Commit message | Author | Age | Files | Lines
* pidl/NDR/Parser: also do range checks on the array size [samba-3.6.4] | Stefan Metzmacher | 2012-04-07 | 1 | -5/+20
  metze
  The last 8 patches address bug #8815 (PIDL based autogenerated code allows overwriting beyond of allocated array; CVE-2012-1182).
* pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength() | Stefan Metzmacher | 2012-04-07 | 1 | -28/+14
  metze
* pidl/NDR/Parser: use helper variables for array size and length | Stefan Metzmacher | 2012-04-07 | 1 | -7/+15
  metze
* pidl/NDR/Parser: remember if we already know the array length | Stefan Metzmacher | 2012-04-07 | 1 | -1/+7
  metze
* pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array ↵ | Stefan Metzmacher | 2012-04-07 | 1 | -5/+1
  elements (bug #8815 / CVE-2012-1182)
  An anonymous researcher and Brian Gorenc (HP DVLabs) working with HP's Zero Day Initiative program have found this and notified us.
  metze
* pidl/NDR/Parser: split off ParseArrayPullGetSize() and ParseArrayPullGetLength() | Stefan Metzmacher | 2012-04-07 | 1 | -13/+42
  metze
* pidl/NDR/Parser: simplify logic in DeclareArrayVariables*() | Stefan Metzmacher | 2012-04-07 | 1 | -8/+6
  metze
* pidl/NDR/Parser: declare all union helper variables in ParseUnionPull() | Stefan Metzmacher | 2012-04-07 | 1 | -2/+2
  metze
* WHATSNEW: Prepare release notes for 3.6.4. | Karolin Seeger | 2012-04-07 | 1 | -5/+10
  Karolin
* WHATSNEW: Start release notes for Samba 3.6.4. | Karolin Seeger | 2012-01-30 | 1 | -2/+44
  Karolin
  (cherry picked from commit ec70cd9cb9c82ef7be8e5450a2844ff0011f0169)
* VERSION: Bump version up to 3.6.4. | Karolin Seeger | 2012-01-30 | 1 | -1/+1
  Karolin
  (cherry picked from commit d154a74f8fd8c6085beaac9f1adf20ef015d8b22)
* s3-smbd: Fix bug #8724. [samba-3.6.3] | Ira Cooper | 2012-01-29 | 2 | -2/+13
  Fix bug #8724 - Memory leak in parent smbd on connection.
  This is CVE-2012-0817.
  Patch has been created by Ira Cooper <ira@wakeful.net> and Jeremy Allison <jra@samba.org>.
  (cherry picked from commit 964620240c83024bea8bbce0bc282b0851513808)
* WHATSNEW: Add release notes for 3.6.3. | Karolin Seeger | 2012-01-29 | 1 | -2/+52
  Karolin
  (cherry picked from commit 677f5573570ad1cbd4c1e1d920f67a0d20edea25)
* VERSION: Bump version up to 3.6.3. | Karolin Seeger | 2012-01-29 | 1 | -1/+1
  Karolin
  (cherry picked from commit a3dd55e40cc905a4535d1786f2d53cda221fb3e2)
* WHATSNEW: Add another change. [samba-3.6.2] | Karolin Seeger | 2012-01-25 | 1 | -0/+1
  Jeremy, thanks a lot for the fix!
  (cherry picked from commit a3dcfb66bb3763ee95f2bfe8b7a615ffee859985)
* s3-spoolss: Pass the right pointer type. | Jeremy Allison | 2012-01-25 | 1 | -1/+1
  Follow-up fix for an issue introduced by a fix for bug #4942.
  (cherry picked from commit 69fafa216ee45829d330e9564858f6702b4b268d)
* WHATSNEW: Add another change. | Karolin Seeger | 2012-01-23 | 1 | -0/+2
  Karolin
  (cherry picked from commit 788c8af4453bcb711da2712d8526c22689b49d38)
* Second part of fix for 8636 - When returning an ACL without SECINFO_DACL ↵ | Jeremy Allison | 2012-01-23 | 1 | -2/+4
  requested, we still set SEC_DESC_DACL_PRESENT in the type field.
  Ensure we always ask for the set: OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION when getting an ACL inside the module.
  (cherry picked from commit 4eb17aff84dc0dccec23e066db7a88581cf7668c)
* Fix bug 8636 - When returning an ACL without SECINFO_DACL requested, we ↵ | Jeremy Allison | 2012-01-23 | 2 | -0/+4
  still set SEC_DESC_DACL_PRESENT in the type field.
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Wed Nov 30 04:59:07 CET 2011 on sn-devel-104
  (cherry picked from commit da992be64f39364fbb8bca26e9421c7a36c49ac6)
  (cherry picked from commit c0ad67c1888e44be77d8f34681f12fc8b4f19f86)
* WHATSNEW: Add major changes. | Karolin Seeger | 2012-01-23 | 1 | -2/+4
  Please feel free to add more entries.
  Karolin
  (cherry picked from commit 0b19c19ec6057b03fe0cbee91bbf974ca6bf3221)
* WHATSNEW: Add more changes. | Karolin Seeger | 2012-01-23 | 1 | -0/+2
  Karolin
  (cherry picked from commit db645b334e591133d664a7d1f88e82925ad52c40)
* torture: add spoolss overlapping driver deletion tests | David Disseldorp | 2012-01-23 | 1 | -1/+118
  The last 7 patches address bug #8697 (DeletePrinterDriverEx never removes printer driver files) and bug #4942 (DeletePrinterDriverEx deletes files in use).
  (cherry picked from commit c4a3d988a64723a51be4b3ddaddd83708d90ed13)
* torture: confirm printer driver file removal | David Disseldorp | 2012-01-23 | 1 | -1/+81
  (cherry picked from commit 31f491c98c07e468e1f0e840f6accb6da3281498)
* torture: add spoolss del printer driver test | David Disseldorp | 2012-01-23 | 1 | -0/+63
  Test handling of DeletePrinterDriverEx when the DPD_DELETE_ALL_FILES flag is set.
  (cherry picked from commit b894e6297f36b05259fc6932a7ee1c500bc806e9)
* s3-spoolss: fix printer_driver_files_in_use() call ordering | David Disseldorp | 2012-01-23 | 1 | -10/+13
  printer_driver_files_in_use() performs two tasks: it returns whether any of the files in the to-be-deleted driver overlap with other drivers, it also trims such files from the info structure passed in.
  In processing a DeletePrinterDataEx request with DPD_DELETE_UNUSED_FILES set, printer_driver_files_in_use() must be called to ensure files in use by other drivers are not removed.
  https://bugzilla.samba.org/show_bug.cgi?id=4942
  (cherry picked from commit 8e3c0ac2815bc25360bf408c50449d154b841f8a)
* s3-spoolss: fix printer driver version deletion | David Disseldorp | 2012-01-23 | 1 | -174/+128
  Spoolss delete printer driver code currently makes invalid version assumptions based on the architecture requested by the client. Ugly hacks are in place to cover removal of other versions (2 and 3).
  This change wraps multi version deletion in a simple for loop.
  (cherry picked from commit 54bc662adb24be9950c827446130b91504965c8c)
* s3-spoolss: prefix print$ path on driver file deletion | David Disseldorp | 2012-01-23 | 1 | -44/+37
  Driver file paths stored in the registry do not include the server path prefix. delete_driver_files() incorrectly assumes such a prefix.
  https://bugzilla.samba.org/show_bug.cgi?id=8697
  (cherry picked from commit c14586647451a878fdc911ee4be699b3e6485b83)
* spoolss: fix DPD_DELETE_ALL_FILES error return | David Disseldorp | 2012-01-23 | 1 | -2/+1
  If DeletePrinterDriverEx is called with DPD_DELETE_ALL_FILES and files assigned to the to-be-deleted driver overlap with other drivers then an error is returned. Change the error code here to match Windows 2k8r2.
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  (cherry picked from commit 29c97b7132ac316327123f200a71e70317b2dbb9)
* WHATSNEW: Add more changes since 3.6.1. | Karolin Seeger | 2012-01-23 | 1 | -0/+85
  Karolin
  (cherry picked from commit f71b7a83c4cc3d10085ed1b7db29e222a4a9f743)
* WHATSNEW: Start release notes for 3.6.2. | Karolin Seeger | 2012-01-23 | 1 | -1/+48
  To be continued...
  Karolin
  (cherry picked from commit 3ea8d8acaefaadd2d3888bec1ef148b7242aaccf)
* [PATCH] s3: improve the code in the AES encryption. | Matthieu Patou | 2012-01-23 | 1 | -8/+8
  Remove looping replace them by memcpy.
  Fix bug #8674 (Buffer overflow in vfs_smb_traffic_analyzer).
  (cherry picked from commit 0971582873f90bb592355fb53171d09a8ff3012e)
* s3: Fix bug #8674. | Jeremy Allison | 2012-01-23 | 1 | -2/+1
  Buffer overflow issue with AES encryption in samba traffic analyzer.
  (cherry picked from commit bb38a79656b6ddee01327c328435043a7d0a112b)
* Third part of fix for bug #8673 - NT ACL issue. | Jeremy Allison | 2012-01-23 | 1 | -4/+8
  (Not needed in master as this code has changed).
  Ensure we set a temp access mask before calling open(O_RDONLY|O_DIRECTORY) on the directory.
  (cherry picked from commit 6b72809b7488cc530f47ad08dfde215627681cf6)
* Second part of fix for bug #8673 - NT ACL issue. | Jeremy Allison | 2012-01-23 | 1 | -3/+4
  Ensure we process the entire ACE list instead of returning ACCESS_DENIED and terminating the walk - ensure we only return the exact bits that cause the access to be denied. Some of the S3 fileserver needs to know if we are only denied DELETE access before overriding it by looking at the containing directory ACL.
  (cherry picked from commit 28834ee4fcfc204fa9a88459700fed212a1e9fce)
* First part of fix for bug #8673 - NT ACL issue. | Jeremy Allison | 2012-01-23 | 1 | -18/+34
  Simplify the logic in the unlink/rmdir calls - makes it readable (and correct). Add some debug.
  (cherry picked from commit d40006aa7f8a594273a9d0ad1fa1a87ae7b1ebb0)
* Third part of fix for bug #8663 - deleting a symlink fails if the symlink ↵ | Jeremy Allison | 2012-01-23 | 2 | -12/+21
  target is outside of the share.
  can_access_file_acl() - we can always delete a symlink.
  can_delete_file_in_directory() - We don't need to do another STAT call here, we know smb_fname->st is in a valid state.
  smbd_check_open_rights() - we can always delete a symlink.
  (cherry picked from commit c6bd2aa768ebf4308c53d057bc1db7adc2b67705)
* Second part of fix for bug #8663 - deleting a symlink fails if the symlink ↵ | Jeremy Allison | 2012-01-23 | 1 | -1/+9
  target is outside of the share.
  Ensure we use UCF_UNIX_NAME_LOOKUP flags on filename_convert() when doing a restricted set of infolevels in trans2setfilepathinfo().
  (cherry picked from commit cb5f2b3f9d5710ba66182e45bf8380c2f37b4190)
* First part of fix for bug #8663 - deleting a symlink fails if the symlink ↵ | Jeremy Allison | 2012-01-23 | 1 | -12/+0
  target is outside of the share.
  Remove two unneeded check_name() calls. They have already been done in order to get here.
  (cherry picked from commit 8799e63b3859502e724cb870c954a0c03ce860e2)
* Fix bug 8710 - connections.tdb - major leak with SMB2. | Jeremy Allison | 2012-01-23 | 3 | -22/+78
  Ensure the cnum used to claim the connection for SMB2 is the id that will be used for the SMB2 tcon. Based on code from Ira Cooper <ira@wakeful.net>.
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Wed Jan 18 23:14:32 CET 2012 on sn-devel-104
  (cherry picked from commit 39c627b60754bd89c419b2d7e32d32c7a9af5a11)
  (cherry picked from commit a455a63eaf84024f79922e95a740bf3443f37954)
* Fix bug #8664 - Renaming a symlink fails if the symlink target is outside of ↵ | Jeremy Allison | 2012-01-23 | 1 | -2/+4
  the share.
  (cherry picked from commit 6e77eac8f21925460e3b1946c2c22f6eff296322)
* idl: add to_null property | David Disseldorp | 2012-01-23 | 1 | -1/+8
  to_null specifies that character conversion should only occur until the null pointer in an array based string.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Sat Jan 14 00:51:54 CET 2012 on sn-devel-104
  The last 5 patches address bug #8606 (Intermittent print job failures caused by character conversion errors).
  (cherry picked from commit c92513e218432ba3fb4afe6e93c8c1fc8f684368)
* idl: add to_null attribute to the spoolss devicename array | David Disseldorp | 2012-01-23 | 1 | -1/+1
  OpenPrinterEx requests have also been observed in the wild carrying non-utf16 garbage after the device mode devicename field null terminator.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 90f3708135ef6573997417bd8e53191df78519c2)
* idl: add to_null attribute to the spoolss formname array | David Disseldorp | 2012-01-23 | 1 | -1/+1
  OpenPrinterEx requests have been observed in the wild carrying a device mode formname "A4" followed by non-utf16 garbage after the null terminator. Such requests currently fail during unmarshalling in the ndr_pull_charset() codepath, causing intermittent print job failures.
  This change ensures that garbage after the device mode formname null terminator is not processed in unmarshalling.
  https://bugzilla.samba.org/show_bug.cgi?id=8606
  Signed-off-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 219d8c916fd890ca4b4eae77abd5a651aa37e4ff)
* ndr: add ndr_pull_charset_to_null() | David Disseldorp | 2012-01-23 | 2 | -0/+33
  The same as ndr_pull_charset(), however only perform character conversion on bytes prior to and including the null terminator.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit aa8fbd5005c06dfd0b5ee2865c49eab285f57e62)
* idl: add parser for the to_null property | David Disseldorp | 2012-01-23 | 1 | -1/+5
  Compile into a ndr_pull_charset_to_null call.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit ec05a11c362f0aa4875c8dd3cfb853d0fae84c4c)
* s3-libads: fix malloc/talloc mismatch in ads_keytab_verify_ticket(). | Günther Deschner | 2012-01-23 | 1 | -1/+1
  Guenther
  Fix bug #8692 (ads_keytab_verify_ticket mixes talloc allocation with malloc free).
  (cherry picked from commit 6da7abe87db15d260db807643a25a96fc05e5ad9)
* libcli/cldap: fix a crash bug in cldap_socket_recv_dgram() (bug #8593) | Stefan Metzmacher | 2012-01-23 | 1 | -5/+5
  After calling any wrapper of tevent_req_notify_callback(), e.g. tevent_req_nterror(), tevent_req_done(), tevent_req_nomem(), a function has to return immediately otherwise it is very likely to crash.
  metze
  (similar to commit 17f1a97a614db4ed8292544988cb6a6cf56621d8)
  (cherry picked from commit 740a001971bab647c1ab129b3dd2fbccaddc4e7b)
* s3:lib/ctdbd_conn: try ctdbd_init_connection() as root (bug #8684) | Stefan Metzmacher | 2012-01-23 | 1 | -0/+2
  ctdbd_traverse is only called if the main db_context is already open. So if we could get to information via dbwrap_fetch, we should also be able to traverse.
  metze
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Fri Dec 23 18:19:14 CET 2011 on sn-devel-104
  (cherry picked from commit 4a1895eb9921ad533910d08823c2814c470875fd)
  (cherry picked from commit ff4e1df575a3d7eb484b31d6afe46825ba418981)
* s3-printing: fix migrate printer code (bug 8618) | Björn Baumbach | 2012-01-23 | 1 | -0/+27
  Removed path from driver files. We only need the basenames.
  (cherry picked from commit d61993043fcb7676a58658476421f5f4ff1a3fea)
* Fix bug #8686 - Packet validation checks can be done before length ↵ | Volker Lendecke | 2012-01-23 | 1 | -2/+2
  validation causing uninitialized memory read.
  (cherry picked from commit 24ac26ddfd9ee8841d1984e710a4dfe535b9abcf)