The branch, v4-15-test has been updated
       via  c4b2930a837 smbd: Fix a use-after-free
       via  e19d287cef3 s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
      from  f7e31127e7f waf: re-add missing readlink test

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------
commit c4b2930a837d817f3da8c7641b1b7201383ea36c
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Feb 23 15:56:41 2022 +0100

    smbd: Fix a use-after-free
    
    stat_cache_lookup() allocates its result on top of talloc_tos().
    filename_convert_smb1_search_path() creates a talloc_stackframe(),
    which makes the names which were supposed to be allocated on the "ctx"
    parameter of filename_convert_smb1_search_path() go away too
    early. Reparent the results from stat_cache_lookup() properly.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    
    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Tue Mar  1 20:59:55 UTC 2022 on sn-devel-184
    
    (cherry picked from commit 8c97743511e4d53f795f2469a28aabfb96da0dfa)
    
    Autobuild-User(v4-15-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-15-test): Wed Mar  2 12:27:47 UTC 2022 on sn-devel-184

commit e19d287cef39d137124295331243c019bd56438f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 25 07:40:17 2022 +0100

    s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
    
    This is most likely not a problem for the current callers,
    but it is unexpected and will likely cause problems with future
    changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit f6fe86924c2ca756083d3628d5dbace0b12d06b0)

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/filename.c |  7 +++++++
 source4/auth/sam.c      | 19 ++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 56ebdd9f370..ad9a0e817ff 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -1100,6 +1100,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx,
                                          &state->name,
                                          state->smb_fname->twrp,
                                          &state->smb_fname->st);
+               /*
+                * stat_cache_lookup() allocates on talloc_tos() even
+                * when !found, reparent correctly
+                */
+               talloc_steal(state->smb_fname, state->smb_fname->base_name);
+               talloc_steal(state->mem_ctx, state->dirpath);
+
                if (found) {
                        goto done;
                }
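Review bot: The comment at the top of the added block should say which lifetime is being fixed, not just "reparent correctly": per the commit message, state->smb_fname->base_name and state->dirpath are returned by stat_cache_lookup() on talloc_tos(), and that frame is popped by the talloc_stackframe() in filename_convert_smb1_search_path() before the caller is done with the names. Suggest expanding the comment to something like "stat_cache_lookup() allocates on talloc_tos() even when !found; the caller's talloc_stackframe() would free these names, so move them to the contexts they are meant to live on". It is also worth stating in the comment that the two talloc_steal() calls are safe on the !found path because talloc_steal() on a NULL pointer is a no-op, which is why the reparenting can sit unconditionally before the `if (found)` check.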
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 93b41be3b21..8b233bab3ad 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -454,12 +454,15 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX 
*mem_ctx,
        user_info_dc->info = info = talloc_zero(user_info_dc, struct 
auth_user_info);
        NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
 
-       info->account_name = talloc_steal(info,
-               ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
+       str = ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL);
+       info->account_name = talloc_strdup(info, str);
+       if (info->account_name == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
-       info->user_principal_name = talloc_steal(info,
-               ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL));
-       if (info->user_principal_name == NULL && dns_domain_name != NULL) {
+       str = ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL);
+       if (str == NULL && dns_domain_name != NULL) {
                info->user_principal_name = talloc_asprintf(info, "%s@%s",
                                        info->account_name,
                                        dns_domain_name);
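Review bot: Replacing talloc_steal() with talloc_strdup() changes behaviour when sAMAccountName is absent from msg: talloc_strdup(info, NULL) returns NULL, so the new `if (info->account_name == NULL)` check turns a missing attribute into NT_STATUS_NO_MEMORY, whereas the old code left account_name NULL and carried on. If sAMAccountName is considered mandatory here, check `str == NULL` separately and return a status that says so (or add a comment that a missing attribute is deliberately treated as fatal); otherwise only fail when `str != NULL && info->account_name == NULL`. Separately, `str` is assigned in this hunk but its declaration is not part of the diff (the 14 insertions in the summary are all visible here), so please confirm it is already declared as `const char *` earlier in authsam_make_user_info_dc().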
@@ -468,6 +471,12 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX 
*mem_ctx,
                        return NT_STATUS_NO_MEMORY;
                }
                info->user_principal_constructed = true;
+       } else if (str != NULL) {
+               info->user_principal_name = talloc_strdup(info, str);
+               if (info->user_principal_name == NULL) {
+                       TALLOC_FREE(user_info_dc);
+                       return NT_STATUS_NO_MEMORY;
+               }
        }
 
        info->domain_name = talloc_strdup(info, domain_name);
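Review bot: The `if (str == NULL && dns_domain_name != NULL) ... else if (str != NULL)` structure leaves the third case (str == NULL and dns_domain_name == NULL) implicit, relying on the talloc_zero() of info earlier in the function to keep user_principal_name NULL. Suggest ordering the branches as `if (str != NULL) { dup } else if (dns_domain_name != NULL) { construct }` so the three outcomes read in one place, and add a one-line comment that user_principal_name is intentionally left NULL when neither source is available. The `TALLOC_FREE(user_info_dc); return NT_STATUS_NO_MEMORY;` pair now appears three times in this function; a single `nomem:` label would keep the cleanup in one place.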


-- 
Samba Shared Repository
