The branch, v4-15-test has been updated
       via  c4b2930a837 smbd: Fix a use-after-free
       via  e19d287cef3 s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
      from  f7e31127e7f waf: re-add missing readlink test
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test

- Log -----------------------------------------------------------------
commit c4b2930a837d817f3da8c7641b1b7201383ea36c
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Feb 23 15:56:41 2022 +0100

    smbd: Fix a use-after-free

    stat_cache_lookup() allocates its result on top of talloc_tos().
    filename_convert_smb1_search_path() creates a talloc_stackframe(),
    which makes the names which were supposed to be allocated on the "ctx"
    parameter of filename_convert_smb1_search_path() go away too
    early. Reparent the results from stat_cache_lookup() properly.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Tue Mar  1 20:59:55 UTC 2022 on sn-devel-184

    (cherry picked from commit 8c97743511e4d53f795f2469a28aabfb96da0dfa)

    Autobuild-User(v4-15-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-15-test): Wed Mar  2 12:27:47 UTC 2022 on sn-devel-184

commit e19d287cef39d137124295331243c019bd56438f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 25 07:40:17 2022 +0100

    s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()

    This is most likely not a problem for the current callers,
    but it is unexpected and will likely cause problems with future changes.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit f6fe86924c2ca756083d3628d5dbace0b12d06b0)

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/filename.c |  7 +++++++
 source4/auth/sam.c      | 19 ++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c index 56ebdd9f370..ad9a0e817ff 100644 --- a/source3/smbd/filename.c +++ b/source3/smbd/filename.c @@ -1100,6 +1100,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx, &state->name, state->smb_fname->twrp, &state->smb_fname->st); + /* + * stat_cache_lookup() allocates on talloc_tos() even + * when !found, reparent correctly + */ + talloc_steal(state->smb_fname, state->smb_fname->base_name); + talloc_steal(state->mem_ctx, state->dirpath); + if (found) { goto done; } diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 93b41be3b21..8b233bab3ad 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -454,12 +454,15 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); - info->account_name = talloc_steal(info, - ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL)); + str = ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL); + info->account_name = talloc_strdup(info, str); + if (info->account_name == NULL) { + TALLOC_FREE(user_info_dc); + return NT_STATUS_NO_MEMORY; + } - info->user_principal_name = talloc_steal(info, - ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL)); - if (info->user_principal_name == NULL && dns_domain_name != NULL) { + str = ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL); + if (str == NULL && dns_domain_name != NULL) { info->user_principal_name = talloc_asprintf(info, "%s@%s", info->account_name, dns_domain_name); 
@@ -468,6 +471,12 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } info->user_principal_constructed = true; + } else if (str != NULL) { + info->user_principal_name = talloc_strdup(info, str); + if (info->user_principal_name == NULL) { + TALLOC_FREE(user_info_dc); + return NT_STATUS_NO_MEMORY; + } } info->domain_name = talloc_strdup(info, domain_name); -- Samba Shared Repository
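
Review bot: In the source3/smbd/filename.c hunk (@@ -1100,6 +1100,13), the new comment above the two talloc_steal() calls says the results live on talloc_tos() but not why that is dangerous here; the reason (a caller such as filename_convert_smb1_search_path() wrapping the call in its own talloc_stackframe()) is only in the commit message. Please name that in the comment so the steals are not later removed as redundant. Since every caller of stat_cache_lookup() inherits the same lifetime trap, it is also worth considering a follow-up that passes the intended parent context into stat_cache_lookup() instead of reparenting at the call site.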
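
Review bot: In the first source4/auth/sam.c hunk (@@ -454,12 +454,15), the new NULL check on info->account_name cannot tell an absent sAMAccountName from an allocation failure. talloc_strdup(info, str) returns NULL when str is NULL, so a message without the attribute now frees user_info_dc and returns NT_STATUS_NO_MEMORY, whereas the removed talloc_steal() line just left account_name NULL and carried on. The userPrincipalName path guards on str != NULL; the account name path should either do the same or test str == NULL first and return a status that describes the missing attribute, with a comment stating that sAMAccountName is required.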
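
Review bot: In the second source4/auth/sam.c hunk (@@ -468,6 +471,12), the added "else if (str != NULL)" branch leaves a third case implicit: when both str and dns_domain_name are NULL, info->user_principal_name is never assigned and is NULL only because info was created with talloc_zero() earlier in the function. A one-line comment or an explicit final else stating that the field intentionally stays NULL would make that visible. The TALLOC_FREE(user_info_dc); return NT_STATUS_NO_MEMORY; pair is also now repeated in each added block, so a shared failure label would keep the cleanup in one place.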