author | Samuel Cabrero <scabrero@suse.de> | 2022-06-13 13:56:10 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2022-06-27 15:50:30 +0000 |
commit | d64335eaef5ad690ea923a8e6656b9185a54d9fa (patch) | |
tree | 4b4ac7870c47207d7db997bb33fef581cf77d268 | |
parent | c1ab39163bbaf8ef9c8dc92b1d14c3f6cb56456c (diff) | |
download | samba-d64335eaef5ad690ea923a8e6656b9185a54d9fa.tar.gz |
s3:libads: Allocate ads->auth.password under ADS_STRUCT talloc context
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | libgpo/pygpo.c | 31 | ||||
-rw-r--r-- | source3/lib/netapi/joindomain.c | 14 | ||||
-rw-r--r-- | source3/libads/ads_struct.c | 1 | ||||
-rw-r--r-- | source3/libnet/libnet_join.c | 8 | ||||
-rw-r--r-- | source3/printing/nt_printing_ads.c | 47 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 8 | ||||
-rw-r--r-- | source3/utils/net_ads_join_dns.c | 15 | ||||
-rw-r--r-- | source3/winbindd/winbindd_ads.c | 8 |
8 files changed, 95 insertions, 37 deletions
diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index 85a4aaa1581..b9570b24d82 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -230,13 +230,17 @@ static PyObject* py_ads_connect(ADS *self, return NULL; } SAFE_FREE(self->ads_ptr->auth.user_name); - SAFE_FREE(self->ads_ptr->auth.password); + TALLOC_FREE(self->ads_ptr->auth.password); TALLOC_FREE(self->ads_ptr->auth.realm); if (self->cli_creds) { self->ads_ptr->auth.user_name = SMB_STRDUP(cli_credentials_get_username(self->cli_creds)); - self->ads_ptr->auth.password = - SMB_STRDUP(cli_credentials_get_password(self->cli_creds)); + self->ads_ptr->auth.password = talloc_strdup(self->ads_ptr, + cli_credentials_get_password(self->cli_creds)); + if (self->ads_ptr->auth.password == NULL) { + PyErr_NoMemory(); + goto err; + } self->ads_ptr->auth.realm = talloc_strdup(self->ads_ptr, cli_credentials_get_realm(self->cli_creds)); if (self->ads_ptr->auth.realm == NULL) { @@ -254,22 +258,29 @@ static PyObject* py_ads_connect(ADS *self, goto err; } - passwd = secrets_fetch_machine_password(self->ads_ptr->server.workgroup, - NULL, NULL); + ret = asprintf(&(self->ads_ptr->auth.user_name), "%s$", + lp_netbios_name()); + if (ret == -1) { + PyErr_NoMemory(); + goto err; + } + + passwd = secrets_fetch_machine_password( + self->ads_ptr->server.workgroup, NULL, NULL); if (passwd == NULL) { PyErr_SetString(PyExc_RuntimeError, "Failed to fetch the machine account " "password"); goto err; } - ret = asprintf(&(self->ads_ptr->auth.user_name), "%s$", - lp_netbios_name()); - if (ret == -1) { - SAFE_FREE(passwd); + + self->ads_ptr->auth.password = talloc_strdup(self->ads_ptr, + passwd); + SAFE_FREE(passwd); + if (self->ads_ptr->auth.password == NULL) { PyErr_NoMemory(); goto err; } - self->ads_ptr->auth.password = passwd; /* take ownership of this data */ self->ads_ptr->auth.realm = talloc_asprintf_strupper_m( self->ads_ptr, "%s", self->ads_ptr->server.realm); if (self->ads_ptr->auth.realm == NULL) { 
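Review bot: In the `self->cli_creds` branch of the first pygpo.c hunk, the new NULL check cannot tell an allocation failure from a missing password, because `talloc_strdup()` also returns NULL when `cli_credentials_get_password()` hands it NULL. Credentials that carry no cleartext password would then surface in Python as `MemoryError`, which hides the real cause. Fetch the string first with `const char *pw = cli_credentials_get_password(self->cli_creds);` and either skip the copy or raise a specific error when `pw == NULL`, keeping `PyErr_NoMemory()` for the case where `pw` is set and the copy fails. py_ads_connect starts and ends outside this hunk, so what the `err` label cleans up is not visible here.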
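Review bot: The machine-account branch in the second pygpo.c hunk now holds the cleartext machine password in two heap buffers and wipes neither: `SAFE_FREE(passwd)` releases the malloc'ed original as is, and the talloc copy under `self->ads_ptr` is later released by a plain `TALLOC_FREE`. Mark the copy right after its NULL check with `talloc_keep_secret(self->ads_ptr->auth.password);` so it is zeroed when freed, and clear `passwd` over its length before `SAFE_FREE(passwd)`. The same fetch, copy and free sequence is added in the three source3/printing/nt_printing_ads.c hunks and in source3/utils/net_ads_join_dns.c. The other `talloc_strdup(ads, ...)` password copies in this commit would benefit from the same marking.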
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c index 7438e8407be..aa0cefe163e 100644 --- a/source3/lib/netapi/joindomain.c +++ b/source3/lib/netapi/joindomain.c @@ -446,15 +446,23 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx, } } - SAFE_FREE(ads->auth.password); + TALLOC_FREE(ads->auth.password); if (r->in.password) { - ads->auth.password = SMB_STRDUP(r->in.password); + ads->auth.password = talloc_strdup(ads, r->in.password); + if (ads->auth.password == NULL) { + ret = WERR_NOT_ENOUGH_MEMORY; + goto out; + } } else { const char *password = NULL; libnetapi_get_password(ctx, &password); if (password != NULL) { - ads->auth.password = SMB_STRDUP(password); + ads->auth.password = talloc_strdup(ads, password); + if (ads->auth.password == NULL) { + ret = WERR_NOT_ENOUGH_MEMORY; + goto out; + } } } diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c index e344d42ae43..b1ae510aafd 100644 --- a/source3/libads/ads_struct.c +++ b/source3/libads/ads_struct.c @@ -130,7 +130,6 @@ static void ads_destroy(ADS_STRUCT **ads) #ifdef HAVE_LDAP ads_disconnect(*ads); #endif - SAFE_FREE((*ads)->auth.password); SAFE_FREE((*ads)->auth.user_name); SAFE_FREE((*ads)->auth.kdc_server); SAFE_FREE((*ads)->auth.ccache_name); diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 4dd6ab5410a..0ec5ff4c1d8 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -185,8 +185,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, } if (password) { - SAFE_FREE(my_ads->auth.password); - my_ads->auth.password = SMB_STRDUP(password); + TALLOC_FREE(my_ads->auth.password); + my_ads->auth.password = talloc_strdup(my_ads, password); + if (my_ads->auth.password == NULL) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; + } } if (ccname != NULL) { diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c index 026605372c0..ff41baad5a2 100644 
--- a/source3/printing/nt_printing_ads.c +++ b/source3/printing/nt_printing_ads.c @@ -220,12 +220,8 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer, char *printer_dn; WERROR result; ADS_STATUS ads_status; - TALLOC_CTX *tmp_ctx; - - tmp_ctx = talloc_new(mem_ctx); - if (tmp_ctx == NULL) { - return WERR_NOT_ENOUGH_MEMORY; - } + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + char *machine_password = NULL; ads = ads_init(tmp_ctx, lp_realm(), @@ -239,9 +235,17 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer, old_krb5ccname = getenv(KRB5_ENV_CCNAME); setenv(KRB5_ENV_CCNAME, "MEMORY:prtpub_cache", 1); - SAFE_FREE(ads->auth.password); - ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), + TALLOC_FREE(ads->auth.password); + machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); + if (machine_password != NULL) { + ads->auth.password = talloc_strdup(ads, machine_password); + SAFE_FREE(machine_password); + if (ads->auth.password == NULL) { + result = WERR_NOT_ENOUGH_MEMORY; + goto out; + } + } ads_status = ads_connect(ads); if (!ADS_ERR_OK(ads_status)) { @@ -647,6 +651,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads = NULL; WERROR win_rc; char *old_krb5ccname = NULL; + char *machine_password = NULL; sinfo2 = talloc_zero(tmp_ctx, struct spoolss_SetPrinterInfo2); if (!sinfo2) { 
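Review bot: Switching `tmp_ctx` to `talloc_stackframe()` at the top of nt_printer_guid_retrieve means every exit from the function has to release that frame, and the exits lie outside this hunk. Any `return` that does not pass through the `out` label would leave the frame on the talloc stack, and an allocation failure here is no longer returned as `WERR_NOT_ENOUGH_MEMORY` as the removed `talloc_new()` check did. Please confirm that all paths reach `out`, and consider a comment next to the declaration such as `/* stackframe: every exit must go through 'out' */`.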
@@ -693,9 +698,17 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx, } old_krb5ccname = getenv(KRB5_ENV_CCNAME); setenv(KRB5_ENV_CCNAME, "MEMORY:prtpub_cache", 1); - SAFE_FREE(ads->auth.password); - ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), + TALLOC_FREE(ads->auth.password); + machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); + if (machine_password != NULL) { + ads->auth.password = talloc_strdup(ads, machine_password); + SAFE_FREE(machine_password); + if (ads->auth.password == NULL) { + win_rc = WERR_NOT_ENOUGH_MEMORY; + goto done; + } + } /* ads_connect() will find the DC for us */ ads_rc = ads_connect(ads); @@ -741,6 +754,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx) NTSTATUS status; WERROR result; char *old_krb5ccname = NULL; + char *machine_password = NULL; ads = ads_init(tmp_ctx, lp_realm(), @@ -754,10 +768,17 @@ WERROR check_published_printers(struct messaging_context *msg_ctx) } old_krb5ccname = getenv(KRB5_ENV_CCNAME); setenv(KRB5_ENV_CCNAME, "MEMORY:prtpub_cache", 1); - SAFE_FREE(ads->auth.password); - ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), + TALLOC_FREE(ads->auth.password); + machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); - + if (machine_password != NULL) { + ads->auth.password = talloc_strdup(ads, machine_password); + SAFE_FREE(machine_password); + if (ads->auth.password == NULL) { + result = WERR_NOT_ENOUGH_MEMORY; + goto done; + } + } /* ads_connect() will find the DC for us */ ads_rc = ads_connect(ads); if (!ADS_ERR_OK(ads_rc)) { diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 11efde7947f..008e0e89be2 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c 
@@ -659,8 +659,12 @@ retry: if (c->opt_password) { use_in_memory_ccache(); - SAFE_FREE(ads->auth.password); - ads->auth.password = smb_xstrdup(c->opt_password); + TALLOC_FREE(ads->auth.password); + ads->auth.password = talloc_strdup(ads, c->opt_password); + if (ads->auth.password == NULL) { + TALLOC_FREE(ads); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } } SAFE_FREE(ads->auth.user_name); diff --git a/source3/utils/net_ads_join_dns.c b/source3/utils/net_ads_join_dns.c index 286a77c5c9d..1009f510e3b 100644 --- a/source3/utils/net_ads_join_dns.c +++ b/source3/utils/net_ads_join_dns.c @@ -244,6 +244,7 @@ void net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, struct lib ADS_STRUCT *ads_dns = NULL; int ret; NTSTATUS status; + char *machine_password = NULL; /* * In a clustered environment, don't do dynamic dns updates: @@ -289,11 +290,17 @@ void net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, struct lib goto done; } - ads_dns->auth.password = secrets_fetch_machine_password( + machine_password = secrets_fetch_machine_password( r->out.netbios_domain_name, NULL, NULL); - if (ads_dns->auth.password == NULL) { - d_fprintf(stderr, _("DNS update failed: out of memory\n")); - goto done; + if (machine_password != NULL) { + ads_dns->auth.password = talloc_strdup(ads_dns, + machine_password); + SAFE_FREE(machine_password); + if (ads_dns->auth.password == NULL) { + d_fprintf(stderr, + _("DNS update failed: out of memory\n")); + goto done; + } } ads_dns->auth.realm = talloc_asprintf_strupper_m(ads_dns, "%s", r->out.dns_domain_name); diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index 4da52a40f93..d2b0962ac71 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c 
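Review bot: A failed `secrets_fetch_machine_password()` is no longer treated as an error in the second net_ads_join_dns.c hunk. Before this change a NULL result printed the failure message and jumped to `done`; now the `if (machine_password != NULL)` block is simply skipped and net_ads_join_dns_updates carries on with `ads_dns->auth.password` unset. The later connect would then fail for a much less obvious reason. Keep the early exit ahead of the copy, for example `if (machine_password == NULL) { d_fprintf(stderr, _("DNS update failed: out of memory\n")); goto done; }`, ideally with wording that names the fetch failure rather than memory. The function body continues outside the hunk.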
@@ -125,11 +125,15 @@ static ADS_STATUS ads_cached_connection_connect(const char *target_realm, goto out; } - SAFE_FREE(ads->auth.password); + TALLOC_FREE(ads->auth.password); TALLOC_FREE(ads->auth.realm); ads->auth.renewable = renewable; - ads->auth.password = password; + ads->auth.password = talloc_strdup(ads, password); + if (ads->auth.password == NULL) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; + } /* In FIPS mode, client use kerberos is forced to required. */ krb5_state = lp_client_use_kerberos(); |
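Review bot: `ads_cached_connection_connect()` used to take ownership of `password` through `ads->auth.password = password;` and now copies it, which changes the contract for callers that are outside this hunk. If a caller still hands over a malloc'ed machine password and relies on the ADS_STRUCT to release it, that cleartext buffer is now leaked, so callers need to free (and preferably wipe) it themselves. A NULL `password`, which the old assignment accepted, now makes `talloc_strdup()` return NULL and is reported as `NT_STATUS_NO_MEMORY`. If NULL is a legal argument, guard the copy with `if (password != NULL) {` as the other call sites in this commit do. A short comment on the parameter saying that the string is copied and stays owned by the caller would document the new ownership.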