The branch, v4-8-stable has been updated via a62c2f3 VERSION: Disable GIT_SNAPSHOT for the 4.8.3 release. via 519bc4d WHATSNEW: Add release notes for Samba 4.8.3. via e25631d ldb: version 1.3.4 via fb522c1 .gitlab-ci.yml: Adapt to current GitLab CI setup via 7ccd1eb Fix several mem leaks in ldb_index ldb_search ldb_tdb via 2a3f91e check return value before using key_values via 7a1906d ldb: check return values via 9b5f368 ldb_tdb: Use mem_ctx and so avoid leak onto long-term memory on duplicated add. via 1fb7246 ldb: Fix memory leak on module context via b4331a3 ldb: Add tests for when we should expect a full scan via b8df3cd ldb: One-level search was incorrectly falling back to full DB scan via 703ca1a ldb: Explain why an entry can vanish from the index via d1b59c2 ldb: Indicate that the ltdb_dn_list_sort() in list_union is a bit subtle. via 5c1d9b0 ldb: Save a copy of the index result before calling the callbacks. via 8b32d29 samdb: Fix build error with gcc8 via ee6bd86 s3:winbind: Fix regression introduced with bso #12851 via 941b566 s3:smbget: Fix buffer truncation issues with gcc8 via 5f2859e s3:registry: Fix buffer truncation issues issues with gcc8 via be00b89 heimdal: lib/krb5: do not fail set_config_files due to parse error via 0196569 krb5_plugin: Add winbind localauth plugin for MIT Kerberos via 228e5d4 krb5_wrap: fix keep_old_entries logic for older kerberos libraries via df16008 bla via 7f32430 python: Fix talloc frame use in make_simple_acl(). via 6121a6f s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x. via e5ffffd s3: torture: Add DELETE-PRINT test. via 0e3d52f lib: Fix array size in audit_logging via fd83672 s4:ntvfs: Fix string copy of share_name via 15c13f7 lib:util: Fix size types in debug.c via 05dab79 lib:util: Fix parameter aliasing in tfork test via ca1aced s3:winbind: Fix uninitialzed variable warning via aa833e8 s3:passdb: Fix size of ascii_p16 via aff1261 s3:lib: Use memcpy() in escape_ldap_string() via 3ef6d6a s4:torture: Use strlcpy() in gen_name() via c16e479 lib:util: Fix string check in mkdir_p() via 3e42a24 s3-utils: fix format-truncation in smbpasswd via 23f19c8 s4-torture: fix format-truncation warning in smb2 session tests. via 1b420a2 s3-printing: fix format-truncation in print_queue_update() via 35de20b s3-winbindd: remove unused fill_domain_username() via c70a0d5 s3-winbindd: use fill_domain_username_talloc() in winbind. via c5f3606 s4-heimdal: Fix the format-truncation errors. via 2839bf2 s3: smbtorture: Add new SMB2-DIR-FSYNC test to show behavior of FSYNC on directories. via ce89931 s3: smbd: Fix SMB2-FLUSH against directories. via a7a51bd smbd: Flush dfree memcache on service reload via f7e53f8 smbd: Cache dfree information based on query path via 3fd685e memcache: Add new cache type for dfree information via 88d19df selftest: Add test for 'dfree cache' via 2e5bc85 selftest: Add dfq_cache share with 'dfree cache time' set via 68999b8 lib/util: Call log_stack_trace() in smb_panic_default() via 5733e90 lib/util: Move log_stack_trace() to common code via d14cd61 lib/util: Log PANIC before calling pacic action just like s3 via 8f01d94 s3-lib: Remove support for libexc for IRIX backtraces via 9c794a2 s3:utils: Do not segfault on error in DoDNSUpdate() via 9cb6459 auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server via 7faa201 s4:selftest: run test_ldb_simple.sh with more auth options via e153636 auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option via 2fb77a2 libgpo: Fix the build --without-ads via bcee547 s3:smbd: fix interaction between chown and SD flags via 6ea5d16 s4:torture/smb2: new test for interaction between chown and SD flags via 682a2e2 winbind: Fix UPN handling in canonicalize_username() via 124f0e4 winbind: Fix UPN handling in parse_domain_user() via b5ba5da winbind: Remove unused function parse_domain_user_talloc() via f1dfb9f winbind: Pass upn unmodified to lookup names via a52b067 nsswitch:tests: Add test for wbinfo --user-info via 5c946eb selftest: Add a user with a different userPrincipalName via 40a1341 nsswitch: Lookup the domain in tests with the wb seperator via a28d7c4 nsswitch: Add a test looking up domain sid via ee22c6f nsswitch: Add a test looking up the user using the upn via 4bbc5a8 selftest: Make sure we have correct group mappings via cc678c4 VERSION: Bump version up to 4.8.3... from e64d0d0 VERSION: Disable GIT_SNAPSHOT for the 4.8.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: .gitlab-ci.yml => .gitlab-ci-private.yml | 14 +- VERSION | 2 +- WHATSNEW.txt | 106 +++++++- auth/auth_log.c | 2 +- auth/ntlmssp/gensec_ntlmssp_server.c | 19 -- auth/ntlmssp/ntlmssp_client.c | 24 +- auth/ntlmssp/ntlmssp_server.c | 8 + lib/krb5_wrap/krb5_samba.c | 2 +- lib/ldb/ABI/{ldb-1.3.3.sigs => ldb-1.3.4.sigs} | 0 ...b-util.py3-1.3.3.sigs => pyldb-util-1.3.4.sigs} | 0 ...il.py3-1.3.3.sigs => pyldb-util.py3-1.3.4.sigs} | 0 lib/ldb/ldb_tdb/ldb_index.c | 134 +++++++--- lib/ldb/ldb_tdb/ldb_search.c | 23 +- lib/ldb/ldb_tdb/ldb_tdb.c | 20 +- lib/ldb/ldb_tdb/ldb_tdb.h | 6 + lib/ldb/tests/ldb_mod_op_test.c | 275 ++++++++++++++++++++ lib/ldb/tests/python/api.py | 104 +++++++- lib/ldb/wscript | 2 +- lib/util/debug.c | 14 +- lib/util/fault.c | 107 +++++++- lib/util/fault.h | 1 + lib/util/memcache.h | 3 +- lib/util/mkdir_p.c | 4 +- lib/util/tests/tfork.c | 7 +- lib/util/wscript_configure | 1 + libgpo/pygpo.c | 5 + nsswitch/krb5_plugin/winbind_krb5_localauth.c | 267 ++++++++++++++++++++ nsswitch/tests/test_idmap_ad.sh | 2 +- nsswitch/tests/test_idmap_nss.sh | 4 +- nsswitch/tests/test_idmap_rid.sh | 2 +- nsswitch/tests/test_wbinfo_name_lookup.sh | 13 +- nsswitch/tests/test_wbinfo_user_info.sh | 83 ++++++ nsswitch/wscript_build | 6 + selftest/knownfail | 1 + selftest/knownfail.d/upn_handling | 8 + selftest/target/Samba3.pm | 15 ++ selftest/target/Samba4.pm | 19 +- source3/include/local.h | 3 - source3/include/proto.h | 1 - source3/lib/ldap_escape.c | 2 +- source3/lib/util.c | 139 ----------- source3/modules/vfs_acl_common.c | 7 +- source3/passdb/pdb_smbpasswd.c | 2 +- source3/printing/printing.c | 2 +- source3/printing/printspoolss.c | 17 ++ source3/registry/reg_perfcount.c | 12 +- source3/script/tests/test_dfree_quota.sh | 35 +++ source3/script/tests/test_smbspool.sh | 63 +++++ source3/selftest/tests.py | 18 +- source3/smbd/dfree.c | 104 ++++++-- source3/smbd/proto.h | 1 + source3/smbd/pysmbd.c | 49 ++-- source3/smbd/server_reload.c | 1 + source3/smbd/smb2_flush.c | 26 +- source3/torture/proto.h | 1 + source3/torture/test_smb2.c | 270 ++++++++++++++++++++ source3/torture/torture.c | 74 ++++++ source3/utils/net_dns.c | 1 + source3/utils/smbget.c | 2 +- source3/utils/smbpasswd.c | 49 ++-- source3/winbindd/wb_getpwsid.c | 23 +- source3/winbindd/wb_lookupname.c | 8 +- source3/winbindd/wb_query_user_list.c | 9 +- source3/winbindd/wb_xids2sids.c | 1 + source3/winbindd/winbindd_cache.c | 5 +- source3/winbindd/winbindd_ccache_access.c | 43 +++- source3/winbindd/winbindd_creds.c | 3 +- source3/winbindd/winbindd_getgrnam.c | 18 +- source3/winbindd/winbindd_getgroups.c | 13 +- source3/winbindd/winbindd_getpwnam.c | 13 +- source3/winbindd/winbindd_group.c | 12 +- source3/winbindd/winbindd_irpc.c | 7 +- source3/winbindd/winbindd_list_groups.c | 14 +- source3/winbindd/winbindd_lookupname.c | 17 +- source3/winbindd/winbindd_pam.c | 96 +++++-- source3/winbindd/winbindd_pam_auth.c | 11 +- source3/winbindd/winbindd_pam_chauthtok.c | 12 +- source3/winbindd/winbindd_pam_logoff.c | 12 +- source3/winbindd/winbindd_proto.h | 20 +- source3/winbindd/winbindd_util.c | 83 +++--- source3/wscript | 2 +- source4/dsdb/samdb/ldb_modules/samldb.c | 2 +- source4/heimdal/lib/com_err/compile_et.c | 6 +- source4/heimdal/lib/krb5/config_file.c | 4 +- source4/heimdal/lib/krb5/context.c | 3 +- source4/ntvfs/ipc/rap_server.c | 9 +- source4/selftest/tests.py | 7 + source4/torture/basic/mangle_test.c | 2 +- source4/torture/smb2/acls.c | 278 +++++++++++++++++++++ source4/torture/smb2/session.c | 2 +- wscript_configure_system_mitkrb5 | 1 + 91 files changed, 2436 insertions(+), 482 deletions(-) rename .gitlab-ci.yml => .gitlab-ci-private.yml (92%) copy lib/ldb/ABI/{ldb-1.3.3.sigs => ldb-1.3.4.sigs} (100%) copy lib/ldb/ABI/{pyldb-util.py3-1.3.3.sigs => pyldb-util-1.3.4.sigs} (100%) copy lib/ldb/ABI/{pyldb-util.py3-1.3.3.sigs => pyldb-util.py3-1.3.4.sigs} (100%) create mode 100644 nsswitch/krb5_plugin/winbind_krb5_localauth.c create mode 100755 nsswitch/tests/test_wbinfo_user_info.sh create mode 100644 selftest/knownfail.d/upn_handling Changeset truncated at 500 lines: diff --git a/.gitlab-ci.yml b/.gitlab-ci-private.yml similarity index 92% rename from .gitlab-ci.yml rename to .gitlab-ci-private.yml index 2ae9eb4..584b853 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci-private.yml @@ -1,12 +1,15 @@ # see https://docs.gitlab.com/ce/ci/yaml/README.html for all available options +image: registry.gitlab.com/samba-team/samba:latest + before_script: - echo "Build starting ..." build_samba: stage: build tags: - - autobuild + - docker + - private script: # this one takes about 4 hours to finish - python script/autobuild.py samba --verbose --tail --testbase /tmp/samba-testbase @@ -14,7 +17,8 @@ build_samba: build_samba_others: stage: build tags: - - autobuild + - docker + - private script: - python script/autobuild.py samba-nopython --verbose --tail --testbase /tmp/samba-testbase - python script/autobuild.py samba-systemkrb5 --verbose --tail --testbase /tmp/samba-testbase @@ -26,7 +30,8 @@ build_samba_others: build_ctdb: stage: build tags: - - autobuild + - docker + - private script: - python script/autobuild.py samba-ctdb --verbose --tail --testbase /tmp/samba-testbase - python script/autobuild.py ctdb --verbose --tail --testbase /tmp/samba-testbase @@ -34,7 +39,8 @@ build_ctdb: build_others: stage: build tags: - - autobuild + - docker + - private script: - python script/autobuild.py ldb --verbose --tail --testbase /tmp/samba-testbase - python script/autobuild.py pidl --verbose --tail --testbase /tmp/samba-testbase diff --git a/VERSION b/VERSION index 9dfbef0..f9e02e8 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=8 -SAMBA_VERSION_RELEASE=2 +SAMBA_VERSION_RELEASE=3 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 6aa0f91..5c2d922 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,93 @@ ============================= + Release Notes for Samba 4.8.3 + June 26, 2018 + ============================= + + +This is the latest stable release of the Samba 4.8 release series. + + +Changes since 4.8.2: +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 13428: s3: smbd: Fix SMB2-FLUSH against directories. + * BUG 13457: s3: smbd: printing: Re-implement delete-on-close semantics for + print files missing since 3.5.x. + * BUG 13474: python: Fix talloc frame use in make_simple_acl(). + +o Jeffrey Altman <jalt...@secure-endpoints.com> + * BUG 11573: heimdal: lib/krb5: Do not fail set_config_files due to parse + error. + +o Andrew Bartlett <abart...@samba.org> + * ldb: version 1.3.4 + * BUG 13448: ldb: One-level search was incorrectly falling back to full DB + scan. + * BUG 13452: ldb: Save a copy of the index result before calling the + callbacks. + * BUG 13454: No Backtrace given by Samba's AD DC by default. + * BUG 13471: ldb_tdb: Use mem_ctx and so avoid leak onto long-term memory + on duplicated add. + +o Ralph Boehme <s...@samba.org> + * BUG 13432: s3:smbd: Fix interaction between chown and SD flags. + +o Günther Deschner <g...@samba.org> + * BUG 13437: Fix building Samba with gcc 8.1. + +o Andrej Gessel <andrej.ges...@janztec.com> + * BUG 13475: Fix several mem leaks in ldb_index ldb_search ldb_tdb. + +o Volker Lendecke <v...@samba.org> + * BUG 13331: libgpo: Fix the build --without-ads. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13369: Looking up the user using the UPN results in user name with the + REALM instead of the DOMAIN. + * BUG 13427: Fix broken server side GENSEC_FEATURE_LDAP_STYLE handling + (NTLMSSP NTLM2 packet check failed due to invalid signature!). + +o Christof Schmitt <c...@samba.org> + * BUG 13446: smbd: Flush dfree memcache on service reload. + * BUG 13478: krb5_wrap: Fix keep_old_entries logic for older Kerberos + libraries. + +o Andreas Schneider <a...@samba.org> + * BUG 13369: Looking up the user using the UPN results in user name with the + REALM instead of the DOMAIN. + * BUG 13437: Fix building Samba with gcc 8.1. + * BUG 13440: s3:utils: Do not segfault on error in DoDNSUpdate(). + * BUG 13480: krb5_plugin: Add winbind localauth plugin for MIT Kerberos. + +o Lukas Slebodnik <lsleb...@fedoraproject.org> + * BUG 13459: ldb: Fix memory leak on module context. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= Release Notes for Samba 4.8.2 May 16, 2018 ============================= @@ -86,8 +175,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.8.1 @@ -450,6 +539,19 @@ This new module integrates with Sophos, F-Secure and ClamAV anti-virus software to provide scanning and filtering of files on a Samba share. +Local authorization plugin for MIT Kerberos +------------------------------------------- + +This plugin controls the relationship between Kerberos principals and AD +accounts through winbind. The module receives the Kerberos principal and the +local account name as inputs and can then check if they match. This can resolve +issues with canonicalized names returned by Kerberos within AD. If the user +tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), +Kerberos would return ALICE as the username. Kerberos would not be able to map +'alice' to 'ALICE' in this case and auth would fail. With this plugin account +names can be correctly mapped. This only applies to GSSAPI authentication, +not for the geting the initial ticket granting ticket. + REMOVED FEATURES ================ diff --git a/auth/auth_log.c b/auth/auth_log.c index d4c6c44..72d8f81 100644 --- a/auth/auth_log.c +++ b/auth/auth_log.c @@ -350,7 +350,7 @@ static void add_version(struct json_context *context, int major, int minor) static void add_timestamp(struct json_context *context) { char buffer[40]; /* formatted time less usec and timezone */ - char timestamp[50]; /* the formatted ISO 8601 time stamp */ + char timestamp[65]; /* the formatted ISO 8601 time stamp */ char tz[10]; /* formatted time zone */ struct tm* tm_info; /* current local time */ struct timeval tv; /* current system time */ diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c index c0e6cff..ab92f4d 100644 --- a/auth/ntlmssp/gensec_ntlmssp_server.c +++ b/auth/ntlmssp/gensec_ntlmssp_server.c @@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; - if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; - } - if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; - - if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) { - /* - * We need to handle NTLMSSP_NEGOTIATE_SIGN as - * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE - * is requested. - */ - ntlmssp_state->force_wrap_seal = true; - } - } - if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; - } if (role == ROLE_STANDALONE) { ntlmssp_state->server.is_standalone = true; diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index db2003f..54fda41 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c @@ -865,13 +865,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) * is requested. */ ntlmssp_state->force_wrap_seal = true; - /* - * We want also work against old Samba servers - * which didn't had GENSEC_FEATURE_LDAP_STYLE - * we negotiate SEAL too. We may remove this - * in a few years. As all servers should have - * GENSEC_FEATURE_LDAP_STYLE by then. - */ + } + } + if (ntlmssp_state->force_wrap_seal) { + bool ret; + + /* + * We want also work against old Samba servers + * which didn't had GENSEC_FEATURE_LDAP_STYLE + * we negotiate SEAL too. We may remove this + * in a few years. As all servers should have + * GENSEC_FEATURE_LDAP_STYLE by then. + */ + ret = gensec_setting_bool(gensec_security->settings, + "ntlmssp_client", + "ldap_style_send_seal", + true); + if (ret) { ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; } } diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index 37ed2bc..140e89d 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c @@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, data_blob_free(&ntlmssp_state->challenge_blob); if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) { + /* + * We need to handle NTLMSSP_NEGOTIATE_SIGN as + * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE + * is requested. + */ + ntlmssp_state->force_wrap_seal = true; + } nt_status = ntlmssp_sign_init(ntlmssp_state); } diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 7c461e5..0ba8aae 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -1549,7 +1549,7 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context, } if (!flush && - (kt_entry.vno == kvno) && + ((kt_entry.vno & 0xff) == (kvno & 0xff)) && (kt_entry_enctype != enctype)) { DEBUG(5, (__location__ ": Saving entry with kvno [%d] " diff --git a/lib/ldb/ABI/ldb-1.3.3.sigs b/lib/ldb/ABI/ldb-1.3.4.sigs similarity index 100% copy from lib/ldb/ABI/ldb-1.3.3.sigs copy to lib/ldb/ABI/ldb-1.3.4.sigs diff --git a/lib/ldb/ABI/pyldb-util.py3-1.3.3.sigs b/lib/ldb/ABI/pyldb-util-1.3.4.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util.py3-1.3.3.sigs copy to lib/ldb/ABI/pyldb-util-1.3.4.sigs diff --git a/lib/ldb/ABI/pyldb-util.py3-1.3.3.sigs b/lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util.py3-1.3.3.sigs copy to lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c index ee20273..40baeea 100644 --- a/lib/ldb/ldb_tdb/ldb_index.c +++ b/lib/ldb/ldb_tdb/ldb_index.c @@ -403,6 +403,7 @@ normal_index: "expected %d for %s", version, LTDB_INDEXING_VERSION, ldb_dn_get_linearized(dn)); + talloc_free(msg); return LDB_ERR_OPERATIONS_ERROR; } @@ -420,19 +421,26 @@ normal_index: "expected %d for %s", version, LTDB_GUID_INDEXING_VERSION, ldb_dn_get_linearized(dn)); + talloc_free(msg); return LDB_ERR_OPERATIONS_ERROR; } if (el->num_values != 1) { + talloc_free(msg); return LDB_ERR_OPERATIONS_ERROR; } if ((el->values[0].length % LTDB_GUID_SIZE) != 0) { + talloc_free(msg); return LDB_ERR_OPERATIONS_ERROR; } list->count = el->values[0].length / LTDB_GUID_SIZE; list->dn = talloc_array(list, struct ldb_val, list->count); + if (list->dn == NULL) { + talloc_free(msg); + return LDB_ERR_OPERATIONS_ERROR; + } /* * The actual data is on msg, due to @@ -523,9 +531,9 @@ static int ltdb_dn_list_store_full(struct ldb_module *module, if (list->count == 0) { ret = ltdb_delete_noindex(module, msg); if (ret == LDB_ERR_NO_SUCH_OBJECT) { - talloc_free(msg); - return LDB_SUCCESS; + ret = LDB_SUCCESS; } + talloc_free(msg); return ret; } @@ -621,6 +629,9 @@ static int ltdb_dn_list_store(struct ldb_module *module, struct ldb_dn *dn, } key.dptr = discard_const_p(unsigned char, ldb_dn_get_linearized(dn)); + if (key.dptr == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } key.dsize = strlen((char *)key.dptr); rec = tdb_fetch(ltdb->idxptr->itdb, key); @@ -1120,6 +1131,9 @@ static bool list_union(struct ldb_context *ldb, /* * Sort the lists (if not in GUID DN mode) so we can do * the de-duplication during the merge + * + * NOTE: This can sort the in-memory index values, as list or + * list2 might not be a copy! */ ltdb_dn_list_sort(ltdb, list); ltdb_dn_list_sort(ltdb, list2); @@ -1522,27 +1536,64 @@ static int ltdb_index_filter(struct ltdb_private *ltdb, struct ltdb_context *ac, uint32_t *match_count) { - struct ldb_context *ldb; + struct ldb_context *ldb = ldb_module_get_ctx(ac->module); struct ldb_message *msg; struct ldb_message *filtered_msg; unsigned int i; + unsigned int num_keys = 0; uint8_t previous_guid_key[LTDB_GUID_KEY_SIZE] = {}; + TDB_DATA *keys = NULL; + + /* + * We have to allocate the key list (rather than just walk the + * caller supplied list) as the callback could change the list + * (by modifying an indexed attribute hosted in the in-memory + * index cache!) + */ + keys = talloc_array(ac, TDB_DATA, dn_list->count); + if (keys == NULL) { + return ldb_module_oom(ac->module); + } + + if (ltdb->cache->GUID_index_attribute != NULL) { + /* + * We speculate that the keys will be GUID based and so + * pre-fill in enough space for a GUID (avoiding a pile of + * small allocations) + */ + struct guid_tdb_key { + uint8_t guid_key[LTDB_GUID_KEY_SIZE]; + } *key_values = NULL; + + key_values = talloc_array(keys, + struct guid_tdb_key, + dn_list->count); - ldb = ldb_module_get_ctx(ac->module); + if (key_values == NULL) { + talloc_free(keys); + return ldb_module_oom(ac->module); + } + for (i = 0; i < dn_list->count; i++) { + keys[i].dptr = key_values[i].guid_key; + keys[i].dsize = sizeof(key_values[i].guid_key); + } + } else { + for (i = 0; i < dn_list->count; i++) { + keys[i].dptr = NULL; + keys[i].dsize = 0; + } + } for (i = 0; i < dn_list->count; i++) { - uint8_t guid_key[LTDB_GUID_KEY_SIZE]; - TDB_DATA tdb_key = { - .dptr = guid_key, - .dsize = sizeof(guid_key) - }; int ret; - bool matched; - ret = ltdb_idx_to_key(ac->module, ltdb, - ac, &dn_list->dn[i], - &tdb_key); + ret = ltdb_idx_to_key(ac->module, + ltdb, + keys, + &dn_list->dn[i], + &keys[num_keys]); if (ret != LDB_SUCCESS) { + talloc_free(keys); return ret; } @@ -1558,36 +1609,50 @@ static int ltdb_index_filter(struct ltdb_private *ltdb, * LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK */ - if (memcmp(previous_guid_key, tdb_key.dptr, + if (memcmp(previous_guid_key, + keys[num_keys].dptr, sizeof(previous_guid_key)) == 0) { continue; } - memcpy(previous_guid_key, tdb_key.dptr, + memcpy(previous_guid_key, + keys[num_keys].dptr, sizeof(previous_guid_key)); } + num_keys++; + } + + /* + * Now that the list is a safe copy, send the callbacks + */ + for (i = 0; i < num_keys; i++) { + int ret; + bool matched; msg = ldb_msg_new(ac); if (!msg) { + talloc_free(keys); return LDB_ERR_OPERATIONS_ERROR; } - ret = ltdb_search_key(ac->module, ltdb, - tdb_key, msg, -- Samba Shared Repository