The branch, master has been updated
       via  fa3f0499cc1 pyglue:generate_random_[machine]_password: ValueError for bad values
       via  4f902dba336 pyglue: generate_random_[machine]_password: reject negative numbers
       via  b7b4d6da5fa pyglue: generate_random_bytes/str accept positive numbers only
       via  333e1efa27f pyglue: check talloc buffer for random bytes
       via  9aa52bb37e9 pytest/segfault: abort for generate_random_bytes(-1)
       via  9c2ffef0d51 s3:passdb: Zero sensitive memory in lsa_secret_{set/get}_common()
       via  79754f04bbf s3:passdb: Zero secrets_domain_info1_password created via secrets_domain_info_password_create()
       via  da2c723266c s3:passdb: Zero secrets_domain_info1_password created via secrets_fetch()
       via  01c0ab191a5 s3:passdb: Zero local memory in secrets_domain_info_kerberos_keys()
       via  ebfc1672335 s3:passdb: Zero local memory in secrets_fetch()
       via  28a3d5119ad lib:krb5: Change memset() to BURN_PTR_SIZE()
       via  4b2df80e898 s3:afs: Zero memory for afs_keyfile
       via  83dc061fd3c s3:net: Zero password in secrets_fetch_ipc_userpass() callers
       via  2578eb3b5e2 s3:passdb: Fix possible memory leak in secrets_fetch_ipc_userpass()
       via  5b647513940 s3:passdb: Zero password in secrets_fetch_ipc_userpass()
       via  8941c748c77 s3:net: Fix trailing whitespace in net.c
       via  1772a05757d s3:passdb: Zero memory in pdb_set_pw_history()
       via  003854a4f5d s3:passdb: Zero memory in pdb_set_plaintext_passwd()
       via  12478c24b0b s3:passdb: s/BURN_PTR_SIZE/BURN_STR/ in samu_destroy()
       via  ccae2a4ab54 s3:auth: Zero memory in sam_password_ok()
       via  035e2021fa9 s3:passdb: Zero memory for plaintext_pw from 'struct samu'
       via  02f667587c6 s3:passdb: Fix whitespaces in pdb_get_set.c
       via  3151e760548 s3:passdb: Zero password in fetch_ldap_pw() callers
       via  84d5e156ffb s3:passdb: Zero password in fetch_ldap_pw()
       via  2357f6e21ec s3:passdb: Fix trailing whitespaces in pdb_ldap.c
       via  2706fdae54d s3:lib: Fix trailing whitespaces in smbldap.c
       via  04d4bc54949 s3: Zero memory of idmap_fetch_secret() users
       via  0d7e34a63d5 s3:passdb: Zero password in secrets_{fetch,store}_trusted_domain_password()
       via  ad9044a17a3 s3:passdb: Zero memory using BURN_FREE_STR() in get_trust_pw_hash2()
       via  ca3c9fa0f35 s3:passdb: Zero memory using BURN_FREE_STR() in secrets_fetch_or_upgrade_domain_info()
       via  b6dde7d31bc s3:passdb: Zero memory using BURN_FREE() in secrets_fetch_trust_account_password_legacy() and secrets_fetch_domain_info1_by_key()
       via  988077c3360 s3:libsmb: Zero memory in trust_pw_change()
       via  4df98ed05d4 s3:libads: Zero memory in ads_change_trust_account_password()
       via  8de685741b1 lib:util: Zero memory in generate_random_machine_password()
       via  8564380346a lib:replace: Add macro BURN_STR() to zero memory of a string
       via  fa29eed6810 lib:util: Add BURN_FREE() and BURN_FREE_STR()
       via  c9c120da110 s3:libsmb: Fix trailing whitespaces in trusts_util.c
       via  f641abfcb59 s3:libads: Fix trailing whitespaces in util.c
      from  9fa6ab2233a s3:tests: Transfer test files into temporary directory
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit fa3f0499cc1709fefaf95a6a6902651ba3961c8d
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Wed Jun 22 15:21:31 2022 +1200

    pyglue:generate_random_[machine]_password: ValueError for bad values

    The actual range is 14 to 255 for machine passwords, and there is a
    min <= max check for both.

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Fri Aug 26 08:59:28 UTC 2022 on sn-devel-184

commit 4f902dba336f9d2aabb31e2ba6acf2b8ad726fcc
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Wed Jun 22 11:12:30 2022 +1200

    pyglue: generate_random_[machine]_password: reject negative numbers

    Other range errors (e.g. min > max) are caught in the wrapped functions,
    which return EINVAL, so we don't recapitulate that logic (see next
    commit though).

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b7b4d6da5fa81635e71c5e5e84dbdd13e7915b4b
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Mon Aug 5 00:41:49 2019 +1200

    pyglue: generate_random_bytes/str accept positive numbers only

    We aren't yet able to generate negative numbers of random bytes.
    Instead a request for -n bytes is implicitly converted into one for
    SIZE_MAX - n bytes, which is typically very large. Memory exhaustion
    seems a likely outcome.

    With this patch callers will see a ValueError.

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 333e1efa27f1d99bbfc69d94d3bf47e7b99c1e40
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Mon Aug 5 00:28:31 2019 +1200

    pyglue: check talloc buffer for random bytes

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 9aa52bb37e90a00fa38fb5048fd1debb599b03df
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Aug 5 12:39:24 2022 +1200

    pytest/segfault: abort for generate_random_bytes(-1)

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 9c2ffef0d51029132313593e413f2e2f4f671e6b
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Sat Aug 20 15:37:26 2022 +0200

    s3:passdb: Zero sensitive memory in lsa_secret_{set/get}_common()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 79754f04bbfcc36977377c98d8dd6addc93af892
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Sat Aug 20 09:38:55 2022 +0200

    s3:passdb: Zero secrets_domain_info1_password created via secrets_domain_info_password_create()

    Zero out these members of struct secrets_domain_info1_password:

        DATA_BLOB cleartext_blob;
        struct samr_Password nt_hash;
        struct secrets_domain_info1_kerberos_key *keys;

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit da2c723266c38e241e35c7cbf28e480d19cb40f6
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Sat Aug 20 09:34:30 2022 +0200

    s3:passdb: Zero secrets_domain_info1_password created via secrets_fetch()

    Zero out these members of struct secrets_domain_info1_password:

        DATA_BLOB cleartext_blob;
        struct samr_Password nt_hash;
        struct secrets_domain_info1_kerberos_key *keys;

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 01c0ab191a58d109f277aea8330fcf31bd7a83f6
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Fri Aug 19 15:25:28 2022 +0200

    s3:passdb: Zero local memory in secrets_domain_info_kerberos_keys()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ebfc16723358b4077499edead99a66ef0056ef94
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Aug 11 10:09:00 2022 +0200

    s3:passdb: Zero local memory in secrets_fetch()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 28a3d5119ad5f254a2a3af380d9a4259ed8433db
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Aug 17 17:33:42 2022 +0200

    lib:krb5: Change memset() to BURN_PTR_SIZE()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4b2df80e898c837707b6854a1a94fccf8d87f6b8
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Aug 10 09:07:07 2022 +0200

    s3:afs: Zero memory for afs_keyfile

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 83dc061fd3c670f5f1e2bed5c4e8db94ce81dfc5
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Tue Aug 9 15:37:15 2022 +0200

    s3:net: Zero password in secrets_fetch_ipc_userpass() callers

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2578eb3b5e2c202e51c8263cd660ba8626503405
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Aug 11 10:39:37 2022 +0200

    s3:passdb: Fix possible memory leak in secrets_fetch_ipc_userpass()

    If domain or username are empty strings (""), we need to free them.

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 5b64751394073f692cbf169a1df5621f443abce9
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Tue Aug 9 15:36:34 2022 +0200

    s3:passdb: Zero password in secrets_fetch_ipc_userpass()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 8941c748c775ccd07bc35336f43e295cfaab142e
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Aug 10 14:48:14 2022 +0200

    s3:net: Fix trailing whitespace in net.c

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 1772a05757ddf3ac017de122589bf77ebc64201b
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Tue Aug 9 09:09:49 2022 +0200

    s3:passdb: Zero memory in pdb_set_pw_history()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 003854a4f5d4eca6bf75b21364722597f8e137d8
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Aug 8 18:23:40 2022 +0200

    s3:passdb: Zero memory in pdb_set_plaintext_passwd()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 12478c24b0b994adc909c06e85d7c6c5330f9db2
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Aug 8 17:49:11 2022 +0200

    s3:passdb: s/BURN_PTR_SIZE/BURN_STR/ in samu_destroy()

    This makes sure that strlen(user->plaintext_pw) is not called twice.

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ccae2a4ab5478acea7c37134d486c3562ff5c3dc
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Aug 8 15:23:05 2022 +0200

    s3:auth: Zero memory in sam_password_ok()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 035e2021fa986fe7a1b9a7af5a0102163697eda3
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Aug 8 14:30:24 2022 +0200

    s3:passdb: Zero memory for plaintext_pw from 'struct samu'

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 02f667587c69bd4c3ffa5ea2bfe2fb9d09f88d5f
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Aug 8 14:14:53 2022 +0200

    s3:passdb: Fix whitespaces in pdb_get_set.c

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 3151e760548ce4cbcf6ec5f6907e96b37eb18dde
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Aug 10 20:51:46 2022 +0200

    s3:passdb: Zero password in fetch_ldap_pw() callers

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 84d5e156ffb0fc9ae2bf0e7439bccb9aab40be7f
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Aug 11 10:49:01 2022 +0200

    s3:passdb: Zero password in fetch_ldap_pw()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2357f6e21ec50a40ed36bc15624eebdd98013020
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Fri Aug 5 11:44:53 2022 +0200

    s3:passdb: Fix trailing whitespaces in pdb_ldap.c

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2706fdae54d89351a6405f85adbb9d237d9762c2
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Fri Aug 5 11:11:37 2022 +0200

    s3:lib: Fix trailing whitespaces in smbldap.c

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 04d4bc54949e646cfa86a14b051879edde56048a
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Fri Aug 5 11:09:37 2022 +0200

    s3: Zero memory of idmap_fetch_secret() users

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 0d7e34a63d5accedc2d792c002d5f60cdd4255dd
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Aug 3 21:06:21 2022 +0200

    s3:passdb: Zero password in secrets_{fetch,store}_trusted_domain_password()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ad9044a17a34450fe0a2c246c5d5e5c9d11accd2
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Tue Aug 2 17:32:43 2022 +0200

    s3:passdb: Zero memory using BURN_FREE_STR() in get_trust_pw_hash2()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ca3c9fa0f35a92d487ebafabbe2acfa375fb88d2
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Tue Aug 2 17:24:29 2022 +0200

    s3:passdb: Zero memory using BURN_FREE_STR() in secrets_fetch_or_upgrade_domain_info()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b6dde7d31bc3731471ce92b68c8eaf3ef9779392
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Tue Jul 26 19:03:11 2022 +0200

    s3:passdb: Zero memory using BURN_FREE() in secrets_fetch_trust_account_password_legacy() and secrets_fetch_domain_info1_by_key()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 988077c33602c62a47a1dab67e846ed28352088d
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Jul 27 17:21:08 2022 +0200

    s3:libsmb: Zero memory in trust_pw_change()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4df98ed05d4171d0d13bf6c45577cdeb03958f22
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Jul 27 17:21:07 2022 +0200

    s3:libads: Zero memory in ads_change_trust_account_password()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 8de685741b13bcb433d748ef7de6296a6dee0726
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Tue Jul 26 19:02:28 2022 +0200

    lib:util: Zero memory in generate_random_machine_password()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 8564380346ace981b957bb8464f2ecf007032062
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Aug 8 17:47:28 2022 +0200

    lib:replace: Add macro BURN_STR() to zero memory of a string

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit fa29eed6810844dee1ca481a74ab80810baeda6b
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Jul 27 17:40:03 2022 +0200

    lib:util: Add BURN_FREE() and BURN_FREE_STR()

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit c9c120da110269b473b39d6854a44cf78ce5c578
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Jul 27 16:03:55 2022 +0200

    s3:libsmb: Fix trailing whitespaces in trusts_util.c

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f641abfcb5977b62a23ff5c199dd2f8ca5463829
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Jul 27 16:01:25 2022 +0200

    s3:libads: Fix trailing whitespaces in util.c
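The two themes of this changeset are (a) zeroing secrets before their memory is released, with string-length-based helpers such as BURN_STR() and BURN_FREE_STR(), and (b) refusing negative lengths in the Python bindings before they are converted to size_t. The following stand-alone C program is an added illustration of both points and is not Samba code: the burn_* helpers, the hypothetical nonzero_bytes() checker and the constructed sample buffer are all assumptions made here. It uses a volatile function pointer to memset as a portable stand-in for memset_s, and shows why a strlen()-based wipe does not clear bytes beyond the first NUL in a buffer that previously held a longer secret.

```c
/* Added example (not Samba's code): secure-zeroing helpers in the spirit of
 * BURN_STR()/BURN_FREE_STR(), plus the signed-to-size_t length pitfall. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Portable stand-in for memset_s(): calling memset through a volatile
 * function pointer stops the compiler from treating the store as dead. */
static void *(*volatile burn_memset)(void *, int, size_t) = memset;

/* Wipe a buffer of known size (the BURN_PTR_SIZE() idea). */
static void burn_ptr_size(void *p, size_t n)
{
    if (p != NULL && n > 0) {
        burn_memset(p, 0, n);
    }
}

/* Wipe a C string by its current length (the BURN_STR() idea): only the
 * bytes up to the first NUL are touched. */
static void burn_str(char *s)
{
    if (s != NULL) {
        burn_ptr_size(s, strlen(s));
    }
}

/* Wipe a malloc'd string, free it and clear the pointer (BURN_FREE_STR()). */
static void burn_free_str(char **s)
{
    if (*s != NULL) {
        burn_str(*s);
        free(*s);
        *s = NULL;
    }
}

/* Hypothetical checker: how many bytes of the allocation are still non-zero. */
static size_t nonzero_bytes(const unsigned char *p, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i] != 0) {
            count++;
        }
    }
    return count;
}

/* Constructed scenario: a 16-byte buffer held a 15-char secret, then was
 * shortened in place to "Old". burn_str() clears 3 bytes; the stale tail
 * "ongSecret!!" (11 bytes) survives. */
static size_t leftover_after_burn_str(void)
{
    char buf[16];
    memcpy(buf, "OldLongSecret!!", 16);
    buf[3] = '\0';
    burn_str(buf);
    return nonzero_bytes((const unsigned char *)buf, sizeof(buf));
}

/* Same scenario with a size-based wipe: nothing survives. */
static size_t leftover_after_burn_ptr_size(void)
{
    char buf[16];
    memcpy(buf, "OldLongSecret!!", 16);
    buf[3] = '\0';
    burn_ptr_size(buf, sizeof(buf));
    return nonzero_bytes((const unsigned char *)buf, sizeof(buf));
}

/* After burn_free_str() the caller's pointer is NULL, so a later reuse
 * fails loudly instead of reading freed secret memory. */
static int burn_free_str_clears_pointer(void)
{
    char *secret = malloc(8);
    if (secret == NULL) {
        return 0;
    }
    memcpy(secret, "hunter2", 8);
    burn_free_str(&secret);
    return secret == NULL;
}

/* The pyglue fix: an int length is implicitly converted to size_t by the
 * callee, so -1 becomes SIZE_MAX. Reject before the conversion happens. */
static int random_len_is_valid(int len)
{
    return len >= 0;
}

static size_t wrapped_size(int len)
{
    return (size_t)len;
}

int main(void)
{
    printf("stale bytes after strlen-based burn: %zu\n", leftover_after_burn_str());
    printf("stale bytes after size-based burn:   %zu\n", leftover_after_burn_ptr_size());
    printf("pointer cleared by burn+free: %s\n",
           burn_free_str_clears_pointer() ? "yes" : "no");
    printf("(size_t)-1 == SIZE_MAX: %s, accepted: %s\n",
           wrapped_size(-1) == SIZE_MAX ? "yes" : "no",
           random_len_is_valid(-1) ? "yes" : "no");
    return 0;
}
```

Where the platform provides memset_s() or explicit_bzero(), use those instead of the volatile-pointer trick; the point of the example is the semantics, not the primitive. The leftover-bytes check is the concrete reason to prefer a size-based wipe whenever the allocation size is known.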
Signed-off-by: Pavel Filipenský <pfilipen...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/krb5_wrap/krb5_samba.c | 2 +- lib/replace/replace.h | 11 ++ lib/util/genrand_util.c | 8 ++ lib/util/memory.h | 27 +++++ python/pyglue.c | 63 +++++++++- python/samba/tests/segfault.py | 6 + source3/auth/check_samsec.c | 14 ++- source3/lib/smbldap.c | 98 ++++++++-------- source3/libads/util.c | 9 +- source3/libsmb/trusts_util.c | 7 +- source3/passdb/machine_account_secrets.c | 67 ++++++++--- source3/passdb/passdb.c | 6 +- source3/passdb/pdb_get_set.c | 190 +++++++++++++++++-------------- source3/passdb/pdb_ldap.c | 101 ++++++++-------- source3/passdb/py_passdb.c | 2 + source3/passdb/secrets.c | 38 +++++-- source3/passdb/secrets_lsa.c | 13 ++- source3/utils/net.c | 6 +- source3/utils/net_afs.c | 2 + source3/utils/net_sam.c | 3 +- source3/winbindd/idmap_ldap.c | 2 +- source3/winbindd/idmap_rfc2307.c | 2 +- 22 files changed, 436 insertions(+), 241 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 2873c386410..0e70b696948 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -322,7 +322,7 @@ int smb_krb5_create_key_from_string(krb5_context context, } mdfour(nt_hash, utf16, utf16_size); - memset(utf16, 0, utf16_size); + BURN_PTR_SIZE(utf16, utf16_size); ret = smb_krb5_keyblock_init_contents(context, ENCTYPE_ARCFOUR_HMAC, nt_hash, diff --git a/lib/replace/replace.h b/lib/replace/replace.h index da5526c4a2f..bd7f6e53e81 100644 --- a/lib/replace/replace.h +++ b/lib/replace/replace.h 
@@ -864,6 +864,17 @@ typedef unsigned long long ptrdiff_t ; */ #define BURN_PTR_SIZE(x, s) memset_s((x), (s), 0, (s)) +/** + * Explicitly zero data in string. This is guaranteed to be not optimized + * away. + */ +#define BURN_STR(x) do { \ + if ((x) != NULL) { \ + size_t s = strlen(x); \ + memset_s((x), s, 0, s); \ + } \ + } while(0) + /** * Work out how many elements there are in a static array. */ diff --git a/lib/util/genrand_util.c b/lib/util/genrand_util.c index 82103f59bd7..43005c56666 100644 --- a/lib/util/genrand_util.c +++ b/lib/util/genrand_util.c @@ -312,6 +312,9 @@ again: * * If 'unix charset' is not utf8, the password consist of random ascii * values! + * + * The return value is a talloc string with destructor talloc_keep_secret() set. + * The content will be overwritten by zeros when the mem_ctx is destroyed. */ _PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, size_t max) @@ -349,6 +352,7 @@ _PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, frame = talloc_stackframe_pool(2048); state = talloc_zero(frame, struct generate_random_machine_password_state); + talloc_keep_secret(state); diff = max - min; @@ -417,6 +421,7 @@ _PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, TALLOC_FREE(frame); return NULL; } + talloc_keep_secret(utf8_pw); ok = convert_string_talloc(frame, CH_UTF16MUNGED, CH_UNIX, @@ -425,6 +430,7 @@ _PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, if (!ok) { goto ascii_fallback; } + talloc_keep_secret(unix_pw); if (utf8_len != unix_len) { goto ascii_fallback; @@ -442,6 +448,7 @@ _PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, TALLOC_FREE(frame); return NULL; } + talloc_keep_secret(new_pw); talloc_set_name_const(new_pw, __func__); TALLOC_FREE(frame); return new_pw; 
@@ -467,6 +474,7 @@ ascii_fallback: TALLOC_FREE(frame); return NULL; } + talloc_keep_secret(new_pw); talloc_set_name_const(new_pw, __func__); TALLOC_FREE(frame); return new_pw; diff --git a/lib/util/memory.h b/lib/util/memory.h index 4f7986c9b0c..40c66d824a1 100644 --- a/lib/util/memory.h +++ b/lib/util/memory.h @@ -31,6 +31,33 @@ #define SAFE_FREE(x) do { if ((x) != NULL) {free(x); (x)=NULL;} } while(0) #endif +/** + * Zero string and free memory if the pointer and zero the pointer. + * + * @note You are explicitly allowed to pass NULL pointers -- they will + * always be ignored. + **/ +#define BURN_FREE_STR(x) do { \ + if ((x) != NULL) { \ + size_t s = strlen(x); \ + memset_s((x), s, 0, s); \ + free(x); (x) = NULL; \ + } \ + } while(0) + +/** + * Zero and free memory if the pointer and zero the pointer. + * + * @note You are explicitly allowed to pass NULL pointers -- they will + * always be ignored. + **/ +#define BURN_FREE(x, s) do { \ + if ((x) != NULL) { \ + memset_s((x), (s), 0, (s)); \ + free(x); (x) = NULL; \ + } \ + } while(0) + /** * Type-safe version of malloc. Allocated one copy of the * specified data type. diff --git a/python/pyglue.c b/python/pyglue.c index 0e1bf82fa7a..60592874ae6 100644 --- a/python/pyglue.c +++ b/python/pyglue.c @@ -37,9 +37,15 @@ static PyObject *py_generate_random_str(PyObject *self, PyObject *args) int len; PyObject *ret; char *retstr; - if (!PyArg_ParseTuple(args, "i", &len)) + if (!PyArg_ParseTuple(args, "i", &len)) { return NULL; - + } + if (len < 0) { + PyErr_Format(PyExc_ValueError, + "random string length should be positive, not %d", + len); + return NULL; + } retstr = generate_random_str(NULL, len); ret = PyUnicode_FromString(retstr); talloc_free(retstr); 
@@ -51,11 +57,28 @@ static PyObject *py_generate_random_password(PyObject *self, PyObject *args) int min, max; PyObject *ret; char *retstr; - if (!PyArg_ParseTuple(args, "ii", &min, &max)) + if (!PyArg_ParseTuple(args, "ii", &min, &max)) { + return NULL; + } + if (max < 0 || min < 0) { + /* + * The real range checks happen in generate_random_password(). + * Here we are just checking the values won't overflow into + * numbers when cast to size_t. + */ + PyErr_Format(PyExc_ValueError, + "invalid range: %d - %d", + min, max); return NULL; + } retstr = generate_random_password(NULL, min, max); if (retstr == NULL) { + if (errno == EINVAL) { + PyErr_Format(PyExc_ValueError, + "invalid range: %d - %d", + min, max); + } return NULL; } ret = PyUnicode_FromString(retstr); @@ -68,11 +91,29 @@ static PyObject *py_generate_random_machine_password(PyObject *self, PyObject *a int min, max; PyObject *ret; char *retstr; - if (!PyArg_ParseTuple(args, "ii", &min, &max)) + if (!PyArg_ParseTuple(args, "ii", &min, &max)) { + return NULL; + } + if (max < 0 || min < 0) { + /* + * The real range checks happen in + * generate_random_machine_password(). + * Here we are just checking the values won't overflow into + * numbers when cast to size_t. + */ + PyErr_Format(PyExc_ValueError, + "invalid range: %d - %d", + min, max); return NULL; + } retstr = generate_random_machine_password(NULL, min, max); if (retstr == NULL) { + if (errno == EINVAL) { + PyErr_Format(PyExc_ValueError, + "invalid range: %d - %d", + min, max); + } return NULL; } ret = PyUnicode_FromString(retstr); 
@@ -97,10 +138,20 @@ static PyObject *py_generate_random_bytes(PyObject *self, PyObject *args) PyObject *ret; uint8_t *bytes = NULL; - if (!PyArg_ParseTuple(args, "i", &len)) + if (!PyArg_ParseTuple(args, "i", &len)) { return NULL; - + } + if (len < 0) { + PyErr_Format(PyExc_ValueError, + "random bytes length should be positive, not %d", + len); + return NULL; + } bytes = talloc_zero_size(NULL, len); + if (bytes == NULL) { + PyErr_NoMemory(); + return NULL; + } generate_random_buffer(bytes, len); ret = PyBytes_FromStringAndSize((const char *)bytes, len); talloc_free(bytes); diff --git a/python/samba/tests/segfault.py b/python/samba/tests/segfault.py index 6186d60c823..a2a42feffda 100644 --- a/python/samba/tests/segfault.py +++ b/python/samba/tests/segfault.py @@ -236,3 +236,9 @@ class SegfaultTests(samba.tests.TestCase): c = ldb.Control(samdb, 'relax:1') del c.critical + + @segfault_detector + def test_random_bytes(self): + # memory error from SIZE_MAX -1 allocation. + from samba import generate_random_bytes + generate_random_bytes(-1) diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c index b9563c958a9..25620aef20a 100644 --- a/source3/auth/check_samsec.c +++ b/source3/auth/check_samsec.c @@ -81,19 +81,20 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, if (nt_pw) { *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16); if (!user_sess_key->data) { - return NT_STATUS_NO_MEMORY; + status = NT_STATUS_NO_MEMORY; + goto done; } SMBsesskeygen_ntv1(nt_pw, user_sess_key->data); } } - return status; + break; /* Eventually we should test plaintext passwords in their own * function, not assuming the caller has done a * mapping */ case AUTH_PASSWORD_PLAIN: case AUTH_PASSWORD_RESPONSE: - return ntlm_password_check(mem_ctx, lp_lanman_auth(), + status = ntlm_password_check(mem_ctx, lp_lanman_auth(), lp_ntlm_auth(), user_info->logon_parameters, challenge, 
@@ -104,10 +105,15 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, lm_hash, nt_hash, user_sess_key, lm_sess_key); + break; default: DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n", username, user_info->password_state)); - return NT_STATUS_INTERNAL_ERROR; + status = NT_STATUS_INTERNAL_ERROR; } +done: + ZERO_STRUCTP(lm_hash); + ZERO_STRUCTP(nt_hash); + return status; } /**************************************************************************** diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c index 4815dd81fc3..d7ff3017fb3 100644 --- a/source3/lib/smbldap.c +++ b/source3/lib/smbldap.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. LDAP protocol helper functions for SAMBA Copyright (C) Jean François Micouleau 1998 @@ -106,7 +106,7 @@ void smbldap_set_bind_callback(struct smbldap_state *state, } if (!convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, max_len, &size)) { - DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n", + DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n", attribute, values[0])); ldap_value_free(values); return False; @@ -115,7 +115,7 @@ void smbldap_set_bind_callback(struct smbldap_state *state, ldap_value_free(values); #ifdef DEBUG_PASSWORDS DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, value)); -#endif +#endif return True; } @@ -156,7 +156,7 @@ void smbldap_set_bind_callback(struct smbldap_state *state, #ifdef DEBUG_PASSWORDS DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, result)); -#endif +#endif return result; } @@ -345,7 +345,7 @@ static void smbldap_set_mod_internal(LDAPMod *** modlist, int modop, const char /* sanity checks on the mod values */ if (attribute == NULL || *attribute == '\0') { - return; + return; } #if 0 /* commented out after discussion with abartlet. Do not re-enable. 
@@ -494,7 +494,7 @@ static void smbldap_make_mod_internal(LDAP *ldap_struct, LDAPMessage *existing, * should be race-free in the sense that the LDAP-Server will * deny the complete operation if somebody changed the * attribute behind our back. */ - /* This will also allow modifying single valued attributes + /* This will also allow modifying single valued attributes * in Novell NDS. In NDS you have to first remove attribute and then * you could add new value */ @@ -541,8 +541,8 @@ static void smbldap_make_mod_internal(LDAP *ldap_struct, LDAPMessage *existing, } /********************************************************************** - Some varients of the LDAP rebind code do not pass in the third 'arg' - pointer to a void*, so we try and work around it by assuming that the + Some varients of the LDAP rebind code do not pass in the third 'arg' + pointer to a void*, so we try and work around it by assuming that the value of the 'LDAP *' pointer is the same as the one we had passed in **********************************************************************/ @@ -554,7 +554,7 @@ struct smbldap_state_lookup { static struct smbldap_state_lookup *smbldap_state_lookup_list; -static struct smbldap_state *smbldap_find_state(LDAP *ld) +static struct smbldap_state *smbldap_find_state(LDAP *ld) { struct smbldap_state_lookup *t; @@ -566,7 +566,7 @@ static struct smbldap_state *smbldap_find_state(LDAP *ld) return NULL; } -static void smbldap_delete_state(struct smbldap_state *smbldap_state) +static void smbldap_delete_state(struct smbldap_state *smbldap_state) { struct smbldap_state_lookup *t; @@ -579,7 +579,7 @@ static void smbldap_delete_state(struct smbldap_state *smbldap_state) } } -static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state) +static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state) { struct smbldap_state *tmp_ldap_state; struct smbldap_state_lookup *t; 
@@ -671,7 +671,7 @@ static int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri) } return LDAP_SUCCESS; -#else +#else /* Parse the string manually */ @@ -749,7 +749,7 @@ static int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri) /******************************************************************** try to upgrade to Version 3 LDAP if not already, in either case return current - version + version *******************************************************************/ static int smb_ldap_upgrade_conn(LDAP *ldap_struct, int *new_version) @@ -861,7 +861,7 @@ static int smbldap_open_connection (struct smbldap_state *ldap_state) ******************************************************************/ #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) #else -static int rebindproc_with_state (LDAP * ld, char **whop, char **credp, +static int rebindproc_with_state (LDAP * ld, char **whop, char **credp, int *methodp, int freeit, void *arg) { struct smbldap_state *ldap_state = arg; @@ -878,7 +878,7 @@ static int rebindproc_with_state (LDAP * ld, char **whop, char **credp, } SAFE_FREE(*credp); } else { - DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n", + DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n", ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]")); if (ldap_state->anonymous) { @@ -911,8 +911,8 @@ static int rebindproc_with_state (LDAP * ld, char **whop, char **credp, and actually does the connection. ******************************************************************/ #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) -static int rebindproc_connect_with_state (LDAP *ldap_struct, - LDAP_CONST char *url, +static int rebindproc_connect_with_state (LDAP *ldap_struct, + LDAP_CONST char *url, ber_tag_t request, ber_int_t msgid, void *arg) { 
@@ -922,7 +922,7 @@ static int rebindproc_connect_with_state (LDAP *ldap_struct, struct timespec ts; int version; - DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n", + DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n", url, ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]")); /* call START_TLS again (ldaps:// is handled by the OpenLDAP library @@ -992,7 +992,7 @@ static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request, { struct smbldap_state *ldap_state = smbldap_find_state(ld); - return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid, + return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid, ldap_state); } # endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/ @@ -1007,7 +1007,7 @@ static int smbldap_connect_system(struct smbldap_state *ldap_state) int rc; int version; - /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite + /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite (OpenLDAP) doesn't seem to support it */ DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n", 
@@ -1015,18 +1015,18 @@ static int smbldap_connect_system(struct smbldap_state *ldap_state) #ifdef HAVE_LDAP_SET_REBIND_PROC #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) -# if LDAP_SET_REBIND_PROC_ARGS == 2 - ldap_set_rebind_proc(ldap_struct, &rebindproc_connect); +# if LDAP_SET_REBIND_PROC_ARGS == 2 + ldap_set_rebind_proc(ldap_struct, &rebindproc_connect); # endif -# if LDAP_SET_REBIND_PROC_ARGS == 3 - ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state); +# if LDAP_SET_REBIND_PROC_ARGS == 3 + ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state); # endif #else /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/ -# if LDAP_SET_REBIND_PROC_ARGS == 2 - ldap_set_rebind_proc(ldap_struct, &rebindproc); +# if LDAP_SET_REBIND_PROC_ARGS == 2 + ldap_set_rebind_proc(ldap_struct, &rebindproc); # endif -# if LDAP_SET_REBIND_PROC_ARGS == 3 - ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state); +# if LDAP_SET_REBIND_PROC_ARGS == 3 + ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state); # endif #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/ #endif @@ -1074,7 +1074,7 @@ static int smbldap_connect_system(struct smbldap_state *ldap_state) } DEBUG(3, ("ldap_connect_system: successful connection to the LDAP server\n")); - DEBUGADD(10, ("ldap_connect_system: LDAP server %s support paged results\n", + DEBUGADD(10, ("ldap_connect_system: LDAP server %s support paged results\n", ldap_state->paged_results ? "does" : "does not")); done: if (rc != 0) { @@ -1126,7 +1126,7 @@ static int smbldap_open(struct smbldap_state *ldap_state) ldap_state->last_ping = (time_t)0; } else { ldap_state->last_ping = time_mono(NULL); - } -- Samba Shared Repository
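Review bot: BURN_STR() in the lib/replace/replace.h hunk zeroes only strlen(x) bytes, so anything past the first NUL in the same allocation (the tail of a longer value that was previously stored there, for instance) is left in memory; the doc comment should state that limitation, and callers that know the allocation size are better served by BURN_PTR_SIZE(x, s). Minor: `size_t s = strlen(x);` expands x unparenthesised while the neighbouring lines write `(x)`; use `strlen((x))` for consistency, since x is evaluated three times in the macro.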
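Review bot: the doc comments in the lib/util/memory.h hunk read "Zero string and free memory if the pointer and zero the pointer." and "Zero and free memory if the pointer and zero the pointer.", both with a clause missing; suggest "Zero the string, free it if the pointer is not NULL, and set the pointer to NULL." Both macros call free(), so they are only correct for malloc()-allocated memory; since the same changeset handles talloc-allocated secrets with talloc_keep_secret() in genrand_util.c, a note in the comment that BURN_FREE()/BURN_FREE_STR() must not be used on talloc pointers would save a future caller from that mistake. BURN_FREE_STR() also inherits the strlen() limitation of BURN_STR().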
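Review bot: the new doc comment in the lib/util/genrand_util.c hunk (@@ -312) says the content "will be overwritten by zeros when the mem_ctx is destroyed"; talloc_keep_secret() ties the wipe to the freeing of the returned string itself, which also happens when the string is freed directly, so "when the returned string is freed (directly or with its parent context)" is more accurate. Unchanged context in the same hunk has "the password consist of random ascii values", which should read "consists of".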
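Review bot: in the py_generate_random_str() hunk of python/pyglue.c the result of `retstr = generate_random_str(NULL, len);` goes straight into `PyUnicode_FromString(retstr);` without a NULL check, so an allocation failure becomes a NULL dereference instead of a Python exception; add `if (retstr == NULL) { PyErr_NoMemory(); return NULL; }`, as the py_generate_random_bytes() hunk does after talloc_zero_size(). The message "random string length should be positive, not %d" is also slightly off, because 0 passes the `len < 0` test; "must not be negative" describes the check.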
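Review bot: in the py_generate_random_password() hunk, when retstr is NULL and errno is not EINVAL the function returns NULL without setting an exception, which the interpreter surfaces as "SystemError: error return without exception set"; add a fallback such as PyErr_NoMemory() (or PyErr_SetFromErrno) in that branch. Reading errno after the call is also only sound if generate_random_password() sets it on every failure path; otherwise a stale EINVAL from earlier code misreports an allocation failure as "invalid range". Clearing errno before the call, or having the callee report the reason explicitly, avoids that.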
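Review bot: the py_generate_random_machine_password() hunk has the same shape as the py_generate_random_password() one: NULL is returned with no exception set when errno != EINVAL, and errno is trusted without being reset before the call. The same fallback exception and errno handling apply here.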
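Review bot: the py_generate_random_bytes() hunk now rejects negative lengths and checks the talloc_zero_size() result, which closes the SIZE_MAX allocation described in the commit message; the error text "random bytes length should be positive, not %d" is inaccurate, though, since len == 0 is accepted and returns an empty bytes object. "must not be negative" matches the `len < 0` test.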
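Review bot: test_random_bytes in the python/samba/tests/segfault.py hunk only establishes that generate_random_bytes(-1) no longer takes the interpreter down; after the pyglue change the call should raise ValueError, so wrapping it in self.assertRaises(ValueError) would pin the intended behaviour rather than just the absence of a crash. The comment "memory error from SIZE_MAX -1 allocation." describes the pre-fix behaviour and should say so, or be updated to state what the test now expects.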
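Review bot: the done: label in the second source3/auth/check_samsec.c hunk (@@ -104) zeroes lm_hash and nt_hash on every exit path, including the new NO_MEMORY goto and the default case, which is the point of the change; what the hunk does not show is whether those two pointers refer to local copies or to the caller's stored hashes. If they alias the account's hash buffers, ZERO_STRUCTP() here would wipe the stored credential after every check, so please confirm in the commit message that they are locals. ZERO_STRUCTP() must also tolerate a NULL pointer at this point, since the surrounding context shows nt_pw (and so nt_hash) may be absent for an account.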