1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

1895 Commits

Author SHA1 Message Date
Ralph Boehme
02da9704a0 s3/rpc_client: fix handling of NT_STATUS_SOME_NOT_MAPPED
In this case names that couldn't be resolved will be have a NULL sid pointer
which would trigger a crash in sid_copy().

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Andreas Schneider
d755bc43d8 s3:rpc_client: Initialize struct security_ace
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/rpc_client/init_spoolss.c:348: var_decl: Declaring variable ""ace"" without initializer.
samba-4.20.0rc2/source3/rpc_client/init_spoolss.c:415: uninit_use_in_call: Using uninitialized value ""*ace"". Field ""ace->object"" is uninitialized when calling ""make_sec_acl"".
  413|   	   NT5 machine. */
  414|
  415|-> 	if ((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) != NULL) {
  416|   		psd = make_sec_desc(mem_ctx,
  417|   				    SD_REVISION,"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
dd896862d0 s3:rpc_client: Check for array size instead of UINT16_MAX
mdscli_ctx->mdscmd_open.share_path is an array of size 1025. The
boundary is 1025 and not UINT16_MAX.

"Error: OVERRUN (CWE-119):
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_at_least: Checking ""share_path_len < 1UL"" implies that ""share_path_len"" is at least 1 on the false branch.
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_between: Checking ""share_path_len > 65535UL"" implies that ""share_path_len"" is between 1 and 65535 (inclusive) on the false branch.
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:133: overrun-local: Overrunning array ""mdscli_ctx->mdscmd_open.share_path"" of 1025 bytes at byte offset 65534 using index ""share_path_len - 1UL"" (which evaluates to 65534).
  131|   	mdscli_ctx->mdscmd_open.share_path_len = share_path_len;
  132|
  133|-> 	if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') {
  134|   		mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0';
  135|   		mdscli_ctx->mdscmd_open.share_path_len--;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Stefan Metzmacher
daf6d371f3 s3:rpc_client: implement bind time feature negotiation
This is not strictly needed as we don't use any of the
optional features yet.

But it will make it easier to add bind time features we'll
actually use later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 23 17:29:55 UTC 2024 on atb-devel-224
2024-04-23 17:29:55 +00:00
Stefan Metzmacher
713a802257 s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context
We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE.

It's also not needed to require a single array element.

We already checked above that we have at least one.

The next patch will all bind time feature negotiation
and that means we'll have 2 array elements...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 16:23:38 +00:00
Stefan Metzmacher
6548ccb31b s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()
This prepares adding bind time feature negotiation in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 16:23:38 +00:00
Andreas Schneider
d078ee6af6 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info_aes()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
05e9cb36b7 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Noel Power
885850b6aa s3/rpc_client: Fix array offset check
Previous to this commit we were modifying the offset before
the array offset check. This was causing a spurious debug
message indicating the offset was out of bounds. An second
problem is that upon detecting the error we don't exit the loop.
A third problem was that when reading the offset the check
didn't cater for the size of the integer address about to be read.

This commit moves the offset check to before the first read,
additionally when an error is detected now we actually exit the loop
and the offset have been corrected to include the size of the
integer to be read

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Feb 17 17:58:43 UTC 2024 on atb-devel-224
2024-02-17 17:58:43 +00:00
Noel Power
f487211706 s3/rpc_client: Ensure max possible row buffer size is not exceeded
The max buf size of rows buffer should not exceed 0x00004000.
Ensuring this value is within limits means we can safely use
uint32_t offsets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-02-17 16:51:37 +00:00
Noel Power
9b2f2302ee s3/rpc_client: cleanup unmarshalling of variant types from row columns
Prior to this change fn 'extract_variant_addresses' actually returns offsets
to the variant stored not the addresses, additionally the param in the
signature of the method is named offset where the param in reality is a
base address.
This change makes fn 'extract_variant_addresses' actually return addresses
instead of offsets and also changes the name of the incoming param. The
resulting changes are propaged to callers which hopefully makes what the
code is actually doing a little clearer

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jan 30 17:22:37 UTC 2024 on atb-devel-224
2024-01-30 17:22:37 +00:00
Noel Power
efa60ff310 s3/rpc_client: Remove stray unnecessary comment
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-01-30 16:21:35 +00:00
Noel Power
a61eb70328 s3/rpc_client: change type of offset to uint64_t
Offset can be a 32 or 64 bit address depending on the indexing addressing
mode negotiated by the client
With a 32 bit param we can only specify a 32 bit base address. This change
alone doesn't affect anything as it is the client itself that choses and
passes the base address offset and wspsearch is the only current user of
this code.
In this case even with 64bit addressing negotiated the address passed
represents only the lower 32-bits part of the address.
However, for coverage purposes it would be better for the client to use an
address that covers the full 64bit range of the address (when 64 bit
addressing is negotiated).
This change will alow the wspsearch client in a future commit to pass a
base address value with both the hi and low 32 bits values set to make up
the full 64 bit address.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-01-30 16:21:35 +00:00
Andreas Schneider
8863d84d53 s3:rpc_client: Remove unused rpccli_lsa_open_policy2()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Nov 21 12:21:18 UTC 2023 on atb-devel-224
2023-11-21 12:21:18 +00:00
Andreas Schneider
0db702322c s3:rpc_client: Implement dcerpc_lsa_open_policy_fallback()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-11-21 11:16:37 +00:00
Andreas Schneider
aecd73becc s3:rpc_client: Implement dcerpc_lsa_open_policy3()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-11-21 11:16:37 +00:00
Andreas Schneider
9621a3d7a6 Use python.h from libreplace
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15513

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-20 15:37:33 +00:00
Volker Lendecke
74e121f93b librpc: Fix error path cleanups in start_rpc_host_send()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-11-07 12:46:37 +00:00
Joseph Sutton
c095ec02ff s3:rpc_client: Add missing ‘break’ statement
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 03:08:37 +00:00
Joseph Sutton
90505d3aa8 s3:rpc_client: Align integer types (CID 1548342)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 03:08:37 +00:00
Joseph Sutton
4feb76592b s3:utils: Avoid integer overflow (CID 1548343)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 03:08:37 +00:00
Joseph Sutton
55d06fa9e3 s3:utils: Align integer type
If ‘count’ is larger than INT_MAX, ‘i’ might overflow in the loop and
lead to undefined behaviour.

See also CID 1548342.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 03:08:37 +00:00
Joseph Sutton
a396b705c8 librpc:ndr: Introduce ‘ndr_flags_type’ type
Instead of ‘int’ or ‘uint32_t’, neither of which convey much meaning,
consistently use a newly added type to hold NDR_ flags.

Update the NDR 4.0.0 ABI.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Noel Power
387c9f3aa5 libcli/wsp: Add simple client api for wsp client code.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Noel Power
47a0dc6fa6 add accessor for tstream_context
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Jeremy Allison
5ed25efb07 CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).

Remove knowfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>
2023-10-10 14:49:39 +00:00
Jeremy Allison
ae476e1c28 CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>
2023-10-10 14:49:39 +00:00
Douglas Bagnall
da841a80e3 s3:rpc: bump named_pipe_auth_req_info version number
This is because commit f893cf85cc
changed the security token in secuirty.idl, and bumping the version
was missed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
32a1e7428c s3:rpc_client: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
687a0f016f s3:rpc_client: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Ralph Boehme
61c951e063 mdscli: correct handling of in-progress searches
If a query is still being processed on the server and there no results yet,
macOS returns 0x23.

For now just implements this as dumb polling once a second in mdsearch and the
Python bindings.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jul 24 16:15:16 UTC 2023 on atb-devel-224
2023-07-24 16:15:16 +00:00
Ralph Boehme
c2b4fe3fb7 mdscli: add fragmentation support
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2023-07-24 15:18:32 +00:00
Ralph Boehme
94fcbec8af CVE-2023-34968: mdscli: return share relative paths
The next commit will change the Samba Spotlight server to return absolute paths
that start with the sharename as "/SHARENAME/..." followed by the share path
relative appended.

So given a share

  [spotlight]
    path = /foo/bar
    spotlight = yes

and a file inside this share with a full path of

  /foo/bar/dir/file

previously a search that matched this file would returns the absolute
server-side pato of the file, ie

  /foo/bar/dir/file

This will be change to

  /spotlight/dir/file

As currently the mdscli library and hence the mdsearch tool print out these
paths returned from the server, we have to change the output to accomodate these
fake paths. The only way to do this sensibly is by makeing the paths relative to
the containing share, so just

  dir/file

in the example above.

The client learns about the share root path prefix – real server-side of fake in
the future – in an initial handshake in the "share_path" out argument of the
mdssvc_open() RPC call, so the client can use this path to convert the absolute
path to relative.

There is however an additional twist: the macOS Spotlight server prefixes this
absolute path with another prefix, typically "/System/Volumes/Data", so in the
example above the full path for the same search would be

  /System/Volumes/Data/foo/bar/dir/file

So macOS does return the full server-side path too, just prefixed with an
additional path. This path prefixed can be queried by the client in the
mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:"
and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
just returns "/" for this.

Currently the mdscli library doesn't issue this Spotlight RPC
request (fetchPropertiesForContext), so this is added in this commit. In the
end, all search result paths are stripped of the combined prefix

  kMDSStorePathScopes + share_path (from mdssvc_open).

eg

  kMDSStorePathScopes = /System/Volumes/Data
  share_path = /foo/bar
  search result = /System/Volumes/Data/foo/bar/dir/file
  relative path returned by mdscli = dir/file

Makes sense? :)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-21 12:05:35 +00:00
Ralph Boehme
d402c0cc6a CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()
sl_pack_alloc() does the buffer allocation that previously all callers of
sl_pack() did themselves.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-21 12:05:35 +00:00
Ralph Boehme
e85e09eee9 CVE-2023-34968: mdscli: remove response blob allocation
This is handled by the NDR code transparently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-21 12:05:35 +00:00
Ralph Boehme
617fe37cc2 CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob
d is talloc_free()d at the end of the functions and the buffer was later used
after beeing freed in the DCERPC layer when sending the packet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-21 12:05:35 +00:00
Andreas Schneider
4a817b1655 s3:rpc_client: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-07-19 09:58:37 +00:00
Andrew Bartlett
eda1022b59 crypto: Rely on GnuTLS 3.6.13 and gnutls_pbkdf2()
This removes a lot of inline #ifdef and means this feature is always tested.

We can do this as we have chosen GnuTLS 3.6.13 as the new minimum version.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-30 14:00:38 +00:00
Volker Lendecke
59694ad0a4 rpc_server3: Pass winbind_env_set() state through to rpcd_*
Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
into winbind for getpwnam. We have the "_NO_WINBINDD" environment
variable set in winbind itself for this case, but this is lost on the
way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
this information to dcerpc_core, where it sets the variable on every
call if requested.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224
2023-05-16 11:54:32 +00:00
Volker Lendecke
bdba027a33 rpc: Remove named_pipe_auth_req_info6->need_idle_server
Involves bumping up the version number

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-05-16 10:53:40 +00:00
Volker Lendecke
31180e0e6d rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"
More code, but will be more flexible in the future.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-05-16 10:53:40 +00:00
Volker Lendecke
0ab7b84ccb rpcd: Do blocking connects to local pipes
We don't have real async callers yet, and this is the simplest way to
fix our missing light-weight deterministic async fallback mechanism.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15310

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-06 21:32:35 +00:00
Volker Lendecke
f3ce997000 librpc: Remove unused sync rpc_transport_np_init()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-06 21:32:35 +00:00
Volker Lendecke
07ebf97a74 librpc: Make rpc_pipe_open_np() public and async
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-06 21:32:35 +00:00
Joseph Sutton
8aef16bbbc named_pipe_auth: Bump info5 to info6
In the next commit, we shall replace the 'authenticated' field of
named_pipe_auth_req_info.info5.session_info.session_info.info with a
more general 'user_flags' field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Stefan Metzmacher
992f39a2c8 CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-12-13 13:07:29 +00:00
Andreas Schneider
16335412ff s3:rpcclient: Pass salt down to init_samr_CryptPasswordAES()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2022-10-25 09:34:33 +00:00
Andreas Schneider
c8daa5fb00 s3:rpc_client: Implement dcerpc_samr_chgpasswd_user4()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00
Andreas Schneider
b46064f8b5 s3:rpc_client: Fix trailing whitespaces in cli_samr.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00
Andreas Schneider
2454b86c88 s3:rpc_client: Implement init_samr_CryptPasswordAES()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-07-28 11:51:29 +00:00