1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

122793 Commits

Author SHA1 Message Date
Stefan Metzmacher
4e39e43730 s4:torture: avoid multiple recursions into the test lists
torture_run_suite_restricted() and torture_run_tcase_restricted()
already handle recursion. If we call them from smbtorture
we should avoid our own recursion.

Without this passing 'smb2.multichannel.*' results in running
tests more than once.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 10:30:40 +00:00
Stefan Metzmacher
9025192333 s4:torture: use prefix_name() for all names in run_matching()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 10:30:40 +00:00
Stefan Metzmacher
0e0d89b55c lib/torture: fix subunit names of nested suites
E.g. passing 'smb2.multichannel.generic' to smbtorture results in

- interface_info
- num_channels

While passing 'smb2.multichannel' to smbtorture results in:

- generic.interface_info
- genetic.num_channels
- oplocks.test1
...
- leases.test1
...

Before we got this:

- interface_info
- num_channels
- test1
...
- test1

That made it impossible to add knownfail entries for

leases.test1 vs. oplocks.test1

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 10:30:40 +00:00
Stefan Metzmacher
a4a6c03bf8 lib/torture: add back links to the parent objects
This makes would allow the full name of a test to be constructed
if needed in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 10:30:39 +00:00
Stefan Metzmacher
f6eb56bff2 lib/torture: make torture_subunit_test_name() public
This makes it easier to modify.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 10:30:39 +00:00
Stefan Metzmacher
b7832c2c80 selftest/Samba4: split out _setup_ad_dc()
setup_ad_dc() was used for more than 'ad_dc'.
Setting up 'ad_dc' means not all missing arguments are
passed as undef.

The following had no effect

        if (!defined($conf_opts)) {
                $conf_opts = "";
        }

and $conf_opts results in a string of 'HASH(....)'

So we better pass explicit undef arguments from setup_ad_dc() to
_setup_ad_dc() now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 10:30:39 +00:00
Stefan Metzmacher
2a7317e0b2 s3:wscript: vfs_gpfs needs kernel oplock support
It uses symbols, which are only available if we have
HAVE_KERNEL_OPLOCKS_LINUX defined.

This is not the case when building withing the
Windows Subsystem for Liux (WSL). So we better don't try to
build the vfs_gpfs module there.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul  7 09:37:37 UTC 2020 on sn-devel-184
2020-07-07 09:37:37 +00:00
Stefan Metzmacher
58adf349ed s3:smbd: check for stale pid in delay_for_oplock_fn() when leases_db_get() fails
If leases_db_get() failed the leases_db record might have been cleaned up for
stale processes. Check if the share-mode-entry owner is stale in this case and
return ignore the entry. In any other case, log a debug messages and panic.

Commit 05d4466a6d
"smbd: check for stale pid in get_lease_type()" fixed only one half of
this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul  7 02:47:46 UTC 2020 on sn-devel-184
2020-07-07 02:47:46 +00:00
Stefan Metzmacher
217693682d s3:leases: log errors with level 0 in leases_db_do_locked_fn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-07-07 01:25:49 +00:00
Douglas Bagnall
8bd7669d8d dsdb/password_hash: don't double assign variables (CID 1363048, 1034720)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul  6 13:56:17 UTC 2020 on sn-devel-184
2020-07-06 13:56:17 +00:00
Douglas Bagnall
9199541052 pypidl: check the result of py_dcerpc_ndr_pointer_deref()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-07-06 12:30:33 +00:00
Douglas Bagnall
e78db8a7eb policy/gp: always close a file (CID 1445119)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-07-06 12:30:33 +00:00
Douglas Bagnall
213a8d551d s4/winbind/idmap: check the right variable (CID 1272950)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-07-06 12:30:33 +00:00
Ralph Boehme
05d4466a6d smbd: check for stale pid in get_lease_type()
If leases_db_get() failed the leases_db record might have been cleaned up for
stale processes. Check if the share-mode-entry owner is stale in this case and
return a 0 lease state. In any other case, log a debug messages and panic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul  2 16:45:42 UTC 2020 on sn-devel-184
2020-07-02 16:45:42 +00:00
Ralph Boehme
3f4a865821 smbd: let get_lease_type() take a non-const share_mode_entry
We're going to add a call to share_entry_stale_pid(share_mode_entry) which takes
a non-const pointer (in order to eventually set e->state = true).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-07-02 15:25:32 +00:00
Ralph Boehme
e4328db1c9 smbd: inverse if/else logic in get_lease_type()
No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-07-02 15:25:31 +00:00
Ralph Boehme
383a2457bd s3/leases: log NDR decoding failure with level 0 in leases_db_get_fn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Ralph Boehme <slow@samba.org>
2020-07-02 15:25:31 +00:00
Ralph Boehme
fbb8bbe124 smbd: increase loglevel when leases_db_del() with anything then NT_STATUS_NOT_FOUND
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-07-02 15:25:31 +00:00
Stefan Metzmacher
f3f330f61d s3:smbd: make sure vfs_ChDir() always sets conn->cwd_fsp->fh->fd = AT_FDCWD
This is what all consumers of conn->cwd_fsp->fh->fd expect!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-07-02 15:25:31 +00:00
Stefan Metzmacher
b2b5ae090e s3:smbd: reformat if statement for caching in vfs_ChDir()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-07-02 15:25:31 +00:00
Stefan Metzmacher
bcba4bb210 s4:torture/smb2: add smb2.delete-on-close-perms.BUG14427
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-07-02 15:25:31 +00:00
Andrew
b5b801026e s3:winbind:idmap_ad - make failure to get attrnames for schema mode fatal
Add check for failure to resolve the OID array for the schema mode into
names.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14425

Signed-off-by: Andrew <awalker@ixsystems.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-07-02 15:25:31 +00:00
Ralph Boehme
71488b812f lib/debug: set the correct default backend loglevel to MAX_DEBUG_LEVEL
This fixed a regression introduced by commit
c83ce5f4f9 for bug #14345.

The backend loglevel globally restricts logging of a particular backend. If this
value is smaller then any explicitly configured logging class, logging for this
class is skipped.

Eg, given the following logging config in smb.conf:

  log level = 1 auth_json_audit:3@/var/log/samba/samba_auth_audit.log

the default class loglevel of 1 (dbgc_config[DBGC_ALL].loglevel) will be
assigned to the backend loglevel.

So even though the logging class auth_json_audit is configured at level 3, this
doesn't become effective as the file backend drops all log messages with a level
below 1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14426

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul  2 13:25:29 UTC 2020 on sn-devel-184
2020-07-02 13:25:29 +00:00
Ralph Boehme
5aeaa6959d lib/debug: assert file backend
The debug file backend is a built-in default, if it's missing we're totally
screwed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14426

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-02 12:03:33 +00:00
Volker Lendecke
7082902d56 ldap_client: Make ldap_parse_basic_url() IPv6-address aware
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jul  2 12:01:06 UTC 2020 on sn-devel-184
2020-07-02 12:01:06 +00:00
Volker Lendecke
61bc99362a ldap_client: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-07-02 10:38:34 +00:00
Volker Lendecke
011a2a8295 ldap_client: Make ldap_parse_basic_url take care of ldapi as well
SUSV4's sscanf has the %m modifier, which allocates the right
amount. Remove those SMB_ASSERTS for string buffers.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-07-02 10:38:34 +00:00
Volker Lendecke
9d988ce090 pdb_dsdb: Fix typos
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-07-02 10:38:34 +00:00
Volker Lendecke
9f3d2ba7ee ldb_ldap: Fix a memleak
Don't allocate a temporary value on a long-term context

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-07-02 10:38:34 +00:00
Gary Lockyer
3cc0f1eeda CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
An empty UDP packet put the nbt server into a busy loop that consumes
100% of a cpu.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Jul  2 10:26:24 UTC 2020 on sn-devel-184
2020-07-02 10:26:24 +00:00
Andrew Bartlett
b232a7bc54 CVE-2020-14303 Ensure an empty packet will not DoS the NBT server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-07-02 09:01:41 +00:00
Andrew Bartlett
17fc8d2bfb CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port
This should avoid a regression.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-07-02 09:01:41 +00:00
Andrew Bartlett
32c333def9 CVE-2020-10760 dsdb: Ensure a proper talloc tree for saved controls
Otherwise a paged search on the GC port will fail as the ->data was
not kept around for the second page of searches.

An example command to produce this is
 bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD

This shows up later in the partition module as:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00151ef20 at pc 0x7fec3f801aac bp 0x7ffe8472c270 sp 0x7ffe8472c260
READ of size 4 at 0x60b00151ef20 thread T0 (ldap(0))
    #0 0x7fec3f801aab in talloc_chunk_from_ptr ../../lib/talloc/talloc.c:526
    #1 0x7fec3f801aab in __talloc_get_name ../../lib/talloc/talloc.c:1559
    #2 0x7fec3f801aab in talloc_check_name ../../lib/talloc/talloc.c:1582
    #3 0x7fec1b86b2e1 in partition_search ../../source4/dsdb/samdb/ldb_modules/partition.c:780

or

smb_panic_default: PANIC (pid 13287): Bad talloc magic value - unknown value
(from source4/dsdb/samdb/ldb_modules/partition.c:780)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14402

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
cc3a67760c CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
NBT has a funny thing where it sometimes needs to send a trailing dot as
part of the last component, because the string representation is a user
name. In DNS, "example.com", and "example.com." are the same, both
having three components ("example", "com", ""); in NBT, we want to treat
them differently, with the second form having the three components
("example", "com.", "").

This retains the logic of e6e2ec0001.

Also DNS compression cannot be turned off for NBT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
c3fa8ada43 CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
As per RFC 1035.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
51a4571849 CVE-2020-10745: ndr_dns: do not allow consecutive dots
The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
bb63737905 CVE-2020-10745: ndr/dns_utils: correct a comment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
601e8a3f69 CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
This is because ndr_nbt.c does almost exactly the same thing with
almost exactly the same code, and they both do it wrong. Soon they
will both be using the better version that this will become. Though in
this patch we just move the code, not fix it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
bc896d7529 CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings
These time the push and pull function in isolation.

Timing should be under 0.0001 seconds on even quite old hardware; we
assert it must be under 0.2 seconds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
f4b2fd00fe CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests
The client libraries don't allow us to make packets that are broken in
certain ways, so we need to construct them as byte strings.

These tests all fail at present, proving the server is rendered
unresponsive, which is the crux of CVE-2020-10745.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Gary Lockyer
d8b9bb274b CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
Prevent use after free issues if ldb_lock_backend_callback is called
twice, usually due to ldb_module_done being called twice. This can happen if a
module ignores the return value from function a function that calls
ldb_module_done as part of it's error handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-07-02 09:01:41 +00:00
Gary Lockyer
f88b69f543 CVE-2020-10730: s4 dsdb vlv_pagination: Prevent repeat call of ldb_module_done
Check the return code from vlv_results, if it is not LDB_SUCCESS
ldb_module_done has already been called, and SHOULD NOT be called again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-07-02 09:01:40 +00:00
Gary Lockyer
4d99cab617 CVE-2020-10730: s4 dsdb paged_results: Prevent repeat call of ldb_module_done
Check the return code from paged_results, if it is not LDB_SUCCESS
ldb_module_done has already been called, and SHOULD NOT be called again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-07-02 09:01:40 +00:00
Andrew Bartlett
9197d85c52 CVE-2020-10730: dsdb: Ban the combination of paged_results and VLV
This (two different paging controls) makes no sense and fails against
Windows Server 1709.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-07-02 09:01:40 +00:00
Andrew Bartlett
60078f4f6f CVE-2020-10730: dsdb: Fix crash when vlv and paged_results are combined
The GUID is not returned in the DN for some reason in this (to be banned)
combination.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-07-02 09:01:40 +00:00
Andrew Bartlett
cac84d9161 CVE-2020-10730: selftest: Add test to show that VLV and paged_results are incompatible
As tested against Windows Server 1709

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-07-02 09:01:40 +00:00
Andrew Bartlett
ff0b1df856 CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV
This is essentially an alternative patch, but without the correct
behaviour.  Instead this just avoids a segfault.

Included in case we have something simialr again in
another module.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-07-02 09:01:40 +00:00
Andrew Bartlett
ec1c7d6208 CVE-2020-10730: selftest: Add test to confirm VLV interaction with ASQ
Tested against Windows 1709.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-07-02 09:01:40 +00:00
Andrew Bartlett
914e0cfa08 CVE-2020-10730: vlv: Do not re-ASQ search the results of an ASQ search with VLV
This is a silly combination, but at least try and keep the results sensible
and avoid a double-dereference.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-07-02 09:01:40 +00:00
Andrew Bartlett
b2f27a47b3 CVE-2020-10730: vlv: Use strcmp(), not strncmp() checking the NULL terminated control OIDs
The end result is the same, as sizeof() includes the trailing NUL, but this
avoids having to think about that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-07-02 09:01:40 +00:00