The branch, master has been updated
       via  f198abc Provide fallback code for non-portable clearenv(3)
       via  90403de testsuit/manage-ca.sh: specify key size in CSRs
       via  b61658e winbindd/idmap_rfc2307: Fix CID 1273424 - Read from pointer after free
       via  184e787 winbindd: check if dcinfo from gencache is expired
      from  eee88e0 s3:selftest: add smbclient_ntlm tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f198abcbb3f6e8b26c697d3ded2caa1076ae018b
Author: Jérémie Courrèges-Anglas <[email protected]>
Date: Wed Apr 27 18:01:51 2016 +0200

    Provide fallback code for non-portable clearenv(3)

    clearenv(3) is a GNU extension that was rejected twice by POSIX,
    without an easy, portable alternative.

    As the dovecot project notes,
    """
    environ = NULL crashes on OSX - and OpenBSD < 6.0
    *environ = NULL doesn't work on FreeBSD 7.0
    environ = emptyenv doesn't work on Haiku OS
    environ = calloc should work everywhere
    """
    (source: http://hg.dovecot.org/dovecot-2.0/file/48f90e7e92dc/src/lib/env-util.c)

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11864

    Signed-off-by: Jérémie Courrèges-Anglas <[email protected]>
    Reviewed-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

    Autobuild-User(master): Jeremy Allison <[email protected]>
    Autobuild-Date(master): Fri Apr 29 00:12:02 CEST 2016 on sn-devel-144

commit 90403de7acdfec2aa3c752f6add27bc6f0e9ac30
Author: Björn Jacke <[email protected]>
Date: Wed Apr 27 16:57:36 2016 +0200

    testsuit/manage-ca.sh: specify key size in CSRs

    specifying the key size is required by some openssl versions

    Signed-off-by: Bjoern Jacke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit b61658e721c922089bde4543ec8c445de6eb903c
Author: Robin Hack <[email protected]>
Date: Wed Apr 27 15:10:45 2016 +0200

    winbindd/idmap_rfc2307: Fix CID 1273424 - Read from pointer after free

    idmap_rfc2307_ads_search() calls ads_do_search_retry_internal(), which
    can deallocate the ads param based on the ads->is_mine boolean.

    This approach is fragile, so the caller must properly check the
    return code before any pointer dereference.

    Signed-off-by: Robin Hack <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>
    Reviewed-by: Christof Schmitt <[email protected]>

commit 184e7873cb4038e3e90028cb60443f5b2602a7ed
Author: Ralph Boehme <[email protected]>
Date: Tue Apr 26 08:43:26 2016 +0200

    winbindd: check if dcinfo from gencache is expired

    The gencache parse function dcinfo_parser() used by
    wb_dsgetdcname_gencache_get() misses a check for expired gencache
    entries.

    Signed-off-by: Ralph Boehme <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 selftest/manage-ca/manage-ca.sh        | 4 ++--
 source3/client/smbspool_krb5_wrapper.c | 6 ++++++
 source3/winbindd/idmap_rfc2307.c       | 5 +++++
 source3/winbindd/wb_dsgetdcname.c      | 4 ++++
 source3/wscript                        | 2 +-
 5 files changed, 18 insertions(+), 3 deletions(-)

Changeset truncated at 500 lines:
diff --git a/selftest/manage-ca/manage-ca.sh b/selftest/manage-ca/manage-ca.sh
index ab796b7..8e09a93 100755
--- a/selftest/manage-ca/manage-ca.sh
+++ b/selftest/manage-ca/manage-ca.sh
@@ -234,7 +234,7 @@ create_dc)
"${OPENSSLCNF}" \
${DEFAULT_VARS} DC_DNS_NAME DC_OBJECTGUID_HEX
- openssl req -new -newkey rsa -keyout "${DCKEY_PEM}" -out "${DCREQ_PEM}"
-config "${OPENSSLCNF}"
+ openssl req -new -newkey rsa:${DC_BITS} -keyout "${DCKEY_PEM}" -out
"${DCREQ_PEM}" -config "${OPENSSLCNF}"
openssl rsa -in "${DCKEY_PEM}" -inform PEM -out "${DCKEY_PRIVATE_PEM}"
-outform PEM
openssl ca -config "${OPENSSLCNF}" -in "${DCREQ_PEM}" -out
"${DCCERT_PEM}"
ln -s "${DCKEY_PRIVATE_PEM_BASE}" "${DCKEY_PRIVATE_PEM_LINK}"
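Review bot: ${DC_BITS} in the new "-newkey rsa:${DC_BITS}" argument is expanded unquoted, and nothing in this hunk shows where it is set; if it is ever empty the argument becomes "rsa:" with no size, which is the very case this change is meant to avoid. Consider "rsa:${DC_BITS:?}" (or an explicit check earlier in create_dc) so the script stops with a clear error instead of handing openssl an incomplete algorithm string. The same applies to ${USER_BITS} in the create_user hunk.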
@@ -326,7 +326,7 @@ create_user)
"${OPENSSLCNF}" \
${DEFAULT_VARS} USER_PRINCIPAL_NAME
- openssl req -new -newkey rsa -keyout "${USERKEY_PEM}" -out
"${USERREQ_PEM}" -config "${OPENSSLCNF}"
+ openssl req -new -newkey rsa:${USER_BITS} -keyout "${USERKEY_PEM}" -out
"${USERREQ_PEM}" -config "${OPENSSLCNF}"
openssl rsa -in "${USERKEY_PEM}" -inform PEM -out
"${USERKEY_PRIVATE_PEM}" -outform PEM
openssl ca -config "${OPENSSLCNF}" -in "${USERREQ_PEM}" -out
"${USERCERT_PEM}"
ln -s "${USERKEY_PRIVATE_PEM_BASE}" "${USERKEY_PRIVATE_PEM_LINK}"
diff --git a/source3/client/smbspool_krb5_wrapper.c
b/source3/client/smbspool_krb5_wrapper.c
index e19fd92..89db5e0 100644
--- a/source3/client/smbspool_krb5_wrapper.c
+++ b/source3/client/smbspool_krb5_wrapper.c
@@ -24,6 +24,7 @@
#include "system/passwd.h"
#include <errno.h>
+#include <stdlib.h>
#include <string.h>
#include <cups/backend.h>
@@ -195,7 +196,12 @@ int main(int argc, char *argv[])
* Make sure we do not have LD_PRELOAD or other security relevant
* environment variables set.
*/
+#ifdef HAVE_CLEARENV
clearenv();
+#else
+ extern char **environ;
+ environ = calloc(1, sizeof(*environ));
+#endif
CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc);
setenv("KRB5CCNAME", gen_cc, 1);
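Review bot: the calloc() result in the #else branch is assigned to environ without a NULL check, so on allocation failure this turns into environ = NULL, the exact form the commit message lists as crashing on OSX and OpenBSD < 6.0, and setenv("KRB5CCNAME", ...) runs immediately afterwards. Check the pointer and bail out before setenv() if it is NULL. The return value of clearenv() is ignored as well; since the comment above says this block exists to drop LD_PRELOAD and other security relevant variables, a failure there should abort rather than continue with the inherited environment. The "extern char **environ;" declaration would also sit better at file scope than inside main().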
diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
index 3ef10f6..1b5aad9 100644
--- a/source3/winbindd/idmap_rfc2307.c
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -99,6 +99,11 @@ static NTSTATUS idmap_rfc2307_ads_search(struct
idmap_rfc2307_context *ctx,
status = ads_do_search_retry(ctx->ads, bind_path,
LDAP_SCOPE_SUBTREE, expr, attrs, result);
+
+ if (!ADS_ERR_OK(status)) {
+ return ads_ntstatus(status);
+ }
+
ctx->ldap = ctx->ads->ldap.ld;
return ads_ntstatus(status);
}
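Review bot: on the new error path ctx->ads and ctx->ldap are left as they were; if the search helper has freed the ADS struct, as the commit message describes, ctx still carries the stale pointers and the next call into this function passes ctx->ads to ads_do_search_retry() again. Consider resetting them before the early return, or documenting which caller does. A short comment on the check would also help, because the reason ctx->ads must not be dereferenced on failure is not visible in the code. With the early return in place, the final "return ads_ntstatus(status);" is only reached on success.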
diff --git a/source3/winbindd/wb_dsgetdcname.c
b/source3/winbindd/wb_dsgetdcname.c
index 5aea7de..125e98a 100644
--- a/source3/winbindd/wb_dsgetdcname.c
+++ b/source3/winbindd/wb_dsgetdcname.c
@@ -176,6 +176,10 @@ static void dcinfo_parser(time_t timeout, DATA_BLOB blob,
void *private_data)
struct dcinfo_parser_state *state = private_data;
enum ndr_err_code ndr_err;
+ if (timeout <= time(NULL)) {
+ return;
+ }
+
state->dcinfo = talloc(state->mem_ctx, struct netr_DsRGetDCNameInfo);
if (state->dcinfo == NULL) {
state->status = NT_STATUS_NO_MEMORY;
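Review bot: the early return for an expired entry leaves state->dcinfo and state->status untouched, so the outcome depends on how the caller initialised the state before the gencache lookup, whereas the allocation-failure path just below sets state->status explicitly. Either set a not-found status here or add a comment naming the initial values this relies on. It is also worth stating in that comment that an entry whose timeout equals the current time counts as expired, since the test is "<=".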
diff --git a/source3/wscript b/source3/wscript
index 3118e28..3b6f8a4 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -110,7 +110,7 @@ def configure(conf):
conf.CHECK_FUNCS('getpwnam', headers='sys/types.h pwd.h')
conf.CHECK_FUNCS('fdopendir')
conf.CHECK_FUNCS('fstatat')
- conf.CHECK_FUNCS('getpwent_r setenv strcasecmp fcvt fcvtl')
+ conf.CHECK_FUNCS('getpwent_r setenv clearenv strcasecmp fcvt fcvtl')
conf.CHECK_FUNCS('syslog vsyslog timegm setlocale')
conf.CHECK_FUNCS_IN('nanosleep', 'rt')
conf.CHECK_FUNCS('lutimes futimes utimensat futimens')
--
Samba Shared Repository