The branch, v3-3-test has been updated via f8f21c8e3922806230e240cb54205fc2db7a3619 (commit) via bfc5d34a196f667276ce1e173821db478d01258b (commit) via 7edfb54c865ddcfd5cdcc8c2184b96aaac2d2ec0 (commit) via 72bd83fea7572a6202027b200d192c05023aa633 (commit) via 103ce6c9e94ce74e616fe922f2584fd46ae1f3f8 (commit) from 148a012421cdd875167e708c5dfa771d97bf9856 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log ----------------------------------------------------------------- commit f8f21c8e3922806230e240cb54205fc2db7a3619 Author: Michael Adam <[EMAIL PROTECTED]> Date: Tue Aug 5 23:38:56 2008 +0200 dbwrap: add comment describing behaviour of dbwrap_change_int32_atomic(). Michael commit bfc5d34a196f667276ce1e173821db478d01258b Author: Michael Adam <[EMAIL PROTECTED]> Date: Tue Aug 5 23:14:05 2008 +0200 secrets: fix replacemend random seed generator (security issue). This is a regression introduced by the change to dbwrap. The replacement dbwrap_change_int32_atomic() does not correctly mimic the behaviour of tdb_change_int32_atomic(): The intended behaviour is to use *oldval as an initial value when the entry does not yet exist in the db and to return the old value in *oldval. The effect was that: 1. get_rand_seed() always returns sys_getpid() in *new_seed instead of the incremented seed from the secrets.tdb. 2. the seed stored in the tdb is always starting at 0 instead of sys_getpid() + 1 and incremented in subsequent calls. In principle this is a security issue, but i think the danger is low, since this is only used as a fallback when there is no useable /dev/urandom, and this is at most called on startup or via reinit_after_fork. Michael commit 7edfb54c865ddcfd5cdcc8c2184b96aaac2d2ec0 Author: Michael Adam <[EMAIL PROTECTED]> Date: Tue Aug 5 23:13:06 2008 +0200 dbwrap: add comment describing behaviour of dbwrap_change_uint32_atomic(). Michael commit 72bd83fea7572a6202027b200d192c05023aa633 Author: Michael Adam <[EMAIL PROTECTED]> Date: Tue Aug 5 22:38:44 2008 +0200 idmap_tdb2: fix a race condition in idmap_tdb2_allocate_id(). The race is a regression introduced by the change to dbwrap. It might have led to two concurrent processes returning the same id. This fix is achieved by changing dbwrap_change_uint32_atomic() to match the original behaviour of tdb_change_uint32_atomic(), which is the following: *oldval is used as initial value when the value does not yet exist and that the old value should be returned in *oldval. dbwrap_change_uint32_atomic() is used (only) in idmap_tdb2.c, to get new ids. Michael commit 103ce6c9e94ce74e616fe922f2584fd46ae1f3f8 Author: Michael Adam <[EMAIL PROTECTED]> Date: Mon Aug 4 23:30:16 2008 +0200 registry: use _bystring wrappers to dbwrap_trans_(store|delete). Michael ----------------------------------------------------------------------- Summary of changes: source/lib/dbwrap_util.c | 30 ++++++++++++++++++++++++++---- source/registry/reg_backend_db.c | 9 +++------ 2 files changed, 29 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/source/lib/dbwrap_util.c b/source/lib/dbwrap_util.c index 07e5082..09e9071 100644 --- a/source/lib/dbwrap_util.c +++ b/source/lib/dbwrap_util.c @@ -98,6 +98,13 @@ bool dbwrap_store_uint32(struct db_context *db, const char *keystr, uint32_t v) return NT_STATUS_IS_OK(status) ? 0 : -1; } +/** + * Atomic unsigned integer change (addition): + * + * if value does not exist yet in the db, use *oldval as initial old value. + * return old value in *oldval. + * store *oldval + change_val to db. + */ uint32_t dbwrap_change_uint32_atomic(struct db_context *db, const char *keystr, uint32_t *oldval, uint32_t change_val) { @@ -110,9 +117,13 @@ uint32_t dbwrap_change_uint32_atomic(struct db_context *db, const char *keystr, return -1; } - if ((rec->value.dptr != NULL) - && (rec->value.dsize == sizeof(val))) { + if (rec->value.dptr == NULL) { + val = *oldval; + } else if (rec->value.dsize == sizeof(val)) { val = IVAL(rec->value.dptr, 0); + *oldval = val; + } else { + return -1; } val += change_val; @@ -127,6 +138,13 @@ uint32_t dbwrap_change_uint32_atomic(struct db_context *db, const char *keystr, return 0; } +/** + * Atomic integer change (addition): + * + * if value does not exist yet in the db, use *oldval as initial old value. + * return old value in *oldval. + * store *oldval + change_val to db. + */ int32 dbwrap_change_int32_atomic(struct db_context *db, const char *keystr, int32 *oldval, int32 change_val) { @@ -139,9 +157,13 @@ int32 dbwrap_change_int32_atomic(struct db_context *db, const char *keystr, return -1; } - if ((rec->value.dptr != NULL) - && (rec->value.dsize == sizeof(val))) { + if (rec->value.dptr == NULL) { + val = *oldval; + } else if (rec->value.dsize == sizeof(val)) { val = IVAL(rec->value.dptr, 0); + *oldval = val; + } else { + return -1; } val += change_val; diff --git a/source/registry/reg_backend_db.c b/source/registry/reg_backend_db.c index d216e0e..489f076 100644 --- a/source/registry/reg_backend_db.c +++ b/source/registry/reg_backend_db.c @@ -1144,8 +1144,7 @@ bool regdb_store_values( const char *key, REGVAL_CTR *values ) goto done; } - status = dbwrap_trans_store(regdb, string_term_tdb_data(keystr), data, - TDB_REPLACE); + status = dbwrap_trans_store_bystring(regdb, keystr, data, TDB_REPLACE); result = NT_STATUS_IS_OK(status); @@ -1219,8 +1218,7 @@ static WERROR regdb_set_secdesc(const char *key, if (secdesc == NULL) { /* assuming a delete */ - status = dbwrap_trans_delete(regdb, - string_term_tdb_data(tdbkey)); + status = dbwrap_trans_delete_bystring(regdb, tdbkey); if (NT_STATUS_IS_OK(status)) { err = WERR_OK; } else { @@ -1236,8 +1234,7 @@ static WERROR regdb_set_secdesc(const char *key, goto done; } - status = dbwrap_trans_store(regdb, string_term_tdb_data(tdbkey), - tdbdata, 0); + status = dbwrap_trans_store_bystring(regdb, tdbkey, tdbdata, 0); if (!NT_STATUS_IS_OK(status)) { err = ntstatus_to_werror(status); goto done; -- Samba Shared Repository