The branch, master has been updated via f38077ea5ee pidl: Handle obtaining objects from a fixed-size array via 1261894ecae pidl/python: allocate objects with ref pointers via 7e19779b66d pytests/segfault: pidl inline arrays via 272e20adbbb pytests/segfaults: dcerpc ref elements segfault via 4dd725b1b59 pytests: rpc echo should not segfault via 220cf67776f s4/rpc/dcerpc_connect: no crash on NULL dest_host from 963a639101f ctdb-tests: Add tests for cmdline_add() api
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit f38077ea5ee0a8d3d18970e3e183c3ee516fa121 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Oct 29 21:19:05 2019 +0000 pidl: Handle obtaining objects from a fixed-size array Previously we would assume the array head was the talloc context however this is not the case if the array is a fixed size inline array within the parent struct. In that case the overall object's talloc context is the correct context to reference. Signed-off-by: Andrew Bartlett <abart...@samba.org> Pair-programmed-with: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Noel Power <npo...@samba.org> Autobuild-User(master): Noel Power <npo...@samba.org> Autobuild-Date(master): Thu Nov 14 17:36:49 UTC 2019 on sn-devel-184 commit 1261894ecaebc1a3340c42e818be25caa69f6364 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Tue Oct 29 11:58:32 2019 +1300 pidl/python: allocate objects with ref pointers Struct members that are marked as ref pointers need to have an object allocated for them. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Pair-programmed-with: Andrew Bartlett <abart...@samba.org> Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Noel Power <npo...@samba.org> commit 7e19779b66d7329e4208eaa5801cec0b6feb3754 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Tue Oct 29 22:11:41 2019 +0000 pytests/segfault: pidl inline arrays Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Noel Power <npo...@samba.org> commit 272e20adbbbaebd7bbf94c79f44f1ff42d2831d8 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Tue Oct 29 12:02:04 2019 +1300 pytests/segfaults: dcerpc ref elements segfault These are just a couple of examples. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Noel Power <npo...@samba.org> commit 4dd725b1b599968fb787c93f6eb3a42af007b21c Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Oct 24 10:41:28 2019 +1300 pytests: rpc echo should not segfault Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Noel Power <npo...@samba.org> commit 220cf67776f16467488805ecd6d1905c708eaa17 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Jul 24 17:50:35 2019 +1200 s4/rpc/dcerpc_connect: no crash on NULL dest_host Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Noel Power <npo...@samba.org> ----------------------------------------------------------------------- Summary of changes: pidl/lib/Parse/Pidl/Samba4/Python.pm | 63 ++++++++++++++++++++++++++++++++++-- python/samba/tests/segfault.py | 24 +++++++++++++- source4/librpc/rpc/dcerpc_connect.c | 2 +- 3 files changed, 85 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm b/pidl/lib/Parse/Pidl/Samba4/Python.pm index 8d5de31e7bb..161521c6e3a 100644 --- a/pidl/lib/Parse/Pidl/Samba4/Python.pm +++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm @@ -499,7 +499,62 @@ sub PythonFunctionStruct($$$$) $self->pidl("static PyObject *py_$name\_new(PyTypeObject *type, PyObject *args, PyObject *kwargs)"); $self->pidl("{"); $self->indent; - $self->pidl("return pytalloc_new($cname, type);"); + + # This creates a new, zeroed C structure and python object. + # Thse may not be valid or sensible values, but this is as + # well as we can do. + + $self->pidl("PyObject *self = pytalloc_new($cname, type);"); + + # If there are any children that are ref pointers, we need to + # allocate something for them to point to just as the pull + # routine will when parsing the stucture from NDR. + # + # We then make those pointers point to zeroed memory + # + # A ref pointer is a pointer in the C structure but a scalar + # on the wire. It is for a remote function like: + # + # int foo(int *i) + # + # This may be called with the pointer by reference eg foo(&i) + # + # That is why this only goes as far as the next level; deeply + # nested pointer chains will end in a NULL. + + my @ref_elements; + foreach my $e (@{$fn->{ELEMENTS}}) { + if (has_property($e, "ref") && ! has_property($e, "charset")) { + if (!has_property($e, 'in') && !has_property($e, 'out')) { + die "ref pointer that is not in or out"; + } + push @ref_elements, $e; + } + } + if (@ref_elements) { + $self->pidl("$cname *_self = ($cname *)pytalloc_get_ptr(self);"); + $self->pidl("TALLOC_CTX *mem_ctx = pytalloc_get_mem_ctx(self);"); + foreach my $e (@ref_elements) { + my $ename = $e->{NAME}; + my $t = mapTypeName($e->{TYPE}); + my $p = $e->{ORIGINAL}->{POINTERS} // 1; + if ($p > 1) { + $self->pidl("/* a pointer to a NULL pointer */"); + $t .= ' ' . '*' x ($p - 1); + } + + # We checked in the loop above that each ref + # pointer is in or out (or both) + if (has_property($e, 'in')) { + $self->pidl("_self->in.$ename = talloc_zero(mem_ctx, $t);"); + } + + if (has_property($e, 'out')) { + $self->pidl("_self->out.$ename = talloc_zero(mem_ctx, $t);"); + } + } + } + $self->pidl("return self;"); $self->deindent; $self->pidl("}"); $self->pidl(""); @@ -2234,7 +2289,11 @@ sub ConvertObjectToPythonLevel($$$$$$$) $self->indent; my $member_var = "py_$e->{NAME}_$l->{LEVEL_INDEX}"; $self->pidl("PyObject *$member_var;"); - $self->ConvertObjectToPythonLevel($var_name, $env, $e, $nl, $var_name."[$counter]", $member_var, $fail, $recurse); + if (ArrayDynamicallyAllocated($e, $l)) { + $self->ConvertObjectToPythonLevel($var_name, $env, $e, $nl, $var_name."[$counter]", $member_var, $fail, $recurse); + } else { + $self->ConvertObjectToPythonLevel($mem_ctx, $env, $e, $nl, $var_name."[$counter]", $member_var, $fail, $recurse); + } $self->pidl("PyList_SetItem($py_var, $counter, $member_var);"); $self->deindent; $self->pidl("}"); diff --git a/python/samba/tests/segfault.py b/python/samba/tests/segfault.py index 66c0b1004c9..07e2d46d56a 100644 --- a/python/samba/tests/segfault.py +++ b/python/samba/tests/segfault.py @@ -25,7 +25,7 @@ import sys from samba.net import Net, LIBNET_JOIN_AUTOMATIC from samba.credentials import DONT_USE_KERBEROS from samba import NTSTATUSError, ntstatus -from samba.dcerpc import misc, drsuapi +from samba.dcerpc import misc, drsuapi, samr, unixinfo, dnsserver from samba import auth, gensec from samba.samdb import SamDB from samba import netbios @@ -152,3 +152,25 @@ class SegfaultTests(samba.tests.TestCase): @segfault_detector def test_messaging_deregister(self): messaging.deregister('s', 's', 's', False) + + @segfault_detector + def test_rpcecho(self): + from dcerpc import echo + echo.rpcecho("") + + @segfault_detector + def test_dcerpc_idl_ref_elements(self): + """There are many pidl generated functions that crashed on this + pattern, where a NULL pointer was created rather than an empty + structure.""" + samr.Connect5().out_info_out = 1 + + @segfault_detector + def test_dcerpc_idl_unixinfo_elements(self): + """Dereferencing is sufficient to crash""" + unixinfo.GetPWUid().out_infos + + @segfault_detector + def test_dcerpc_idl_inline_arrays(self): + """Inline arrays were incorrectly handled.""" + dnsserver.DNS_RPC_SERVER_INFO_DOTNET().pExtensions diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c index 4c0ed15396f..ad355fc3c4d 100644 --- a/source4/librpc/rpc/dcerpc_connect.c +++ b/source4/librpc/rpc/dcerpc_connect.c @@ -226,7 +226,7 @@ static struct composite_context *dcerpc_pipe_connect_ncacn_np_smb_send(TALLOC_CT target_hostname = conn->in.dest_host; } - if (is_ipaddress(conn->in.dest_host)) { + if (conn->in.dest_host != NULL && is_ipaddress(conn->in.dest_host)) { dest_address = conn->in.dest_host; } -- Samba Shared Repository