1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

128953 Commits

Author SHA1 Message Date
Andreas Schneider
994464eee2 s3:utils: Fix stack smashing in net offlinejoin
Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka
'unsigned long *') increases required alignment from 4 to 8

==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8
WRITE of size 8 at 0x7ffdc6784fc0 thread T0
    #0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220
    #1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245
    #2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267
    #3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74
    #4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453
    #5 0x563631fe8a9f in main ../../source3/utils/net.c:1358
    #6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381
    #8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit ef8c8ac54c)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Dec  6 12:02:00 UTC 2022 on sn-devel-184
2022-12-06 12:02:00 +00:00
Ralph Boehme
885e3fc12d smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories
Cf MS-FSA 2.1.5.14.2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 28 10:14:12 UTC 2022 on sn-devel-184

(cherry picked from commit 535a08dfc4)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Dec  5 11:03:30 UTC 2022 on sn-devel-184
2022-12-05 11:03:30 +00:00
Ralph Boehme
8c2f27d442 torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fdb19ce8aa)
2022-12-05 10:11:17 +00:00
Stefan Metzmacher
7edddbc684 CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Nov 23 15:58:56 UTC 2022 on sn-devel-184
2022-11-23 15:58:56 +00:00
Noel Power
33f74aea5d nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 16 19:29:21 UTC 2022 on sn-devel-184

(cherry picked from commit f6284877ce)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Nov 23 13:52:37 UTC 2022 on sn-devel-184
2022-11-23 13:52:37 +00:00
Jeremy Allison
399522d048 nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t, not try and embedd it directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Nov 16 15:09:45 UTC 2022 on sn-devel-184

(cherry picked from commit 7cb5040551)
2022-11-23 12:43:15 +00:00
Andreas Schneider
b11ceb58fe s3:rpc_server: Fix include directive substitution when enumerating shares
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit f03665bb7e)
(cherry picked from commit 2b643c17d486ecbd0b46a9f31aeb3593ad19e464)
2022-11-23 12:43:15 +00:00
Andreas Schneider
ef39898066 s3:tests: Add substitution test for listing shares
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit c213ead8c4)
(cherry picked from commit 8f1ba9193b0a11a320754cfbde2ab42b68d61ad4)
2022-11-23 12:43:15 +00:00
Andreas Schneider
5ade6d20f3 s3:tests: Add substitution test for include directive
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(backported from commit ce3d27a9f5)
2022-11-23 12:43:15 +00:00
Stefan Metzmacher
450dd63bdf lib/replace: fix memory leak in snprintf replacements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15230

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Nov  9 11:18:02 UTC 2022 on sn-devel-184

(cherry picked from commit 76adda9d2f)
2022-11-23 12:43:15 +00:00
Jule Anger
83da21f429 VERSION: Bump version up to Samba 4.16.8...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
2022-11-15 15:55:35 +01:00
Jule Anger
722abdcf35 samba: tag release samba-4.16.7
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmNzpVsACgkQqplEL7aA
 tiDKVBAAsFoRwB7QKhq05IRkV74uQ+WlCBmzgcn7zv5fLn/9wRGMRZNTHpDql1S7
 njP+oPkCBgELR91ivuBXHlBojRllZIxzT0wSh7nk5tK1udV0AnNnCU3unF/rAfM1
 K6F/u4+7qU4ivYSs+kYawmeIz16jhhanxS3aZEBLc1dCLefwPS66KToM0h5TbUVR
 UTJBUHbLeaYzw9glxYKmAYqT+fP8s3BI1BSLcp+7t3NfmZiLU1bqh8mKLwnZlpfx
 9nt0wz3PZDjvZNBHNWn9ZJZfgrgMq2YuSsqnScYvf0zcotqooIt93TOoxvAMe7mf
 50NWP0roMbDj7cTwrQQBYz9duMnmps3FMGMpO15BTvGTDFCG3tb7qwzQICLBuyAk
 quXZ4EPuUQoUgL381tK294ElH3ETvFLrvl0KcGGjVhwQqHcFUPpyQ0uGLtXrqZEm
 fMI2QJGo4iBuJEBmB78+KY6aFpc75k+MaCr6Y5IKo10H4Edjv7Y6CDgKCShKyJCW
 cWvptn8UyVKuUtQX8abuQ6A5oe5+YUgW9uGP52Pcb5OdiWMPT67aOPSbcLLCd9Ws
 4YusPBkgWWjcrjZeRxOrkk/QLVM/QrORFRJiUOrkQy3C3gBCaSpJjlEI+uX9WU5D
 pCKWLtS+49kZ4xcG55q+wFKBaLAyxf8xKxTUeiOJ49dgg7/dGlE=
 =vwwy
 -----END PGP SIGNATURE-----

Merge tag 'samba-4.16.7' into v4-16-test

samba: tag release samba-4.16.7

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-11-15 15:54:55 +01:00
Jule Anger
fc0f1090f4 VERSION: Disable GIT_SNAPSHOT for the 4.16.7 release.
Signed-off-by: Jule Anger <janger@samba.org>
2022-11-15 15:41:09 +01:00
Jule Anger
2e1f66e3d9 WHATSNEW: Add release notes for Samba 4.16.7.
Signed-off-by: Jule Anger <janger@samba.org>
2022-11-15 15:41:09 +01:00
Joseph Sutton
a8ef840d43 CVE-2022-42898 third_party/heimdal: PAC parse integer overflows
Catch overflows that result from adding PAC_INFO_BUFFER_SIZE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203

Heavily edited by committer Nico Williams <nico@twosigma.com>, original by
Joseph Sutton <josephsutton@catalyst.net.nz>.

Signed-off-by: Nico Williams <nico@twosigma.com>

[jsutton@samba.org Zero-initialised header_size in krb5_pac_parse() to
 avoid a maybe-uninitialized error; added a missing check for ret == 0]
2022-11-15 15:41:08 +01:00
Jule Anger
b403ae70a0 VERSION: Bump version up to Samba 4.16.7...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
(cherry picked from commit c2095819c3)
2022-11-15 15:41:08 +01:00
Volker Lendecke
b57c2bb472 heimdal: Fix the 32-bit build on FreeBSD
REF: https://github.com/heimdal/heimdal/pull/1004
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15220

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ab4c7bda8d)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Nov  8 14:09:47 UTC 2022 on sn-devel-184
2022-11-08 14:09:47 +00:00
Joseph Sutton
eeea6587e9 third_party/heimdal: Introduce macro for common plugin structure elements
Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
it, doesn't work on 32-bit builds due to structure fields being arranged
in the wrong order. This problem presents itself in the form of
segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
builds thanks to extra structure padding absorbing the errant fields.

This commit reorders the HDB plugin structure fields to prevent crashes
and introduces a common macro to ensure every plugin presents a
consistent interface.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 074e928497)
2022-11-08 13:11:15 +00:00
Jeremy Allison
618395a7ea s3: libsmbclient: Fix smbc_stat() to return ENOENT on a non-existent file.
Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15195

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

(backported from commit fd0c01da1c)

jra@samba.org: Older SMBC_getatr returns bool not NTSTATUS.

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Oct 31 15:31:53 UTC 2022 on sn-devel-184
2022-10-31 15:31:53 +00:00
Jeremy Allison
efa48817d3 s4: torture: libsmbclient: Add a torture test to ensure smbc_stat() returns ENOENT on a non-existent file.
Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15195

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
(cherry picked from commit 9eda432836)
2022-10-31 14:30:09 +00:00
Stefan Metzmacher
f7a84cffe9 s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time
If the client is not able to receive the results within connections idle
time, then we should treat it as dead. It's value is 15 minutes (900 s)
by default.

In order to limit that further an admin can use 'socket options'
and set TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and/or TCP_USER_TIMEOUT
to useful values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 19 17:13:39 UTC 2022 on sn-devel-184

(cherry picked from commit eb2f352603)
2022-10-31 14:30:09 +00:00
Stefan Metzmacher
bc16a8abe3 lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler()
There were some reports that strace output an LDAP server socket is in
CLOSE_WAIT state, returning EAGAIN for writev over and over (after a call to
epoll() each time).

In the tstream_bsd code the problem happens when we have a pending
writev_send, while there's no readv_send pending. In that case
we still ask for TEVENT_FD_READ in order to notice connection errors
early, so we try to call writev even if the socket doesn't report TEVENT_FD_WRITE.
And there are situations where we do that over and over again.

It happens like this with a Linux kernel:

    tcp_fin() has this:
        struct tcp_sock *tp = tcp_sk(sk);

        inet_csk_schedule_ack(sk);

        sk->sk_shutdown |= RCV_SHUTDOWN;
        sock_set_flag(sk, SOCK_DONE);

        switch (sk->sk_state) {
        case TCP_SYN_RECV:
        case TCP_ESTABLISHED:
                /* Move to CLOSE_WAIT */
                tcp_set_state(sk, TCP_CLOSE_WAIT);
                inet_csk_enter_pingpong_mode(sk);
                break;

It means RCV_SHUTDOWN gets set as well as TCP_CLOSE_WAIT, but
sk->sk_err is not changed to indicate an error.

    tcp_sendmsg_locked has this:
    ...
        err = -EPIPE;
        if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
                goto do_error;

        while (msg_data_left(msg)) {
                int copy = 0;

                skb = tcp_write_queue_tail(sk);
                if (skb)
                        copy = size_goal - skb->len;

                if (copy <= 0 || !tcp_skb_can_collapse_to(skb)) {
                        bool first_skb;

    new_segment:
                        if (!sk_stream_memory_free(sk))
                                goto wait_for_space;

    ...

    wait_for_space:
                set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
                if (copied)
                        tcp_push(sk, flags & ~MSG_MORE, mss_now,
                                 TCP_NAGLE_PUSH, size_goal);

                err = sk_stream_wait_memory(sk, &timeo);
                if (err != 0)
                        goto do_error;

It means if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN)) doesn't
hit as we only have RCV_SHUTDOWN and sk_stream_wait_memory returns
-EAGAIN.

    tcp_poll has this:

        if (sk->sk_shutdown & RCV_SHUTDOWN)
                mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP;

So we'll get EPOLLIN | EPOLLRDNORM | EPOLLRDHUP triggering
TEVENT_FD_READ and writev/sendmsg keeps getting EAGAIN.

So we need to always clear TEVENT_FD_READ if we don't
have readable handler in order to avoid burning cpu.
But we turn it on again after a timeout of 1 second
in order to monitor the error state of the connection.

And now that our tsocket_bsd_error() helper checks for POLLRDHUP,
we can check if the socket is in an error state before calling the
writable handler when TEVENT_FD_READ was reported.
Only on error we'll call the writable handler, which will pick
the error without calling writev().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e232ba946f)
2022-10-31 14:30:09 +00:00
Stefan Metzmacher
aeb7dd2ca8 lib/tsocket: remember the first error as tstream_bsd->error
If we found that the connection is broken, there's no point
in trying to use it anymore, so just return the first error we detected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4c7e2b9b60)
2022-10-31 14:30:09 +00:00
Stefan Metzmacher
d8d5146d16 lib/tsocket: check for errors indicated by poll() before getsockopt(fd, SOL_SOCKET, SO_ERROR)
This also returns an error if we got TCP_FIN from the peer,
which is only reported by an explicit POLLRDHUP check.

Also on FreeBSD getsockopt(fd, SOL_SOCKET, SO_ERROR) fetches
and resets the error, so a 2nd call no longer returns an error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 29a65da63d)
2022-10-31 14:30:09 +00:00
Stefan Metzmacher
119bf60998 lib/tsocket: split out tsocket_bsd_error() from tsocket_bsd_pending()
This will be used on its own soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 9950efd83e)
2022-10-31 14:30:08 +00:00
Andrew Bartlett
c805ccba33 lib/tsocket: Add tests for loop on EAGAIN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f0fb8b9508)
2022-10-31 14:30:08 +00:00
Jule Anger
c2095819c3 VERSION: Bump version up to Samba 4.16.7...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
2022-10-25 11:56:55 +02:00
Jule Anger
a901109313 samba: tag release samba-4.16.6
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmNWba0ACgkQqplEL7aA
 tiAj2w/8DgIpsNJSFaUM/yjCPc3brNMFmr1ljBDWIqDOuAuYmx+wBsrPsLaewalp
 0O99kP8Tcsqanwc0HQ+SJcCuprCsxk2qQCMz3SdjSr/lpdDjaIZTAf8ycb1BtjQ3
 U7LxAU7Rv0pmlH277HS6aZAPd1iHWOhUpZpFMZsECOHJLVjdIghXW+x8SDEPl41Y
 ulogbEj7xebJk62N2Z4HrbxlSsoPtPtKSRAytstclnDf4+QSK2pIO2magobsA5q9
 V0z7k7E+8qp/nWiTG2g1hkozZjUVV3UfvOOXmPnr2JatXFblr3Id1gTIRjrPqK2L
 UvQu1r4idA4IWmnbyYldqu7SeQuRtnXHWNa1RVoVa8K5vO6NlhgyfZdLxDFlxO4b
 hKCFV6CvYs2+gDH1Ir7mQc/dV0LUAIUmRdBGwX8BUidyOgYIuoXgyWJAIVKdBGQX
 U9WA3fCS3jPM9RNgeNZMY0RRBmuTVjH/uJA22MEeBfdOKD/iqdt4O9RboC5NlrdS
 s72tiECST6dItBEc5EDTa7jtTd5tQyZkXjhvBLn7DIND0Kdes93u8HCazi74HhRK
 Sq8nbwuadxmGoBEPiISBoxK4fkWucHTRtOgISMfuhqHHug1WCOiHf2Q1IYANKlW0
 rcfC1x2LhTnb1TeRukOfzvXriAksOEhvcTG/HnJolWFZvfwnrgY=
 =bBex
 -----END PGP SIGNATURE-----

Merge tag 'samba-4.16.6' into v4-16-test

samba: tag release samba-4.16.6

Signed-off-by: Jule Anger <janger@samba.org>
2022-10-25 11:55:25 +02:00
Jule Anger
dc74e56c03 VERSION: Disable GIT_SNAPSHOT for the 4.16.6 release.
Signed-off-by: Jule Anger <janger@samba.org>
2022-10-24 12:44:57 +02:00
Jule Anger
620698353b WHATSNEW: Add release notes for Samba 4.16.6.
Signed-off-by: Jule Anger <janger@samba.org>
2022-10-24 12:26:09 +02:00
Joseph Sutton
5c31d5beb3 CVE-2022-3437 third_party/heimdal: Pass correct length to _gssapi_verify_pad()
We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.

Now we properly constrain the value of padlength so underflow shouldn't
be possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
22dd9072c9 CVE-2022-3437 third_party/heimdal: Check for overflow in _gsskrb5_get_mech()
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
d16ac1f405 CVE-2022-3437 third_party/heimdal: Check buffer length against overflow for DES{,3} unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
de77f01598 CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()
We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
e1c2e2836e CVE-2022-3437 third_party/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()
By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.

In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.

That would be undefined behaviour.

The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
c944773adc CVE-2022-3437 third_party/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
9ca9408c5e CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() in unwrap_des3()
The surrounding checks all use ct_memcmp(), so this one was presumably
meant to as well.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
e3c314ed69 CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() for arcfour unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
03eefa45d3 CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
c5dd87f488 CVE-2022-3437 third_party/heimdal_build: Add gssapi-subsystem subsystem
This allows us to access (and so test) functions internal to GSSAPI by
depending on this subsystem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Joseph Sutton
0eaa68d193 CVE-2022-3437 third_party/heimdal: Remove __func__ compatibility workaround
As described by the C standard, __func__ is a variable, not a macro.
Hence this #ifndef check does not work as intended, and only serves to
unconditionally disable __func__. A nonoperating __func__ prevents
cmocka operating correctly, so remove this definition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-24 07:27:37 +02:00
Stefan Metzmacher
c28d971b12 s4:messaging: let imessaging_client_init() use imessaging_init_discard_incoming()
imessaging_client_init() is for temporary stuff only, so we should drop
(unexpected) incoming messages unless we expect irpc responses.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct 13 13:32:30 UTC 2022 on sn-devel-184

(cherry picked from commit 266bcedc18)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Oct 19 09:45:53 UTC 2022 on sn-devel-184
2022-10-19 09:45:53 +00:00
Stefan Metzmacher
04d0d5a036 s3:auth_samba4: make use of imessaging_init_discard_incoming()
Otherwise we'll generate a memory leak of imessaging_post_state/
tevent_immediate structures per incoming message!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 32df5e4961)
2022-10-19 08:39:17 +00:00
Stefan Metzmacher
6ba44033e3 s4:messaging: add imessaging_init_discard_incoming()
We often create imessaging contexts just for sending messages,
but we'll never process incoming messages because a temporary event
context was used and we just queue a lot of imessaging_post_state
structures with immediate events.

With imessaging_init_discard_incoming() we'll discard any incoming messages
unless we have pending irpc requests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a120fb1c72)
2022-10-19 08:39:17 +00:00
Noel Power
4d7e31b981 s3/utils: check result of talloc_strdup
follow to commit 4b15d8c2a5

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct 17 19:49:37 UTC 2022 on sn-devel-184

(cherry picked from commit 0326549a05)
2022-10-19 08:39:17 +00:00
Noel Power
9a18da112c s3/utils: Check return of talloc_strdup
followup to e82699fcca

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 972127dadd)
2022-10-19 08:39:17 +00:00
Noel Power
e69d2b3f9d s3/param: Check return of talloc_strdup
followup to commit ff003fc87b

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 19eb88bc53)
2022-10-19 08:39:17 +00:00
Noel Power
7480f9c01d s4/lib/registry: Fix use after free with popt 1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==6357== Command: ./bin/regpatch file
==6357==
Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it
==6357== Syscall param openat(filename) points to unaddressable byte(s)
==6357==    at 0x4BFE535: open (in /usr/lib64/libc.so.6)
==6357==    by 0x4861432: reg_diff_load (patchfile.c:345)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
Error reading registry patch file `file'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184

(cherry picked from commit 7e0e3f47cd)
2022-10-19 08:39:17 +00:00
Noel Power
5383d625cb s3/utils: Fix use after free with popt 1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==6055== Command: ./bin/testparm /etc/samba/smb.conf
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4C44DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4C44DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab72 is 2 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
Load smb config files from /etc/samba/smb.conf
==6055== Invalid read of size 1
==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 8
==6055==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 2
==6055==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 8
==6055==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 2
==6055==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4b15d8c2a5)
2022-10-19 08:39:17 +00:00
Noel Power
4b35fa3f85 s3/utils: Fix use after free with popt 1.19
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==5914== Invalid read of size 1
==5914==    at 0x4FDF740: strlcpy (in /usr/lib64/libbsd.so.0.11.6)
==5914==    by 0x49E09A9: tdbsam_getsampwnam (pdb_tdb.c:583)
==5914==    by 0x49D94E5: pdb_getsampwnam (pdb_interface.c:340)
==5914==    by 0x10DED1: print_user_info (pdbedit.c:372)
==5914==    by 0x111413: main (pdbedit.c:1324)
==5914==  Address 0x73b6750 is 0 bytes inside a block of size 7 free'd
==5914==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5914==    by 0x4C508B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5914==    by 0x4C515D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5914==    by 0x1113E6: main (pdbedit.c:1323)
==5914==  Block was alloc'd at
==5914==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5914==    by 0x4C522EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5914==    by 0x110AE5: main (pdbedit.c:1137)
==5914==

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e82699fcca)
2022-10-19 08:39:17 +00:00