The branch, v4-18-test has been updated
       via  c4fd0850c5e smbd: Fix BZ15481
       via  7de498a38d9 tests: Add reproducer for BZ15481
       via  7b57cfb1a93 s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request
       via  d96cd43df01 s4:kdc: Avoid copying data if not needed
       via  f1b7a21a7f6 s4:kdc: Don't pass a NULL pointer into krb5_pac_add_buffer()
      from  f869013c616 s3: smbd: Ensure we remove any pending aio values for named pipes on forced shutdown.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test

- Log -----------------------------------------------------------------
commit c4fd0850c5e855af326913147c10dea70f8e7322
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Sep 19 17:44:56 2023 -0700

    smbd: Fix BZ15481

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Wed Sep 20 22:42:48 UTC 2023 on atb-devel-224

    (cherry picked from commit 3481bbfede5127e3664bcf464a0ae3dec9247ab7)

    Autobuild-User(v4-18-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-18-test): Fri Sep 22 21:07:52 UTC 2023 on atb-devel-224

commit 7de498a38d93411cb4810456b6bd42e9a5ead4ce
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Sep 20 10:53:52 2023 -0700

    tests: Add reproducer for BZ15481

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 56df75d44795582dcecb8676a0d80d6f4a46c7e9)

commit 7b57cfb1a9328072e090b5e05c9b0cb09cd2d883
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Sep 4 13:20:34 2023 +1200

    s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request

    I’m not sure exactly how this check was supposed to work. But in any
    case, within fast_unwrap_request() the Heimdal KDC replaces the outer
    padata with the padata from the inner FAST request. Hence, this check
    does not accomplish anything useful: at no point should the KDC plugin
    see the outer padata.

    A couple of unwanted consequences resulted from this check. One was
    that a client who sent empty FX-FAST padata within the inner FAST
    request would receive the *Authentication Authority* Asserted Identity
    SID instead of the *Service* Asserted Identity SID. Another consequence
    was that a client could in the same manner bypass the restriction on
    performing S4U2Self with an RODC-issued TGT.

    Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
    Heimdal plugin API gives us nothing better to work with.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477

commit d96cd43df01ff30df6962f481ade1eca895feab5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 09:16:17 2023 +1300

    s4:kdc: Avoid copying data if not needed

    krb5_pac_add_buffer() makes its own copy of the data we pass in. We
    don't need to make yet another copy.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit fa901e7346d36ae64a7ceab5dcf76bc210a67c93)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15476

commit f1b7a21a7f6e47377ab4f41a9741a87907438c01
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 09:25:52 2023 +1300

    s4:kdc: Don't pass a NULL pointer into krb5_pac_add_buffer()

    Heimdal contains an assertion that the data pointer is not NULL. We
    need to pass in a pointer to some dummy data instead.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 47ef49fd91f050ce4a79a8471b3e66c808f48752)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15476

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/libsmb-basic.py | 27 +++++++++++++++++++++++++++
 source3/smbd/filename.c            | 12 +++++++++++-
 source4/kdc/pac-glue.c             | 26 +++++++++++++++-----------
 source4/kdc/wdc-samba4.c           | 22 ----------------------
 4 files changed, 53 insertions(+), 34 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/libsmb-basic.py b/python/samba/tests/libsmb-basic.py
index cbe7cce5bae..163c5b09ea9 100644
--- a/python/samba/tests/libsmb-basic.py
+++ b/python/samba/tests/libsmb-basic.py
@@ -215,6 +215,33 @@ class LibsmbTestCase(samba.tests.libsmb.LibsmbTests): c1.unlink("x") c1 = None + def test_gencache_pollution_bz15481(self): + c = libsmb.Conn(self.server_ip, "tmp", self.lp, self.creds) + fh = c.create("file", + DesiredAccess=security.SEC_STD_DELETE, + CreateDisposition=libsmb.FILE_CREATE) + + # prime the gencache File->file + fh_upper = c.create("File", + DesiredAccess=security.SEC_FILE_READ_ATTRIBUTE, + CreateDisposition=libsmb.FILE_OPEN) + c.close(fh_upper) + + c.delete_on_close(fh, 1) + c.close(fh) + + fh = c.create("File", + DesiredAccess=security.SEC_STD_DELETE, + CreateDisposition=libsmb.FILE_CREATE) + + directory = c.list("\\", "File") + + c.delete_on_close(fh, 1) + c.close(fh) + + # Without the bugfix for 15481 we get 'file' not 'File' + self.assertEqual(directory[0]['name'], 'File') + if __name__ == "__main__": import unittest unittest.main() diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c index 98506775bce..77f5e3dee4e 100644 --- a/source3/smbd/filename.c +++ b/source3/smbd/filename.c @@ -785,6 +785,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive( if (lp_stat_cache()) { char *base_name = smb_fname_rel->base_name; + char *original_relname = NULL; DATA_BLOB value = { .data = NULL }; ok = get_real_filename_cache_key( @@ -806,7 +807,13 @@ static NTSTATUS openat_pathref_fsp_case_insensitive( } DO_PROFILE_INC(statcache_hits); - TALLOC_FREE(smb_fname_rel->base_name); + /* + * For the "new filename" case we need to preserve the + * capitalization the client sent us, see + * https://bugzilla.samba.org/show_bug.cgi?id=15481 + */ + original_relname = smb_fname_rel->base_name; + smb_fname_rel->base_name = talloc_memdup( smb_fname_rel, value.data, value.length); if (smb_fname_rel->base_name == NULL) { 
@@ -824,10 +831,13 @@ static NTSTATUS openat_pathref_fsp_case_insensitive( status = openat_pathref_fsp(dirfsp, smb_fname_rel); if (NT_STATUS_IS_OK(status)) { TALLOC_FREE(cache_key.data); + TALLOC_FREE(original_relname); return NT_STATUS_OK; } memcache_delete(NULL, GETREALFILENAME_CACHE, cache_key); + TALLOC_FREE(smb_fname_rel->base_name); + smb_fname_rel->base_name = original_relname; } lookup: diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index f844b08d513..b792fbbf5aa 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -1793,6 +1793,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, DATA_BLOB type_blob = data_blob_null; uint32_t type; + static char null_byte = '\0'; + const krb5_data null_data = smb_krb5_make_data(&null_byte, 0); + if (forced_next_type != 0) { /* * We need to inject possible missing types @@ -1936,12 +1939,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, } if (type_blob.length != 0) { - code = smb_krb5_copy_data_contents(&type_data, - type_blob.data, - type_blob.length); - if (code != 0) { - goto done; - } + type_data = smb_krb5_data_from_blob(type_blob); + code = krb5_pac_add_buffer(context, new_pac, + type, &type_data); } else { code = krb5_pac_get_buffer(context, old_pac, @@ -1950,13 +1950,17 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, if (code != 0) { goto done; } + /* + * Passing a NULL pointer into krb5_pac_add_buffer() is + * not allowed, so pass null_data instead if needed. + */ + code = krb5_pac_add_buffer(context, + new_pac, + type, + (type_data.data != NULL) ? &type_data : &null_data); + smb_krb5_free_data_contents(context, &type_data); } - code = krb5_pac_add_buffer(context, - new_pac, - type, - &type_data); - smb_krb5_free_data_contents(context, &type_data); if (code != 0) { goto done; } diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index 1c10f13972f..bbc8e9154e8 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c 
@@ -67,7 +67,6 @@ static int samba_wdc_pac_options(astgs_request_t r, PAC_OPTIONS_FLAGS *flags) static bool samba_wdc_is_s4u2self_req(astgs_request_t r) { - krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r); const KDC_REQ *req = kdc_request_get_req(r); const PA_DATA *pa_for_user = NULL; @@ -75,27 +74,6 @@ static bool samba_wdc_is_s4u2self_req(astgs_request_t r) return false; } - if (config->enable_fast && req->padata != NULL) { - const PA_DATA *pa_fx_fast = NULL; - int idx = 0; - - pa_fx_fast = krb5_find_padata(req->padata->val, - req->padata->len, - KRB5_PADATA_FX_FAST, - &idx); - if (pa_fx_fast != NULL) { - /* - * We're in the outer request - * with KRB5_PADATA_FX_FAST - * if fast is enabled we'll - * process the s4u2self - * request only in the - * inner request. - */ - return false; - } - } - if (req->padata != NULL) { int idx = 0; -- Samba Shared Repository
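Review bot: in the libsmb-basic.py hunk (@@ -215,6 +215,33 @@), `directory[0]['name']` raises IndexError rather than a readable assertion failure if `c.list("\\", "File")` comes back empty, so a `self.assertEqual(len(directory), 1)` before the name check would make a regression report clearer. The file is released with delete_on_close before the assertion runs, so a failing run does not leave `File`/`file` behind in the share.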
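Review bot: in the first filename.c hunk (@@ -785,6 +785,7 @@), the talloc_memdup failure branch right after the new assignment (`if (smb_fname_rel->base_name == NULL) {`) now runs with `original_relname` holding the client-supplied name and `base_name` NULL; the body of that branch is not shown here, so confirm it either frees `original_relname` or puts it back into `smb_fname_rel->base_name`. Before this change the old name had already been freed at that point and no such bookkeeping was needed.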
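Review bot: in the second filename.c hunk (@@ -824,10 +831,13 @@), the restore after `memcache_delete()` unconditionally does `TALLOC_FREE(smb_fname_rel->base_name); smb_fname_rel->base_name = original_relname;`. That is right for the stale-cache-hit path the new comment describes, but `original_relname` is initialised to NULL in the first hunk, so any route that reaches this point without having gone through the hit path would leave base_name NULL; a short comment stating that this block is only reached after a cache hit, or an assertion that original_relname is not NULL, would make the invariant explicit. The defensive point worth recording in the comment is that the cached spelling is trusted only while the file it named still exists; once the open fails the entry is dropped and the client's own spelling wins.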
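Review bot: in the first pac-glue.c hunk (@@ -1793,6 +1793,9 @@), `null_data` is declared without any comment; the explanation of why a zero-length buffer with a non-NULL pointer is needed only appears at the use site two hunks later. A one-line comment at the definition (that Heimdal asserts the data pointer is not NULL in krb5_pac_add_buffer(), per the commit message) would save readers a jump, and it is the `static` on `null_byte` that keeps that pointer valid for the lifetime of `null_data`, which deserves saying too.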
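Review bot: in the second pac-glue.c hunk (@@ -1936,12 +1939,9 @@), `type_data = smb_krb5_data_from_blob(type_blob);` makes `type_data` alias `type_blob.data` rather than own a copy, which is why the `smb_krb5_free_data_contents()` that previously followed both branches now lives only in the `else` branch. Since the same variable is owned in one branch and borrowed in the other, a comment on this line saying that `type_data` must not be freed here would stop someone later reinstating a common free after the if/else and double-freeing the blob.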
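Review bot: in the third pac-glue.c hunk (@@ -1950,13 +1950,17 @@), krb5_pac_add_buffer() is now called in both branches with identical arguments apart from the data pointer. Selecting the pointer first (`const krb5_data *data = (type_data.data != NULL) ? &type_data : &null_data;`) and keeping a single call after the if/else would keep the error check `if (code != 0) { goto done; }` next to the one call it guards and avoid the two call sites drifting apart.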
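Review bot: in the first wdc-samba4.c hunk (@@ -67,7 +67,6 @@), with `config` removed, check whether `kdc_request_get_config()` and `krb5_kdc_configuration` are still referenced elsewhere in the file; if they are not, the header that provided them can be dropped in the same change.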
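Review bot: in the second wdc-samba4.c hunk (@@ -75,27 +74,6 @@), the removed block is the check the commit message identifies as the cause of both unwanted behaviours (the Authentication Authority SID being returned instead of the Service Asserted Identity SID, and the RODC-issued-TGT restriction on S4U2Self being bypassable via empty FX-FAST padata in the inner request), so the deletion itself is the fix; what is missing is a regression test for that path. The diffstat shows only python/samba/tests/libsmb-basic.py gaining tests, all for BZ15481, so a KDC test that performs S4U2Self with FX-FAST padata present in the inner request and checks for the Service Asserted Identity SID (and for rejection with an RODC-issued TGT) should accompany this change, or be referenced if it was merged separately under bug 15477.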
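Added example, not Samba's code and not part of the patch above: a toy Python model of the stat-cache path in openat_pathref_fsp_case_insensitive(), replaying the sequence from test_gencache_pollution_bz15481 with and without the fix. The class and function names (StatCacheFS, open_or_create, run_scenario) are invented; the control flow mirrors the C hunks, with the pre-fix branch keeping the cached spelling after the cache target is gone and the fixed branch restoring the client's spelling the way the C change does with original_relname.

```python
# Added example (not Samba code): a toy model of smbd's case-insensitive
# name resolution fronted by a stat cache, reproducing the BZ15481
# behaviour and the fix. All names here are invented.


class StatCacheFS:
    """Case-insensitive 'share' whose lookups are fronted by a stat cache."""

    def __init__(self):
        # On-disk spelling of each file, keyed by lower-cased name: a
        # case-insensitive filesystem view, so 'file' and 'File' collide.
        self.files = {}
        # Stat cache: lower-cased client name -> on-disk spelling learned
        # by an earlier successful lookup. Deleting a file does not clear
        # it, which is the stale state BZ15481 depends on.
        self.cache = {}

    def delete(self, client_name):
        # Models delete-on-close; the stat cache entry is left behind.
        del self.files[client_name.lower()]

    def open_or_create(self, client_name, create, preserve_case):
        """Resolve client_name, creating it if absent and create is True.

        preserve_case=False models the code before the fix: after a stat
        cache hit whose target has vanished, the cached spelling keeps
        replacing the client's spelling, so a following create uses it.
        preserve_case=True models the fix: the client's spelling is put
        back once the cache entry turns out to be stale.
        """
        key = client_name.lower()
        base_name = client_name
        cached = self.cache.get(key)
        if cached is not None:
            # Cache hit: try the cached spelling first (the fast path).
            original_relname = base_name
            base_name = cached
            if self.files.get(key) == cached:
                return cached
            # Cached target is gone: drop the entry, as memcache_delete()
            # does in the real code.
            del self.cache[key]
            if preserve_case:
                base_name = original_relname
        # Slow path ('lookup:' in filename.c): case-insensitive scan.
        found = self.files.get(key)
        if found is not None:
            self.cache[key] = found
            return found
        if not create:
            raise FileNotFoundError(client_name)
        # New file: its on-disk spelling is whatever base_name holds now.
        self.files[key] = base_name
        self.cache[key] = base_name
        return base_name


def run_scenario(preserve_case):
    """Replay test_gencache_pollution_bz15481 and return the on-disk
    spelling of the file created last."""
    fs = StatCacheFS()
    fs.open_or_create("file", create=True, preserve_case=preserve_case)
    # Prime the cache: 'File' resolves to the existing 'file'.
    fs.open_or_create("File", create=False, preserve_case=preserve_case)
    fs.delete("file")
    return fs.open_or_create("File", create=True, preserve_case=preserve_case)


if __name__ == "__main__":
    print("before fix:", run_scenario(preserve_case=False))  # file
    print("after fix: ", run_scenario(preserve_case=True))   # File
```

Running the module prints `file` for the pre-fix path and `File` for the fixed one, which is exactly the difference the new unit test asserts on through `c.list("\\", "File")`.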