path: root/lib
Commit message (Author, Age, Files, Lines)
* CVE-2020-27840: pytests: move Dn.validate test to ldb (Douglas Bagnall, 2021-03-22, files: 2, lines: -0/+46)

  We had the test in the Samba Python segfault suite because a) the signal catching infrastructure was there, and b) the ldb tests lack Samba's knownfail mechanism, which allowed us to assert the failure.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode (Douglas Bagnall, 2021-03-22, files: 1, lines: -0/+1)

  A DN string with lots of trailing space can cause ldb_dn_explode() to put a zero byte in the wrong place in the heap.

  When a DN string has a value represented with trailing spaces, like this

      "CN=foo   ,DC=bar"

  the whitespace is supposed to be ignored. We keep track of this in the `t` pointer, which is NULL when we are not walking through trailing spaces, and points to the first space when we are. We are walking with the `p` pointer, writing the value to `d`, and keeping the length in `l`.

      "CN=foo   ,DC= " ==> "foo   "
             ^  ^                 ^
             t  p                 d
                            --l---

  The value is finished when we encounter a comma or the end of the string. If `t` is not NULL at that point, we assume there are trailing spaces and wind `d` and `l` back by the correct amount. Then we switch to expecting an attribute name (e.g. "CN"), until we get to an "=", which puts us back into looking for a value.

  Unfortunately, we forget to immediately tell `t` that we'd finished the last value, we can end up like this:

      "CN=foo   ,DC= " ==> ""
             ^      ^       ^
             t      p       d
                            l=0

  where `p` is pointing to a new value that contains only spaces, while `t` is still referring to the old value. `p` notices the value ends, and we subtract `p - t` from `d`:

      "CN=foo   ,DC= " ==> ?  ""
             ^       ^     ^
             t       p     d
                           l ~= SIZE_MAX - 8

  At that point `d` wants to terminate its string with a '\0', but instead it terminates someone else's byte. This does not crash if the number of trailing spaces is small, as `d` will point into a previous value (a copy of "foo" in this example). Corrupting that value will ultimately not matter, as we will soon try to allocate a buffer `l` long, which will be greater than the available memory and the whole operation will fail properly.

  However, with more spaces, `d` will point into memory before the beginning of the allocated buffer, with the exact offset depending on the length of the earlier attributes and the number of spaces.

  What about a longer DN with more attributes? For example, "CN=foo ,DC= ,DC=example,DC=com" -- since `d` has moved out of bounds, won't we continue to use it and write more DN values into mystery memory? Fortunately not, because the aforementioned allocation of `l` bytes must happen first, and `l` is now huge. The allocation happens in a talloc_memdup(), which is by default restricted to allocating 256MB.

  So this allows a person who controls a string parsed by ldb_dn_explode to corrupt heap memory by placing a single zero byte at a chosen offset before the allocated buffer.

  An LDAP bind request can send a string DN as a username. This DN is necessarily parsed before the password is checked, so an attacker does not need proper credentials. The attacker can easily cause a denial of service and we cannot rule out more subtle attacks.

  The immediate solution is to reset `t` to NULL when a comma is encountered, indicating that we are no longer looking at trailing whitespace.

  Found with the help of Honggfuzz.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
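The stale-`t` sequence described in the CVE-2020-27840 commit message above, as a simplified C model added here; it is not ldb's code. The names `model_explode`, `wind_back`, `struct model_result` and `MODEL_MAX` are hypothetical, the input in `main` is constructed, attribute names are not copied into the buffer, and instead of performing the misplaced write the model refuses the wind-back and reports how far before the start of the current value `d` would have landed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MODEL_MAX 256 /* constructed limit, for this model only */
struct model_result {
	bool rejected;    /* a wind-back longer than the current value was requested */
	size_t overshoot; /* bytes before the value start that `d` would have reached */
	size_t values;    /* values completed before stopping */
	size_t last_len;  /* `l` of the last completed value */
};

/* Wind `d` and `l` back over trailing spaces, refusing to pass the value start. */
static bool wind_back(const char *p, const char *t, char **d, size_t *l,
		      struct model_result *r)
{
	size_t n = (size_t)(p - t);
	if (n > *l) { /* stale `t`: the point where the '\0' would be misplaced */
		r->rejected = true;
		r->overshoot = n - *l;
		return false;
	}
	*d -= n;
	*l -= n;
	return true;
}

/* Model of the value loop only: no quoting, no escapes, names are not copied. */
struct model_result model_explode(const char *dn, bool reset_t_on_comma)
{
	struct model_result r = { false, 0, 0, 0 };
	char out[MODEL_MAX];
	const char *p = dn, *t = NULL;
	char *d = out;
	size_t l = 0;
	bool in_value = false, leading = false;
	if (strlen(dn) >= MODEL_MAX) {
		r.rejected = true;
		return r;
	}
	for (; *p != '\0'; p++) {
		if (!in_value) { /* attribute name: wait for '=' */
			if (*p == '=') {
				in_value = leading = true;
				l = 0;
			}
			continue;
		}
		if (leading && *p == ' ')
			continue; /* leading spaces are skipped, `t` is untouched */
		leading = false;
		if (*p == ',') { /* value finished */
			if (t != NULL && !wind_back(p, t, &d, &l, &r))
				return r;
			if (reset_t_on_comma)
				t = NULL; /* the fix described in the commit message */
			*d++ = '\0';
			r.values++;
			r.last_len = l;
			in_value = false;
			continue;
		}
		if (*p != ' ')
			t = NULL; /* earlier spaces were inside the value */
		else if (t == NULL)
			t = p; /* first candidate trailing space */
		*d++ = *p;
		l++;
	}
	if (in_value) { /* end of string finishes the last value */
		if (t != NULL && !wind_back(p, t, &d, &l, &r))
			return r;
		*d = '\0';
		r.values++;
		r.last_len = l;
	}
	return r;
}

int main(void)
{
	const char *dn = "CN=foo   ,DC=   "; /* constructed; exit 0 if only the unfixed run is rejected */
	return !(model_explode(dn, false).rejected && !model_explode(dn, true).rejected);
}
```

A value with real characters after the comma clears `t` in both variants, which is why the stale pointer only matters when the following value consists solely of spaces.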
* CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds (Douglas Bagnall, 2021-03-22, files: 1, lines: -1/+1)

  For a string that had N spaces at the beginning, we would try to move N bytes beyond the end of the string.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry-picked from commit for master)
* CVE-2021-20277 ldb: Remove tests from ldb_match_test that do not pass (Andrew Bartlett, 2021-03-22, files: 1, lines: -2/+0)

  This reverts some of the backport of 33a95a1e75b85e9795c4490b78ead2162e2a1f47

  This is done here rather than squashed in the cherry-pick of the expanded testsuite because it allows this commit to be simply reverted for the backport of bug 14044 if this lands first, or to be dropped if bug 14044 lands first.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* CVE-2021-20277 ldb tests: ldb_match tests with extra spaces (Douglas Bagnall, 2021-03-22, files: 1, lines: -1/+7)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry-picked from commit for master)
* ldb: add tests for ldb_wildcard_compare (Douglas Bagnall, 2021-03-22, files: 1, lines: -10/+124)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Björn Jacke <bjacke@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry-picked from commit 33a95a1e75b85e9795c4490b78ead2162e2a1f47)
* lib:util: Avoid free'ing our own pointer (Andreas Schneider, 2021-02-05, files: 1, lines: -4/+15)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 0bdbe50fac680be3fe21043246b8c75005611351)
  Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-12-test): Fri Feb 5 12:14:09 UTC 2021 on sn-devel-184
* lib:util: Add cache oversize test for memcache (Andreas Schneider, 2021-02-05, files: 1, lines: -0/+39)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 00543ab3b29e3fbfe8314e51919629803e14ede6)
* lib:util: Add basic memcache unit test (Andreas Schneider, 2021-02-05, files: 2, lines: -1/+129)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit bebbf621d6052f797c5cf19a2a9bbc13e699d3f0)
* lib:util: Add directory_create_or_exists_recursive() (Andreas Schneider, 2021-01-13, files: 3, lines: -7/+165)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14601
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  from commit bf7b165877bdfd07eb84ecafdc87bd7a6d945f09)
* debug: detect logrotation by checking inode number (Ralph Boehme, 2020-12-09, files: 1, lines: -2/+29)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 3651a51e93b45104323d5db1d5ea704d4f71acf1)
* debug: pass struct debug_class *config to do_one_check_log_size() (Ralph Boehme, 2020-12-09, files: 1, lines: -13/+9)

  Pass a pointer to the struct instead of all struct members individually. No change in behaviour.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit b7ee36146458bcc2c944f5670b7632df8281ae61)
* debug: pass struct debug_class *config to reopen_one_log() (Ralph Boehme, 2020-12-09, files: 1, lines: -6/+6)

  Pass a pointer to the struct instead of all struct members individually. No change in behaviour.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 29cd139a32d5dbf36bef68eb9c7f1160201e3042)
* loadparm: setup debug subsystem setting max_log_size from config (Ralph Boehme, 2020-12-09, files: 1, lines: -0/+1)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit ab2c712c016f4e4dacd5064b9eb8f6417f4b9b60)
* lib/replace: move lib/replace/closefrom.c from ROKEN_HOSTCC_SOURCE to REPLACE_HOSTCC_SOURCE (Stefan Metzmacher, 2020-09-09, files: 1, lines: -0/+3)

  This is where it really belongs and we avoid the strange interaction with source4/heimdal_build/config.h. This is a follow up for commit f31333d40e6fa38daa32a3ebb32d5a317c06fc62.

  This fixes a build problem if libbsd-dev is not installed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14482
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Björn Jacke <bjacke@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Sep 8 13:59:58 UTC 2020 on sn-devel-184
  (cherry picked from commit 0022cd94587b805a525b0b9ef71ff0f15780424a)
  Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-12-test): Wed Sep 9 14:16:26 UTC 2020 on sn-devel-184
* util: Add cmocka unit test for directory_create_or_exists (Christof Schmitt, 2020-08-17, files: 2, lines: -0/+240)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14166
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Sun Aug 16 07:06:59 UTC 2020 on sn-devel-184
  (cherry picked from commit e89ec78e9a262a6e7bb9082323083eb5f1609655)
  Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-12-test): Mon Aug 17 12:44:53 UTC 2020 on sn-devel-184
* util: Allow symlinks in directory_create_or_exist (Christof Schmitt, 2020-08-17, files: 1, lines: -2/+16)

  Commit 9f60a77e0b updated the check to avoid having files or other objects instead of a directory. This missed the valid case that there might be a symlink to a directory. Updated the check accordingly to allow symlinks to directories.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14166
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit 672212cecdd7a7de40acdc81c56e2996ea82c090)
* lib/debug: set the correct default backend loglevel to MAX_DEBUG_LEVEL (Ralph Boehme, 2020-07-09, files: 1, lines: -1/+1)

  This fixed a regression introduced by commit c83ce5f4f99aef94530411ec82cc03e9935b352d for bug #14345.

  The backend loglevel globally restricts logging of a particular backend. If this value is smaller than any explicitly configured logging class, logging for this class is skipped.

  Eg, given the following logging config in smb.conf:

      log level = 1 auth_json_audit:3@/var/log/samba/samba_auth_audit.log

  the default class loglevel of 1 (dbgc_config[DBGC_ALL].loglevel) will be assigned to the backend loglevel.

  So even though the logging class auth_json_audit is configured at level 3, this doesn't become effective as the file backend drops all log messages with a level below 1.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14426
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Thu Jul 2 13:25:29 UTC 2020 on sn-devel-184
  (cherry picked from commit 71488b812fe737df2d3439a6ff3f95bb69b4a5bd)
* lib/debug: assert file backend (Ralph Boehme, 2020-07-09, files: 1, lines: -6/+6)

  The debug file backend is a built-in default, if it's missing we're totally screwed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14426
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  (cherry picked from commit 5aeaa6959da326095e98f0369b6d91dc5667415e)
* dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7 (Andrew Bartlett, 2020-07-06, files: 1, lines: -0/+1)

  On RHEL7 crypt_r() will set errno. This is a problem because the implementation of crypt_r() in RHEL8 and elsewhere in libcrypt will return non-NULL but set errno on failure.

  The workaround is to use crypt_rn(), provided only by libcrypt, which will return NULL on failure, and so avoid checking errno in the non-failure case.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  (cherry picked from commit 91453f110fa72062291eb59ad9d95fab0f423557)
* util: fix build on AIX by fixing the order of replace.h include (Bjoern Jacke, 2020-07-06, files: 1, lines: -1/+1)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14422
  Signed-off-by: Bjoern Jacke <bjacke@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit d93a6d2663a25bca072cd5623aea16e21ed650b8)
* util: Reallocate larger buffer if getpwuid_r() returns ERANGE (Martin Schwenke, 2020-07-06, files: 1, lines: -0/+13)

  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Bjoern Jacke <bjacke@samba.org>
  Autobuild-User(master): Martin Schwenke <martins@samba.org>
  Autobuild-Date(master): Tue Jun 9 21:07:24 UTC 2020 on sn-devel-184
  (cherry picked from commit ddac6b2eb4adaec8fc5e25ca07387d2b9417764c)
* util: Fix build on FreeBSD by avoiding NSS_BUFLEN_PASSWD (Martin Schwenke, 2020-07-06, files: 1, lines: -5/+22)

  NSS_BUFLEN_PASSWD is not defined on FreeBSD. Use sysconf(_SC_GETPW_R_SIZE_MAX) instead, as per POSIX.

  Use a dynamically allocated buffer instead of trying to cram all of the logic into the declarations. This will come in useful later anyway.

  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Bjoern Jacke <bjacke@samba.org>
  (cherry picked from commit 847208cd8ac68c4c7d1dae63767820db1c69292b)
* util: Simplify input validation (Martin Schwenke, 2020-07-06, files: 1, lines: -5/+4)

  It appears that snprintf(3) is being used for input validation. However, this seems like overkill because it causes szPath to be copied an extra time. The most likely protections being sought here, according to https://cwe.mitre.org/data/definitions/20.html, look to be DoS attacks involving CPU and memory usage. A simpler check that uses strnlen(3) can mitigate against both of these and is simpler.

  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Bjoern Jacke <bjacke@samba.org>
  (cherry picked from commit 922bce2668994dd2a5988c17060f977e9bb0c229)
* Merge tag 'samba-4.12.4' into v4-12-test (Karolin Seeger, 2020-07-02, files: 4, lines: -2/+295)
|\
    samba: tag release samba-4.12.4
| * ldb: Bump version to 2.1.4 [tag: ldb-2.1.4] (Gary Lockyer, 2020-06-25, files: 3, lines: -1/+287)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
| * CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice (Gary Lockyer, 2020-06-25, files: 1, lines: -1/+8)

    Prevent use after free issues if ldb_lock_backend_callback is called twice, usually due to ldb_module_done being called twice. This can happen if a module ignores the return value from a function that calls ldb_module_done as part of its error handling.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* | ldb_ldap: fix off-by-one increment in lldb_add_msg_attr (Alexander Bokovoy, 2020-06-24, files: 1, lines: -2/+0)

    Fix regression introduced by commit ce2bf5c72b6423fff680b3d6a9042103a6cdda55

    lldb_add_msg_attr() calls ldb_msg_add_empty() which, in turn, calls _ldb_msg_add_el() which already increments msg->num_elements by one.

    As a result, msg->num_elements is bigger than the actual number of elements and any iteration over elements would step over elements array boundary.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14413
    Signed-off-by: Alexander Bokovoy <ab@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Fri Jun 19 08:35:33 UTC 2020 on sn-devel-184
    (cherry picked from commit 990a0fc4a0481aed817fad7575d8df453fbe7af9)
    Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
    Autobuild-Date(v4-12-test): Wed Jun 24 11:22:16 UTC 2020 on sn-devel-184
* | lib/ldb: add unit test for ldb_ldap internal code (Alexander Bokovoy, 2020-06-24, files: 2, lines: -0/+119)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14413
    Signed-off-by: Alexander Bokovoy <ab@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    (cherry picked from commit 36bd6edd8a603f3aa34aff81c43ef26efd3ad4cf)
* | s3: lib: Paranoia around use of snprintf copying into a fixed-size buffer from a getenv() pointer. (Jeremy Allison, 2020-05-25, files: 1, lines: -2/+6)

    Post checks for overflow/error.

    Signed-off-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Mon May 18 23:42:57 UTC 2020 on sn-devel-184
    (cherry picked from commit dd1f750293ef4361455a5d5b63fc7a89495715b7)
* | lib:util: Add test for path_expand_tilde() (Andreas Schneider, 2020-05-25, files: 2, lines: -0/+133)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    (backported from commit a15bd5493b696c66c6803d8ca65bc13f1cfcdf0a)
* | lib:util: Add path_expand_tilde() (Andreas Schneider, 2020-05-25, files: 2, lines: -0/+81)
|/
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    (cherry picked from commit 15457254be0ab1235c327bd305dfeee19b2ea7a1)
* lib: util: Add sys_pwrite_full(). (Jeremy Allison, 2020-05-14, files: 2, lines: -0/+50)

  A pwrite wrapper that will deal with EINTR and never return a short write unless the file system returns an error. Copes with the unspecified edge condition of pwrite returning zero by changing the return to -1, errno = ENOSPC.

  Thread-safe so may be used as a replacement for pwrite inside pwrite_do() thread functions.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 3ba7a89cea85d134eacf1e624e011fe6f66146fc)
* lib: util: Add sys_pread_full(). (Jeremy Allison, 2020-05-14, files: 2, lines: -0/+49)

  A pread wrapper that will deal with EINTR and never return a short read unless pread returns zero meaning EOF.

  Thread-safe so may be used as a replacement for pread inside pread_do() thread functions.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 36af33bf9fcdf93fce5ef1520fcb7ddbb07b355e)
* lib: util: Add sys_valid_io_range() (Stefan Metzmacher, 2020-05-14, files: 2, lines: -0/+25)

  This implements the constraints of [MS-FSA] 2.1.5.2 Server Requests a Read.

  The special handling of [MS-FSA] 2.1.5.3 Server Requests a Write with offset < 0, should be handled by higher layers! Which means the check can also be used for writes.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14361
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit e02cbd5c3ea6903d2b7b43c3193b8662d029ecdd)
* ldb: Bump version to 2.1.3 [tag: ldb-2.1.3] (Gary Lockyer, 2020-05-14, files: 3, lines: -1/+287)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14330
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* lib ldb: lmdb init var before calling mdb_reader_check (Gary Lockyer, 2020-05-14, files: 1, lines: -1/+1)

  Initialise "stale" to zero before passing a pointer to it to mdb_reader_check.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Tue Apr 7 12:29:00 UTC 2020 on sn-devel-184
  (cherry picked from commit d1f4002b914efb31aa34a59e7c93d80f3174727c)
* lib ldb: lmdb clear stale readers on write txn start (Gary Lockyer, 2020-05-14, files: 2, lines: -1/+23)

  In use process failures and Bind9 shut downs leave stale entries in the lmdb reader table. This can result in lmdb filling its database file, as the free list can not be reclaimed due to the stale reader.

  In this fix we call mdb_reader_check at the start of each transaction, to free any stale readers. As the default maximum number of readers is 127, this should not impact on performance to any great extent.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14330
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Mar 31 01:26:07 UTC 2020 on sn-devel-184
  (cherry picked from commit 89041a6d18a1d091ea713e6986cac5ca66c2b481)
* ldb tests: Confirm lmdb free list handling (Gary Lockyer, 2020-05-14, files: 2, lines: -1/+663)

  Add cmocka tests to confirm lmdb's handling of the free list.

  As a result of lmdb's MVCC (Multiversion Concurrency Control) long running read transactions or stale readers (read transactions where the process exited without ending the transaction) can cause the database to run out of space.

  Items in the free list are only reused when they would not be visible in a read transaction. So long running read transactions prevent entries in the free list being reused, and the database can run out of space.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit fc13304d1575ad6bc6e04cdb3eedf46d3c3678c7)
* lib:util: Fix smbclient -l basename dir (Amit Kumar, 2020-05-14, files: 1, lines: -1/+7)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14345
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Amit Kumar <amitkuma@redhat.com>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  (cherry picked from commit c83ce5f4f99aef94530411ec82cc03e9935b352d)
* CVE-2020-10704 libcli ldap: Check search request lengths. (Gary Lockyer, 2020-04-22, files: 2, lines: -0/+8)

  Check the search request lengths against the limits passed to ldap_decode.

  Credit to OSS-Fuzz

  REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode (Gary Lockyer, 2020-04-22, files: 2, lines: -1/+10)

  Add search request size limits to ldap_decode calls.

  The ldap server uses the smb.conf variable "ldap max search request size" which defaults to 250Kb. For cldap the limit is hard coded as 4096.

  Credit to OSS-Fuzz

  REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-10704: smb.conf: Add max ldap request sizes (Gary Lockyer, 2020-04-22, files: 1, lines: -0/+5)

  Add two new smb.conf parameters to control the maximum permitted ldap request size.

  Adds:
      ldap max anonymous request size      default 250Kb
      ldap max authenticated request size  default 16Mb

  Credit to OSS-Fuzz

  REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-10704: lib util asn1: Check parse tree depth (Gary Lockyer, 2020-04-22, files: 1, lines: -0/+13)

  Check the current depth of the parse tree and reject the input if the depth exceeds that passed to asn1_init

  Credit to OSS-Fuzz

  REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth (Gary Lockyer, 2020-04-22, files: 4, lines: -4/+30)

  Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree.

  Credit to OSS-Fuzz

  REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-10700: ldb: Bump version up to 2.1.2. [tag: ldb-2.1.2] (Karolin Seeger, 2020-04-22, files: 3, lines: -1/+287)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-10700: ldb: Always use ldb_next_request() in ASQ module (Andrew Bartlett, 2020-04-22, files: 1, lines: -9/+3)

  We want to keep going down the module stack, and not start from the top again. ASQ is above the ACL modules, but below paged_results and we do not wish to re-trigger that work.

  Thanks to Andrei Popa <andrei.popa@next-gen.ro> for finding, reporting and working with us to diagnose this issue!

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14331
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* ldb: version 2.1.1 (Stefan Metzmacher, 2020-02-25, files: 3, lines: -1/+287)

  * Bug 14270: Samba 4.11 and later give incorrect results for SCOPE_ONE searches

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(master): Tue Feb 25 12:59:02 UTC 2020 on sn-devel-184
  (cherry picked from commit 0ca46a37268c8219192abc3ab5f2546a02ed8862)
  Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-12-test): Tue Feb 25 21:09:41 UTC 2020 on sn-devel-184
* ldb: Add tests aimed at the SCOPE_ONELEVEL bug in particular (Andrew Bartlett, 2020-02-25, files: 1, lines: -0/+8)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14270
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 0b8ab0200805127e36eeb2affe561f3aee59604a)
* ldb: Fix search with scope ONE and small result sets (Andrew Bartlett, 2020-02-25, files: 1, lines: -9/+12)

  This changes the LDB behaviour in the combination of a SCOPE_ONE search and an index returning less than 10 results.

  After b6b5b5fe355fee2a4096e9214831cb88c7a2a4c6 the list->strict flag became set to false in all cases, rather than being left to the value set by the caller. This changes the ldb_kv_index_dn_one() code to force strict mode on success instead.

  Thanks to Marcus Granér, ICEYE Oy for reporting.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14270
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 3c7261c43da491b57f50e0e64d7050d85c6b973e)