The branch, v4-11-test has been updated
       via  f47dc8b8f68 docs-xml: Fix usernames in pam_winbind manpages
       via  f5ee0cc29e4 libsmb: Protect cli_oem_change_password() from rprcnt<2
       via  e8ffd6244d6 libsmb: Protect cli_RNetServerEnum against rprcnt<6
       via  39a3d728a60 libsmb: Protect cli_RNetShareEnum() against rprcnt<6
       via  f69c9ea345f libsmb: Fix indentation in cli_RNetShareEnum()
      from  84362eef4cf vfs_shadow_copy2: implement case canonicalisation in 
shadow_copy2_get_real_filename()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-test


- Log -----------------------------------------------------------------
commit f47dc8b8f68c93e9e57bda704125b28c22bcf731
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Apr 28 17:25:35 2020 +0200

    docs-xml: Fix usernames in pam_winbind manpages
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    
    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Wed Apr 29 09:44:55 UTC 2020 on sn-devel-184
    
    (cherry picked from commit 3abd92d7824e803f1ff53425088ebee30b58894b)
    
    Autobuild-User(v4-11-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-11-test): Thu May 14 15:42:16 UTC 2020 on sn-devel-184

commit f5ee0cc29e405b222d2c8ae7ea0eb166671d87be
Author: Volker Lendecke <v...@samba.org>
Date:   Sat May 2 15:18:07 2020 +0200

    libsmb: Protect cli_oem_change_password() from rprcnt<2
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    
    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Tue May  5 17:12:04 UTC 2020 on sn-devel-184
    
    (cherry picked from commit f80c97cb8da64f3cd9904e2e1fd43c29b691166d)

commit e8ffd6244d60866044f3702999eb292bebd0b99c
Author: Volker Lendecke <v...@samba.org>
Date:   Sat May 2 15:10:14 2020 +0200

    libsmb: Protect cli_RNetServerEnum against rprcnt<6
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit ce8b70df7bd63e96723b8e8dc864f1690f5fad7b)

commit 39a3d728a605b02d209b39ee764de5bd4d4501fc
Author: Volker Lendecke <v...@samba.org>
Date:   Sat May 2 14:59:07 2020 +0200

    libsmb: Protect cli_RNetShareEnum() against rprcnt<6
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 4a9fe4efefa67d6f24efcbe29722a43fc4859fdc)

commit f69c9ea345fa05a1e63888eeccfba98a6c9182f7
Author: Volker Lendecke <v...@samba.org>
Date:   Sat May 2 14:54:01 2020 +0200

    libsmb: Fix indentation in cli_RNetShareEnum()
    
    Also remove a level of indentation with a "goto done;"
    
    Best review with "git show -b", almost no code change
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit ae91d67a247424d4ddc89230f52365558d6ff402)

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/pam_winbind.8.xml      |   4 +-
 docs-xml/manpages/pam_winbind.conf.5.xml |   4 +-
 source3/libsmb/clirap.c                  | 151 ++++++++++++++++++-------------
 3 files changed, 91 insertions(+), 68 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/pam_winbind.8.xml 
b/docs-xml/manpages/pam_winbind.8.xml
index b8af5b54c58..a9a227f1647 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -83,8 +83,8 @@
                <listitem><para>
                If this option is set, pam_winbind will only succeed if the 
user is a member of the given SID or NAME. A SID
                can be either a group-SID, an alias-SID or even an user-SID. It 
is also possible to give a NAME instead of the
-               SID. That name must have the form: 
<parameter>MYDOMAIN\\mygroup</parameter> or
-               <parameter>MYDOMAIN\\myuser</parameter>.  pam_winbind will, in 
that case, lookup the SID internally. Note that
+               SID. That name must have the form: 
<parameter>MYDOMAIN\mygroup</parameter> or
+               <parameter>MYDOMAIN\myuser</parameter>.  pam_winbind will, in 
that case, lookup the SID internally. Note that
                NAME may not contain any spaces. It is thus recommended to only 
use SIDs. You can verify the list of SIDs a
                user is a member of with <command>wbinfo 
--user-sids=SID</command>.
                </para>
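Review bot: The commit message for this change is only the subject and a bug link; it should say that the doubled backslash in `MYDOMAIN\\mygroup` and `MYDOMAIN\\myuser` was the error, so a reader knows the single-backslash form is the value to configure. The unchanged context in the same paragraph also has "an user-SID" and "lookup the SID", which could become "a user-SID" and "look up the SID" while the paragraph is being touched.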
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml 
b/docs-xml/manpages/pam_winbind.conf.5.xml
index a5aaa01504d..193a0dc971c 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -68,8 +68,8 @@
                <listitem><para>
                If this option is set, pam_winbind will only succeed if the 
user is a member of the given SID or NAME. A SID
                can be either a group-SID, an alias-SID or even an user-SID. It 
is also possible to give a NAME instead of the
-               SID. That name must have the form: 
<parameter>MYDOMAIN\\mygroup</parameter> or
-               <parameter>MYDOMAIN\\myuser</parameter>.  pam_winbind will, in 
that case, lookup the SID internally. Note that
+               SID. That name must have the form: 
<parameter>MYDOMAIN\mygroup</parameter> or
+               <parameter>MYDOMAIN\myuser</parameter>.  pam_winbind will, in 
that case, lookup the SID internally. Note that
                NAME may not contain any spaces. It is thus recommended to only 
use SIDs. You can verify the list of SIDs a
                user is a member of with <command>wbinfo 
--user-sids=SID</command>. This setting is empty by default.
                </para>
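Review bot: This paragraph is the same text as the one in pam_winbind.8.xml, differing only in the trailing "This setting is empty by default." sentence, so every fix has to be applied twice, as it is here. Consider a comment in each file pointing at the other copy, or sharing the text, so that a later correction does not land in only one of the two manpages.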
diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index b4b40ebdab4..8a844050461 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -174,6 +174,8 @@ int cli_RNetShareEnum(struct cli_state *cli, void 
(*fn)(const char *, uint32_t,
        unsigned int rdrcnt,rprcnt;
        char param[1024];
        int count = -1;
+       bool ok;
+       int res;
 
        /* now send a SMBtrans command with api RNetShareEnum */
        p = param;
@@ -191,74 +193,82 @@ int cli_RNetShareEnum(struct cli_state *cli, void 
(*fn)(const char *, uint32_t,
        SSVAL(p,2,0xFFE0);
        p += 4;
 
-       if (cli_api(cli,
-                   param, PTR_DIFF(p,param), 1024,  /* Param, length, maxlen */
-                   NULL, 0, 0xFFE0,            /* data, length, maxlen - Win2k 
needs a small buffer here too ! */
-                   &rparam, &rprcnt,                /* return params, length */
-                   &rdata, &rdrcnt))                /* return data, length */
-               {
-                       int res = rparam? SVAL(rparam,0) : -1;
-
-                       if (res == 0 || res == ERRmoredata) {
-                               int converter=SVAL(rparam,2);
-                               int i;
-                               char *rdata_end = rdata + rdrcnt;
-
-                               count=SVAL(rparam,4);
-                               p = rdata;
-
-                               for (i=0;i<count;i++,p+=20) {
-                                       char *sname;
-                                       int type;
-                                       int comment_offset;
-                                       const char *cmnt;
-                                       const char *p1;
-                                       char *s1, *s2;
-                                       size_t len;
-                                       TALLOC_CTX *frame = talloc_stackframe();
-
-                                       if (p + 20 > rdata_end) {
-                                               TALLOC_FREE(frame);
-                                               break;
-                                       }
-
-                                       sname = p;
-                                       type = SVAL(p,14);
-                                       comment_offset = (IVAL(p,16) & 0xFFFF) 
- converter;
-                                       if (comment_offset < 0 ||
-                                                       comment_offset > 
(int)rdrcnt) {
-                                               TALLOC_FREE(frame);
-                                               break;
-                                       }
-                                       cmnt = 
comment_offset?(rdata+comment_offset):"";
-
-                                       /* Work out the comment length. */
-                                       for (p1 = cmnt, len = 0; *p1 &&
-                                                       p1 < rdata_end; len++)
-                                               p1++;
-                                       if (!*p1) {
-                                               len++;
-                                       }
-                                       pull_string_talloc(frame,rdata,0,
-                                               &s1,sname,14,STR_ASCII);
-                                       pull_string_talloc(frame,rdata,0,
-                                               &s2,cmnt,len,STR_ASCII);
-                                       if (!s1 || !s2) {
-                                               TALLOC_FREE(frame);
-                                               continue;
-                                       }
-
-                                       fn(s1, type, s2, state);
+       ok = cli_api(
+               cli,
+               param, PTR_DIFF(p,param), 1024,  /* Param, length, maxlen */
+               NULL, 0, 0xFFE0,            /* data, length, maxlen - Win2k 
needs a small buffer here too ! */
+               &rparam, &rprcnt,                /* return params, length */
+               &rdata, &rdrcnt);                /* return data, length */
+       if (!ok) {
+               DEBUG(4,("NetShareEnum failed\n"));
+               goto done;
+       }
 
-                                       TALLOC_FREE(frame);
-                               }
-                       } else {
-                               DEBUG(4,("NetShareEnum res=%d\n", res));
+       if (rprcnt < 6) {
+               DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
+               goto done;
+       }
+
+       res = rparam? SVAL(rparam,0) : -1;
+
+       if (res == 0 || res == ERRmoredata) {
+               int converter=SVAL(rparam,2);
+               int i;
+               char *rdata_end = rdata + rdrcnt;
+
+               count=SVAL(rparam,4);
+               p = rdata;
+
+               for (i=0;i<count;i++,p+=20) {
+                       char *sname;
+                       int type;
+                       int comment_offset;
+                       const char *cmnt;
+                       const char *p1;
+                       char *s1, *s2;
+                       size_t len;
+                       TALLOC_CTX *frame = talloc_stackframe();
+
+                       if (p + 20 > rdata_end) {
+                               TALLOC_FREE(frame);
+                               break;
                        }
-               } else {
-                       DEBUG(4,("NetShareEnum failed\n"));
+
+                       sname = p;
+                       type = SVAL(p,14);
+                       comment_offset = (IVAL(p,16) & 0xFFFF) - converter;
+                       if (comment_offset < 0 ||
+                           comment_offset > (int)rdrcnt) {
+                               TALLOC_FREE(frame);
+                               break;
+                       }
+                       cmnt = comment_offset?(rdata+comment_offset):"";
+
+                       /* Work out the comment length. */
+                       for (p1 = cmnt, len = 0; *p1 &&
+                                    p1 < rdata_end; len++)
+                               p1++;
+                       if (!*p1) {
+                               len++;
+                       }
+                       pull_string_talloc(frame,rdata,0,
+                                          &s1,sname,14,STR_ASCII);
+                       pull_string_talloc(frame,rdata,0,
+                                          &s2,cmnt,len,STR_ASCII);
+                       if (!s1 || !s2) {
+                               TALLOC_FREE(frame);
+                               continue;
+                       }
+
+                       fn(s1, type, s2, state);
+
+                       TALLOC_FREE(frame);
                }
+       } else {
+                       DEBUG(4,("NetShareEnum res=%d\n", res));
+       }
 
+done:
        SAFE_FREE(rparam);
        SAFE_FREE(rdata);
 
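Review bot: In the comment-length loop, `*p1 && p1 < rdata_end` dereferences p1 before the bound is tested, and the `if (!*p1)` after the loop reads it again, so a comment that runs to the end of rdata without a terminator is read one byte past rdata_end. The offset check `comment_offset > (int)rdrcnt` also lets comment_offset == rdrcnt through, which places cmnt exactly at rdata_end. These lines are only re-indented here, but since the series hardens this function against short replies, it is worth swapping the condition to `p1 < rdata_end && *p1`, guarding the post-loop test the same way, and rejecting `comment_offset >= (int)rdrcnt`. Minor points: the DEBUG line in the final else branch is indented one level too deep, and a one-line comment saying that 6 covers the three 16-bit fields read with SVAL(rparam,0), SVAL(rparam,2) and SVAL(rparam,4) would explain the new `rprcnt < 6` check.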
@@ -362,6 +372,13 @@ bool cli_NetServerEnum(struct cli_state *cli, char 
*workgroup, uint32_t stype,
                }
 
                rdata_end = rdata + rdrcnt;
+
+               if (rprcnt < 6) {
+                       DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
+                       res = -1;
+                       break;
+               }
+
                res = rparam ? SVAL(rparam,0) : -1;
 
                if (res == 0 || res == ERRmoredata ||
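Review bot: The new `rprcnt < 6` branch leaves the loop with `break`, and the cleanup of rparam and rdata for that path is not visible in this hunk; confirm that the code after the loop frees both, as the `done:` label does in cli_RNetShareEnum(). The check also covers only the length while the next line still tests `rparam ?`; testing `rparam == NULL || rprcnt < 6` in one place would make the ternary unnecessary and keep the two conditions together.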
@@ -560,10 +577,16 @@ bool cli_oem_change_password(struct cli_state *cli, const 
char *user, const char
                return False;
        }
 
+       if (rdrcnt < 2) {
+               cli->rap_error = ERRbadformat;
+               goto done;
+       }
+
        if (rparam) {
                cli->rap_error = SVAL(rparam,0);
        }
 
+done:
        SAFE_FREE(rparam);
        SAFE_FREE(rdata);
 
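Review bot: The added check tests `rdrcnt < 2`, the returned data length, but the read it is meant to guard is `SVAL(rparam,0)` on the returned parameter block, and the commit subject says rprcnt<2. As written, a reply with fewer than 2 parameter bytes and at least 2 data bytes still reaches the SVAL, while a reply with a complete parameter block and no data bytes is rejected with ERRbadformat. The condition should be `rprcnt < 2`.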


-- 
Samba Shared Repository
