With this patch we check both encodings. Bug fixed according to user feedback.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15299
RN: Spotlight doesn't work with latest macOS Ventura

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 1dd0cd2f4e)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Fri Feb 10 12:15:02 UTC 2023 on sn-devel-184
2023-02-10 12:15:02 +00:00
Andrew Walker
eddd14cedb lib/replace - add extra check to bsd_attr_list
The FreeBSD extattr API may return success and truncated
namelist. We need to check for this in bsd_attr_list to
ensure that we don't accidentally read off the end of the
buffer. In the case of a truncated value, the pascal
strings for attr names will reflect the lengths as if
the value were not truncated. For example:
`58DosStrea`

In case of short read we now set error to ERANGE and
fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15271

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jan  2 14:27:23 UTC 2023 on sn-devel-184

(cherry picked from commit 01cdc5e00b)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jan 23 10:59:28 UTC 2023 on sn-devel-184
2023-01-23 10:59:28 +00:00
Jeremy Allison
1189604995 s3: smbd: Always use metadata_fsp() when processing fsctls.
Currently all fsctls we implement need the base fsp, not
an alternate data stream fsp. We may revisit this later
if we implement fsctls that operate on an ADS.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15236

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Walker <awalker@ixsystems.com>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 14 18:13:31 UTC 2022 on sn-devel-184

(cherry picked from commit fa4eba131b)
2023-01-23 10:01:59 +00:00
Jeremy Allison
c6733cbe87 s3: smbd: Add test to show smbd crashes when doing an FSCTL on a named stream handle.
Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15236

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit abc4495e45)
2023-01-23 10:01:59 +00:00
Stefan Metzmacher
44ec3e4f29 s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e27084f5d8c3a151c5d0b266118f0d71b641dc85)
2023-01-23 10:01:59 +00:00
Samuel Cabrero
02e56ac1bb CVE-2022-38023 s3:rpc_server/netlogon: Avoid unnecessary loadparm_context allocations
After s3 and s4 rpc servers merge the loadparm_context is available in
the dcesrv_context structure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan  9 15:17:14 UTC 2023 on sn-devel-184

(cherry picked from commit 56837f3d31)
2023-01-23 10:01:59 +00:00
Samuel Cabrero
3e7bbe047f CVE-2022-38023 docs-xml/smbdotconf: The "server schannel require seal[:COMPUTERACCOUNT]" options are also honoured by s3 netlogon server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 02fba22b8c)
2023-01-23 10:01:59 +00:00
Samuel Cabrero
5590057775 CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel require seal"
By default we'll now require schannel connections with privacy/sealing/encryption.

But we allow exceptions for specific computer/trust accounts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a0b97e2623)
2023-01-23 10:01:59 +00:00
Samuel Cabrero
7f4f9a3277 CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
Some checks are also required for _netr_LogonSamLogonEx().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ca07f4340c)
2023-01-23 10:01:59 +00:00
Samuel Cabrero
080ff2cd28 CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check()
After s3 and s4 rpc servers merge we can avoid duplicated code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 25300d354c)
2023-01-23 10:01:59 +00:00
Samuel Cabrero
0d27e4b459 CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check functions to librpc
Will be used later by s3 netlogon server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 121e7b0e39)
2023-01-23 10:01:59 +00:00
Samuel Cabrero
538dcc38fa CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyle
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit d9e6b490db)
2023-01-23 10:01:59 +00:00
Samuel Cabrero
71b22920a6 CVE-2022-38023 selftest:Samba3: avoid global 'server schannel = auto'
Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests for pass.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3cd18690f8)
2023-01-23 10:01:59 +00:00
Samuel Cabrero
cc787d0bec CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
Follow s4 netlogon server changes and move the checks to the RPC bind
hook. Next commits will remove the s3 netr_creds_server_step_check()
function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8141eae47a)
2023-01-23 10:01:59 +00:00
Jeremy Allison
7b49569afc s4: libcli: Ignore errors when getting A records after fetching AAAA records.
The target may only be available over IPv6.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15226

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov  9 20:34:07 UTC 2022 on sn-devel-184

(cherry picked from commit 10537a89bb)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jan 16 10:47:49 UTC 2023 on sn-devel-184
2023-01-16 10:47:49 +00:00
Jeremy Allison
627a9886da s3: smbd: In synthetic_pathref() change DBG_ERR -> DBG_NOTICE to avoid spamming the logs.
Can easily be seen by doing make test TESTS=fruit
and looking in st/nt4_dc/smbd_test.log.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15210

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 16 06:00:56 UTC 2022 on sn-devel-184

(cherry picked from commit f0ca954610)
2023-01-16 09:40:17 +00:00
Jeremy Allison
e5e39bbc77 s3: smbd: Cause SMB2_OP_FLUSH to go synchronous in a compound anywhere but the last operation in the list.
Async read and write go synchronous in the same case,
so do the same here.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Nov 17 05:55:42 UTC 2022 on sn-devel-184

(cherry picked from commit 26adf33443)
2023-01-16 09:40:17 +00:00
Jeremy Allison
bfadcc893e s3: smbd: Add utility function smbd_smb2_is_last_in_compound().
Not yet used. Returns true if we're processing the last SMB2 request in a
compound.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e668c3a82c)
2023-01-16 09:40:17 +00:00
Jeremy Allison
9b357c947f s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_FLUSH test to smb2.compound_async.
Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_FLUSH
compound if we immediately close the file afterward.

Internally the flushes go async and we free the req, then
we process the close. When the flushes complete they try to access
already freed data.

Extra test which will allow me to test when the final
component (flush) of the compound goes async and returns
NT_STATUS_PENDING.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 6f149dfd9d)
2023-01-16 09:40:17 +00:00
Jeremy Allison
c9ed55b39e s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_CLOSE test to smb2.compound_async.
Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_CLOSE
compound. Internally the flush goes async and
we free the req, then we process the close.
When the flush completes it tries to access
already freed data.

Found using the Apple MacOSX client at SNIA SDC 2022.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(back-ported from commit 17a110c1b5)
2023-01-16 09:40:17 +00:00
Andrew Walker
d7bcdfa6b8 nsswitch:libwbclient - fix leak in wbcCtxPingDc2
Memory allocated for response is never freed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15164

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep  6 20:10:17 UTC 2022 on sn-devel-184

(cherry picked from commit aa9f3a2da9)
2023-01-16 09:40:17 +00:00
Jeremy Allison
113536e0d7 s3: libsmbclient: Fix smbc_getxattr() to return 0 on success.
Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14808

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov  1 18:31:22 UTC 2022 on sn-devel-184

(cherry picked from commit bdbb38d16c)
2023-01-16 09:40:17 +00:00
Jeremy Allison
628a1c3382 s4: torture: Show return value for smbc_getxattr() is incorrect (returns >0 for success, should return zero).
Add torture test to show smbc_getxattr() should return -1 on
failure, 0 on success.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14808

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit 74636dfe24)
2023-01-16 09:40:17 +00:00
Stefan Metzmacher
a1fa2c18e5 s4:lib/messaging: fix interaction between imessaging_context_destructor and irpc_destructor
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15280

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0d09693119)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Fri Jan 13 10:31:22 UTC 2023 on sn-devel-184
2023-01-13 10:31:22 +00:00
Stefan Metzmacher
6434e2df11 s3:rpc_server/srvsvc: make sure we (re-)load all shares as root.
This fixes a regression in commit f03665bb7e

The use of reload_services() has a lot of side effects, e.g. reopen of
log files and other things, which are only useful in smbd, but not in rpcd_classic.
It was also unloading the user and registry shares we loaded a few lines
above.

We need to do all (re-)loading as root, otherwise we won't be able
to read root only smb.conf files, access registry shares, ...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Walker <awalker@ixsystems.com>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 29 21:14:02 UTC 2022 on sn-devel-184

(cherry picked from commit f28553105b)
2023-01-13 09:27:09 +00:00
Stefan Metzmacher
ccb8abb0e7 selftest: add samba3.blackbox.registry_share
This demonstrates the regression introduced by
f03665bb7e, where
registry shares are no longer listed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Walker <awalker@ixsystems.com>
(cherry picked from commit a00c7395fb)
2023-01-13 09:27:09 +00:00
Volker Lendecke
cf2643e020 testprogs: Add testit_grep_count() helper
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 55feb59301)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266
2023-01-13 09:27:09 +00:00
Andreas Schneider
6c5bc77653 testprogs: Reformat subunit.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/subunit.sh

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
(cherry picked from commit 561e925655)
2023-01-13 09:27:09 +00:00
Andreas Schneider
78848f21a3 s3:client: Fix a use-after-free issue in smbclient
Detected by

    make test TESTS="samba3.blackbox.chdir-cache"

with an optimized build or with AddressSanitizer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15268

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 9c707b4be2)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Jan  3 19:19:57 UTC 2023 on sn-devel-184
2023-01-03 19:19:57 +00:00
Andreas Schneider
eeeb1a476f s3:script: Improve test_chdir_cache.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15268

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0d1961267c)
2023-01-03 18:21:10 +00:00
Andreas Schneider
4f9430f126 s3:tests: Reformat test_chdir_cache.sh
shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-01-03 18:21:10 +00:00
Andrew Walker
810ae90aa6 s3:params:lp_do_section - protect against NULL deref
iServiceIndex may indicate an empty slot in the ServicePtrs
array. In this case, lpcfg_serivce_ok(ServicePtrs[iServiceIndex])
may trigger a NULL deref and crash. Skipping the check
here will cause a scan of the array in add_a_service() and the
NULL slot will be used safely.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15267

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 20 18:49:54 UTC 2022 on sn-devel-184

(cherry picked from commit 5b19288949)
2023-01-03 18:21:10 +00:00
Andrew
b9d02e857b rpc_server:srvsvc - retrieve share ACL via root context
share_info.tdb has permissions of 0o600 and so we need
to become_root() prior to retrieving the security info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15265

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec 19 20:41:15 UTC 2022 on sn-devel-184

(cherry picked from commit 80c0b41689)
2023-01-03 18:21:10 +00:00
Volker Lendecke
104fcaa89f ctdb: Fix a use-after-free in run_proc
If you happen to talloc_free(run_ctx) before all the tevent_req's
hanging off it, you run into the following:

==495196== Invalid read of size 8
==495196==    at 0x10D757: run_proc_state_destructor (run_proc.c:413)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x48538B1: tevent_req_received (tevent_req.c:293)
==495196==    by 0x4853429: tevent_req_destructor (tevent_req.c:129)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x4890AF6: _tc_free_children_internal (talloc.c:1669)
==495196==    by 0x488F967: _tc_free_internal (talloc.c:1184)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd
==495196==    at 0x48399AB: free (vg_replace_malloc.c:538)
==495196==    by 0x488FB25: _tc_free_internal (talloc.c:1222)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10D315: run_proc_context_destructor (run_proc.c:329)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Block was alloc'd at
==495196==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==495196==    by 0x488EAD9: __talloc_with_prefix (talloc.c:783)
==495196==    by 0x488EC73: __talloc (talloc.c:825)
==495196==    by 0x488F0FC: _talloc_named_const (talloc.c:982)
==495196==    by 0x48925B1: _talloc_zero (talloc.c:2421)
==495196==    by 0x10C8F2: proc_new (run_proc.c:61)
==495196==    by 0x10D4C9: run_proc_send (run_proc.c:381)
==495196==    by 0x10DDF6: main (run_proc_test.c:79)

This happens because run_proc_context_destructor() directly does a
talloc_free() on the struct proc_context's and not the enclosing
tevent_req's. run_proc_kill() makes sure that we don't follow
proc->req, but it forgets the "state->proc", which is free()'ed, but
later dereferenced in run_proc_state_destructor().

This is an attempt at a quick fix, I believe we should convert
run_proc_context->plist into an array of tevent_req's, so that we can
properly TALLOC_FREE() according to the "natural" hierarchy and not
just pull an arbitrary thread out of that heap.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15269

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Oct  6 15:10:20 UTC 2022 on sn-devel-184

(cherry picked from commit 688be0177b)
2023-01-03 18:21:10 +00:00
Jule Anger
cb4cbfc83f VERSION: Bump version up to Samba 4.16.9...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
2022-12-15 17:04:23 +01:00
Jule Anger
6cc6e233b5 VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release.
Signed-off-by: Jule Anger <janger@samba.org>
2022-12-15 17:03:50 +01:00
Jule Anger
64d7270f28 WHATSNEW: Add release notes for Samba 4.16.8.
Signed-off-by: Jule Anger <janger@samba.org>
2022-12-15 17:03:15 +01:00