| Commit message (Collapse) | Author | Age | Files | Lines |
|
metze
The last 8 patches address bug #8815 (PIDL based autogenerated code allows
overwriting beyond of allocated array; CVE-2012-1182).
|
metze
|
metze
|
metze
|
elements (bug #8815 / CVE-2012-1182)
An anonymous researcher and Brian Gorenc (HP DVLabs) working
with HP's Zero Day Initiative program have found this and notified us.
metze
|
metze
|
metze
|
metze
|
Karolin
|
Karolin
(cherry picked from commit ec70cd9cb9c82ef7be8e5450a2844ff0011f0169)
|
Karolin
(cherry picked from commit d154a74f8fd8c6085beaac9f1adf20ef015d8b22)
|
Fix bug #8724 - Memory leak in parent smbd on connection.
This is CVE-2012-0817.
Patch has been created by Ira Cooper <ira@wakeful.net> and
Jeremy Allison <jra@samba.org>.
(cherry picked from commit 964620240c83024bea8bbce0bc282b0851513808)
|
Karolin
(cherry picked from commit 677f5573570ad1cbd4c1e1d920f67a0d20edea25)
|
Karolin
(cherry picked from commit a3dd55e40cc905a4535d1786f2d53cda221fb3e2)
|
Jeremy, thanks a lot for the fix!
(cherry picked from commit a3dcfb66bb3763ee95f2bfe8b7a615ffee859985)
|
Follow-up fix for an issue introduced by a fix for bug #4942.
(cherry picked from commit 69fafa216ee45829d330e9564858f6702b4b268d)
|
Karolin
(cherry picked from commit 788c8af4453bcb711da2712d8526c22689b49d38)
|
requested, we still set SEC_DESC_DACL_PRESENT in the type field.
Ensure we always ask for the set:
OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION |
DACL_SECURITY_INFORMATION |
SACL_SECURITY_INFORMATION
when getting an ACL inside the module.
(cherry picked from commit 4eb17aff84dc0dccec23e066db7a88581cf7668c)
|
still set SEC_DESC_DACL_PRESENT in the type field.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Nov 30 04:59:07 CET 2011 on sn-devel-104
(cherry picked from commit da992be64f39364fbb8bca26e9421c7a36c49ac6)
(cherry picked from commit c0ad67c1888e44be77d8f34681f12fc8b4f19f86)
|
Please feel free to add more entries.
Karolin
(cherry picked from commit 0b19c19ec6057b03fe0cbee91bbf974ca6bf3221)
|
Karolin
(cherry picked from commit db645b334e591133d664a7d1f88e82925ad52c40)
|
The last 7 patches address bug #8697 (DeletePrinterDriverEx never removes
printer driver files) and bug #4942 (DeletePrinterDriverEx deletes files
in use).
(cherry picked from commit c4a3d988a64723a51be4b3ddaddd83708d90ed13)
|
(cherry picked from commit 31f491c98c07e468e1f0e840f6accb6da3281498)
|
Test handling of DeletePrinterDriverEx when the DPD_DELETE_ALL_FILES
flag is set.
(cherry picked from commit b894e6297f36b05259fc6932a7ee1c500bc806e9)
|
printer_driver_files_in_use() performs two tasks: it returns whether any
of the files in the to-be-deleted driver overlap with other drivers, and it
also trims such files from the info structure passed in.
In processing a DeletePrinterDataEx request with DPD_DELETE_UNUSED_FILES
set, printer_driver_files_in_use() must be called to ensure files in
use by other drivers are not removed.
https://bugzilla.samba.org/show_bug.cgi?id=4942
(cherry picked from commit 8e3c0ac2815bc25360bf408c50449d154b841f8a)
|
Spoolss delete printer driver code currently makes invalid version
assumptions based on the architecture requested by the client.
Ugly hacks are in place to cover removal of other versions (2 and 3).
This change wraps multi version deletion in a simple for loop.
(cherry picked from commit 54bc662adb24be9950c827446130b91504965c8c)
|
Driver file paths stored in the registry do not include the server path
prefix. delete_driver_files() incorrectly assumes such a prefix.
https://bugzilla.samba.org/show_bug.cgi?id=8697
(cherry picked from commit c14586647451a878fdc911ee4be699b3e6485b83)
|
If DeletePrinterDriverEx is called with DPD_DELETE_ALL_FILES and files
assigned to the to-be-deleted driver overlap with other drivers then an
error is returned. Change the error code here to match Windows 2k8r2.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 29c97b7132ac316327123f200a71e70317b2dbb9)
|
Karolin
(cherry picked from commit f71b7a83c4cc3d10085ed1b7db29e222a4a9f743)
|
To be continued...
Karolin
(cherry picked from commit 3ea8d8acaefaadd2d3888bec1ef148b7242aaccf)
|
Remove looping, replace them by memcpy.
Fix bug #8674 (Buffer overflow in vfs_smb_traffic_analyzer).
(cherry picked from commit 0971582873f90bb592355fb53171d09a8ff3012e)
|
Buffer overflow issue with AES encryption in samba traffic analyzer.
(cherry picked from commit bb38a79656b6ddee01327c328435043a7d0a112b)
|
(Not needed in master as this code has changed). Ensure we set a temp
access mask before calling open(O_RDONLY|O_DIRECTORY) on the directory.
(cherry picked from commit 6b72809b7488cc530f47ad08dfde215627681cf6)
|
Ensure we process the entire ACE list instead of returning ACCESS_DENIED
and terminating the walk - ensure we only return the exact bits that cause
the access to be denied. Some of the S3 fileserver needs to know if we
are only denied DELETE access before overriding it by looking at the
containing directory ACL.
(cherry picked from commit 28834ee4fcfc204fa9a88459700fed212a1e9fce)
|
Simplify the logic in the unlink/rmdir calls - makes it readable
(and correct). Add some debug.
(cherry picked from commit d40006aa7f8a594273a9d0ad1fa1a87ae7b1ebb0)
|
target is outside of the share.
can_access_file_acl() - we can always delete a symlink.
can_delete_file_in_directory() - We don't need to do another STAT call
here, we know smb_fname->st is in a valid state.
smbd_check_open_rights() - we can always delete a symlink.
(cherry picked from commit c6bd2aa768ebf4308c53d057bc1db7adc2b67705)
|
target is outside of the share.
Ensure we use UCF_UNIX_NAME_LOOKUP flags on filename_convert()
when doing a restricted set of infolevels in trans2setfilepathinfo().
(cherry picked from commit cb5f2b3f9d5710ba66182e45bf8380c2f37b4190)
|
target is outside of the share.
Remove two unneeded check_name() calls. They have already been done
in order to get here.
(cherry picked from commit 8799e63b3859502e724cb870c954a0c03ce860e2)
|
Ensure the cnum used to claim the connection for SMB2 is the
id that will be used for the SMB2 tcon. Based on code from
Ira Cooper <ira@wakeful.net>.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Jan 18 23:14:32 CET 2012 on sn-devel-104
(cherry picked from commit 39c627b60754bd89c419b2d7e32d32c7a9af5a11)
(cherry picked from commit a455a63eaf84024f79922e95a740bf3443f37954)
|
the share.
(cherry picked from commit 6e77eac8f21925460e3b1946c2c22f6eff296322)
|
to_null specifies that character conversion should only occur until the
null pointer in an array based string.
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Jan 14 00:51:54 CET 2012 on sn-devel-104
The last 5 patches address bug #8606 (Intermittent print job failures caused by
character conversion errors).
(cherry picked from commit c92513e218432ba3fb4afe6e93c8c1fc8f684368)
|
OpenPrinterEx requests have also been observed in the wild carrying
non-utf16 garbage after the device mode devicename field null
terminator.
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 90f3708135ef6573997417bd8e53191df78519c2)
|
OpenPrinterEx requests have been observed in the wild carrying a device
mode formname "A4" followed by non-utf16 garbage after the null
terminator. Such requests currently fail during unmarshalling in the
ndr_pull_charset() codepath, causing intermittent print job failures.
This change ensures that garbage after the device mode formname null
terminator is not processed in unmarshalling.
https://bugzilla.samba.org/show_bug.cgi?id=8606
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 219d8c916fd890ca4b4eae77abd5a651aa37e4ff)
|
The same as ndr_pull_charset(), however only perform character
conversion on bytes prior to and including the null terminator.
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit aa8fbd5005c06dfd0b5ee2865c49eab285f57e62)
|
Compile into a ndr_pull_charset_to_null call.
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ec05a11c362f0aa4875c8dd3cfb853d0fae84c4c)
|
Guenther
Fix bug #8692 (ads_keytab_verify_ticket mixes talloc allocation with malloc
free).
(cherry picked from commit 6da7abe87db15d260db807643a25a96fc05e5ad9)
|
After calling any wrapper of tevent_req_notify_callback(),
e.g. tevent_req_nterror(), tevent_req_done(), tevent_req_nomem(),
a function has to return immediately, otherwise it is very likely to
crash.
metze
(similar to commit 17f1a97a614db4ed8292544988cb6a6cf56621d8)
(cherry picked from commit 740a001971bab647c1ab129b3dd2fbccaddc4e7b)
|
ctdbd_traverse is only called if the main db_context is already
open. So if we could get to information via dbwrap_fetch,
we should also be able to traverse.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Dec 23 18:19:14 CET 2011 on sn-devel-104
(cherry picked from commit 4a1895eb9921ad533910d08823c2814c470875fd)
(cherry picked from commit ff4e1df575a3d7eb484b31d6afe46825ba418981)
|
Removed path from driver files.
We only need the basenames.
(cherry picked from commit d61993043fcb7676a58658476421f5f4ff1a3fea)
|
validation causing uninitialized memory read.
(cherry picked from commit 24ac26ddfd9ee8841d1984e710a4dfe535b9abcf)
|