The branch, master has been updated
via c52244b7e0a s3:libsmb: Make parse_node_status() more robust
via dfbd950a1d4 s3:winbind: Fix heap buffer overflow in winbind
via 267f20ec30c s3:utils: Fix memory leak in test_lmv2_ntlmv2_broken()
via 4f3fbb75d54 s3:utils: Fix memory leak in ntlm_auth_diagnostics
via dcd8851a4dd s3:utils: Remove trailing spaces in
ntlm_auth_diagnostics.c
via 8500336bf0b s3:utils: Fix memory leak in ntlm_auth
via c7a98bb3d80 s4:client: Fix memory leaks in smblcient4
via a48a1cba195 s4:client: Remove trailing spaces in client.c
via c8979f384db s4:torture: Fix memory leak in
torture_decode_compare_pac()
via 1a9ca80960e s4:torture: Remove trailing spaces in winbind.c
via 64294d21873 nsswitch: Fix memory leak in wbcDomainInfoList
via 9672f9918b4 nsswitch: Fix memory leak in nsstest
via 6a1196c5677 nsswitch: Fix memory leak in wbinfo_auth_krb5()
from 826b75bf038 Fix pam failure to register Pin following mfa poll
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit c52244b7e0a92b62f4a02f72d43ffc4a39d8412a
Author: Andreas Schneider <[email protected]>
Date: Fri Oct 18 08:07:47 2024 +0200
s3:libsmb: Make parse_node_status() more robust
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
Autobuild-User(master): Martin Schwenke <[email protected]>
Autobuild-Date(master): Thu Oct 24 12:05:10 UTC 2024 on atb-devel-224
commit dfbd950a1d424e0bfbd69cee346d983fb5343d54
Author: Andreas Schneider <[email protected]>
Date: Thu Oct 17 19:33:47 2024 +0200
s3:winbind: Fix heap buffer overflow in winbind
==36258==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x51300000b096 at pc 0x7fb6b4880b46 bp 0x7ffc67d44b40 sp 0x7ffc67d44300
READ of size 1 at 0x51300000b096 thread T0
#0 0x7fb6b4880b45 in strlen
../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391
#1 0x560fe898cde3 in winbindd_wins_byip_done
../../source3/winbindd/winbindd_wins_byip.c:111
#2 0x7fb6b4ef8ae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#3 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
#4 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#5 0x7fb6b1e24c80 in node_status_query_done
../../source3/libsmb/namequery.c:904
#6 0x7fb6b4ef8ae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#7 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
#8 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#9 0x7fb6b1e250bc in nb_trans_done ../../source3/libsmb/namequery.c:756
#10 0x7fb6b4ef8ae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#11 0x7fb6b4ef8d1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#12 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#13 0x7fb6b1e270af in sock_packet_read_got_socket
../../source3/libsmb/namequery.c:537
#14 0x7fb6b4ef8ae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#15 0x7fb6b4ef8d1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#16 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#17 0x7fb6b33db183 in tdgram_recvfrom_done
../../lib/tsocket/tsocket.c:240
#18 0x7fb6b4ef8ae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#19 0x7fb6b4ef8d1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#20 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#21 0x7fb6b33e0d99 in tdgram_bsd_recvfrom_handler
../../lib/tsocket/tsocket_bsd.c:1087
#22 0x7fb6b33e0263 in tdgram_bsd_fde_handler
../../lib/tsocket/tsocket_bsd.c:811
#23 0x7fb6b4ef5ac1 in tevent_common_invoke_fd_handler
../../lib/tevent/tevent_fd.c:174
#24 0x7fb6b4f0b185 in epoll_event_loop
../../lib/tevent/tevent_epoll.c:696
#25 0x7fb6b4f0b185 in epoll_event_loop_once
../../lib/tevent/tevent_epoll.c:926
#26 0x7fb6b4f037b8 in std_event_loop_once
../../lib/tevent/tevent_standard.c:110
#27 0x7fb6b4ef3549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
#28 0x560fe8a15198 in main ../../source3/winbindd/winbindd.c:1729
#29 0x7fb6afe2a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#30 0x7fb6afe2a378 in __libc_start_main_impl ../csu/libc-start.c:360
#31 0x560fe89454e4 in _start ../sysdeps/x86_64/start.S:115
0x51300000b096 is located 12 bytes after 330-byte region
[0x51300000af40,0x51300000b08a)
allocated by thread T0 here:
#0 0x7fb6b48fc777 in malloc
../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fb6b3a64c57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7fb6b3a66acf in __talloc ../../lib/talloc/talloc.c:825
#3 0x7fb6b3a66acf in _talloc_named_const ../../lib/talloc/talloc.c:982
#4 0x7fb6b3a66acf in _talloc_array ../../lib/talloc/talloc.c:2784
#5 0x7fb6b1e2b43e in parse_node_status
../../source3/libsmb/namequery.c:337
#6 0x7fb6b1e2b43e in node_status_query_recv
../../source3/libsmb/namequery.c:921
#7 0x560fe898cc4f in winbindd_wins_byip_done
../../source3/winbindd/winbindd_wins_byip.c:87
#8 0x7fb6b4ef8ae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#9 0x7fb6b4ef8d1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
#10 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#11 0x7fb6b1e24c80 in node_status_query_done
../../source3/libsmb/namequery.c:904
#12 0x7fb6b4ef8ae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#13 0x7fb6b4ef8d1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#14 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#15 0x7fb6b1e250bc in nb_trans_done ../../source3/libsmb/namequery.c:756
#16 0x7fb6b4ef8ae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#17 0x7fb6b4ef8d1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#18 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#19 0x7fb6b1e270af in sock_packet_read_got_socket
../../source3/libsmb/namequery.c:537
#20 0x7fb6b4ef8ae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#21 0x7fb6b4ef8d1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#22 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#23 0x7fb6b33db183 in tdgram_recvfrom_done
../../lib/tsocket/tsocket.c:240
#24 0x7fb6b4ef8ae5 in _tevent_req_notify_callback
../../lib/tevent/tevent_req.c:177
#25 0x7fb6b4ef8d1c in tevent_req_finish
../../lib/tevent/tevent_req.c:234
#26 0x7fb6b4ef8d84 in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#27 0x7fb6b33e0d99 in tdgram_bsd_recvfrom_handler
../../lib/tsocket/tsocket_bsd.c:1087
#28 0x7fb6b33e0263 in tdgram_bsd_fde_handler
../../lib/tsocket/tsocket_bsd.c:811
#29 0x7fb6b4ef5ac1 in tevent_common_invoke_fd_handler
../../lib/tevent/tevent_fd.c:174
#30 0x7fb6b4f0b185 in epoll_event_loop
../../lib/tevent/tevent_epoll.c:696
#31 0x7fb6b4f0b185 in epoll_event_loop_once
../../lib/tevent/tevent_epoll.c:926
#32 0x7fb6b4f037b8 in std_event_loop_once
../../lib/tevent/tevent_standard.c:110
#33 0x7fb6b4ef3549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit 267f20ec30c7e8ead37cb43b6c8a04c19a3d4ad7
Author: Andreas Schneider <[email protected]>
Date: Fri Oct 18 15:32:58 2024 +0200
s3:utils: Fix memory leak in test_lmv2_ntlmv2_broken()
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit 4f3fbb75d54bf109105e6b455f0dd14b90d7adaf
Author: Andreas Schneider <[email protected]>
Date: Thu Oct 17 15:10:22 2024 +0200
s3:utils: Fix memory leak in ntlm_auth_diagnostics
Direct leak of 120 byte(s) in 1 object(s) allocated from:
#0 0x7f2f7f0fc777 in malloc
../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f2f7ee24c57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7f2f7ee26acf in __talloc ../../lib/talloc/talloc.c:825
#3 0x7f2f7ee26acf in _talloc_named_const ../../lib/talloc/talloc.c:982
#4 0x7f2f7ee26acf in _talloc_array ../../lib/talloc/talloc.c:2784
#5 0x7f2f7e3f6a99 in data_blob_talloc_named
../../lib/util/data_blob.c:58
#6 0x7f2f7e3f6b1b in data_blob_named ../../lib/util/data_blob.c:40
#7 0x5570b9e36100 in test_lm_ntlm_broken
../../source3/utils/ntlm_auth_diagnostics.c:56
#8 0x5570b9e36b5d in test_ntlm
../../source3/utils/ntlm_auth_diagnostics.c:180
#9 0x5570b9e387f3 in diagnose_ntlm_auth
../../source3/utils/ntlm_auth_diagnostics.c:707
#10 0x5570b9e34efd in main ../../source3/utils/ntlm_auth.c:2855
#11 0x7f2f7ba2a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
Reviewed-by: Martin Schwenke <[email protected]>
commit dcd8851a4dd0744685a853407628a3fb30da7531
Author: Andreas Schneider <[email protected]>
Date: Thu Oct 17 15:12:02 2024 +0200
s3:utils: Remove trailing spaces in ntlm_auth_diagnostics.c
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit 8500336bf0b328e763c71a8e99f1be1e566e08cc
Author: Andreas Schneider <[email protected]>
Date: Tue Oct 15 17:49:38 2024 +0200
s3:utils: Fix memory leak in ntlm_auth
Direct leak of 192 byte(s) in 1 object(s) allocated from:
#0 0x7fc5afefc777 in malloc
../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fc5afaefc57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7fc5afaf18cf in __talloc ../../lib/talloc/talloc.c:825
#3 0x7fc5afaf18cf in _talloc_named_const ../../lib/talloc/talloc.c:982
#4 0x7fc5afaf18cf in _talloc_zero ../../lib/talloc/talloc.c:2421
#5 0x7fc5aeac4809 in loadparm_init_s3 ../../lib/param/loadparm.c:3223
#6 0x560ee34b3949 in main ../../source3/utils/ntlm_auth.c:2806
#7 0x7fc5ac62a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit c7a98bb3d80711210219c0d8033816b7f55a7712
Author: Andreas Schneider <[email protected]>
Date: Tue Oct 15 17:41:57 2024 +0200
s4:client: Fix memory leaks in smblcient4
==375711==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 20 byte(s) in 1 object(s) allocated from:
#0 0x7f83838f6880 in strdup
../../../../libsanitizer/asan/asan_interceptors.cpp:578
#1 0x55a06cc7c244 in main ../../source4/client/client.c:3470
#2 0x7f837fe2a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit a48a1cba19518e4add1d3a92c20b6dcdc6d50a69
Author: Andreas Schneider <[email protected]>
Date: Wed Oct 16 08:46:43 2024 +0200
s4:client: Remove trailing spaces in client.c
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit c8979f384db013336995092d5ee7d19996a388b6
Author: Andreas Schneider <[email protected]>
Date: Thu Oct 17 15:04:34 2024 +0200
s4:torture: Fix memory leak in torture_decode_compare_pac()
Direct leak of 200 byte(s) in 1 object(s) allocated from:
#0 0x7f42972fc130 in calloc
../../../../libsanitizer/asan/asan_malloc_linux.cpp:77
#1 0x7f4296cf3054 in wbcAllocateMemory
../../nsswitch/libwbclient/wbclient.c:216
#2 0x7f4296cf386c in wbc_create_auth_info
../../nsswitch/libwbclient/wbc_pam.c:96
#3 0x7f4296cf59a1 in wbcCtxAuthenticateUserEx
../../nsswitch/libwbclient/wbc_pam.c:561
#4 0x7f4296cf5d98 in wbcAuthenticateUserEx
../../nsswitch/libwbclient/wbc_pam.c:578
#5 0x55f8ff6023f1 in torture_decode_compare_pac
../../source4/torture/winbind/winbind.c:120
#6 0x55f8ff6023f1 in torture_winbind_pac
../../source4/torture/winbind/winbind.c:291
#7 0x55f8ff603c98 in torture_winbind_pac_gss_spnego
../../source4/torture/winbind/winbind.c:303
#8 0x7f4295ff560c in wrap_simple_test ../../lib/torture/torture.c:712
#9 0x7f4295ff748d in internal_torture_run_test
../../lib/torture/torture.c:520
#10 0x7f4295ff7904 in torture_run_tcase_restricted
../../lib/torture/torture.c:585
#11 0x7f4295ff7e69 in torture_run_suite_restricted
../../lib/torture/torture.c:439
#12 0x55f8ff7980ba in run_matching ../../source4/torture/smbtorture.c:96
#13 0x55f8ff798141 in run_matching
../../source4/torture/smbtorture.c:106
#14 0x55f8ff798e41 in torture_run_named_tests
../../source4/torture/smbtorture.c:173
#15 0x55f8ff79cf03 in main ../../source4/torture/smbtorture.c:754
#16 0x7f4291a2a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit 1a9ca80960e77998b4b32940f71ddc98c28cc53e
Author: Andreas Schneider <[email protected]>
Date: Thu Oct 17 15:11:26 2024 +0200
s4:torture: Remove trailing spaces in winbind.c
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit 64294d21873d888083be39cb5010eb0dd73c8896
Author: Andreas Schneider <[email protected]>
Date: Tue Oct 15 17:46:24 2024 +0200
nsswitch: Fix memory leak in wbcDomainInfoList
==379167==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 44 byte(s) in 2 object(s) allocated from:
#0 0x7f54522f6880 in strdup
../../../../libsanitizer/asan/asan_interceptors.cpp:578
#1 0x7f54520d5a95 in process_domain_info_string
../../nsswitch/libwbclient/wbc_util.c:471
#2 0x7f54520d5a95 in wbcCtxListTrusts
../../nsswitch/libwbclient/wbc_util.c:612
#3 0x7f54520d6426 in wbcListTrusts
../../nsswitch/libwbclient/wbc_util.c:632
#4 0x558c48799cf7 in wbinfo_list_domains ../../nsswitch/wbinfo.c:515
#5 0x558c487a72db in main ../../nsswitch/wbinfo.c:3300
#6 0x7f544f42a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit 9672f9918b49cf8d9e6ff99f8fbd100572624940
Author: Andreas Schneider <[email protected]>
Date: Tue Oct 15 17:12:07 2024 +0200
nsswitch: Fix memory leak in nsstest
Direct leak of 832 byte(s) in 13 object(s) allocated from:
#0 0x7efc8e0fc777 in malloc
../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x562cb6e96d44 in nss_test_initgroups ../../nsswitch/nsstest.c:381
#2 0x562cb6e96d44 in nss_test_users ../../nsswitch/nsstest.c:424
#3 0x562cb6e96d44 in main ../../nsswitch/nsstest.c:493
#4 0x7efc8dc2a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
commit 6a1196c5677519d6280a9f01149eb8a01ca106bd
Author: Andreas Schneider <[email protected]>
Date: Tue Oct 15 08:51:43 2024 +0200
nsswitch: Fix memory leak in wbinfo_auth_krb5()
Direct leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x7ff206afc130 in calloc
../../../../libsanitizer/asan/asan_malloc_linux.cpp:77
#1 0x7ff206837054 in wbcAllocateMemory
../../nsswitch/libwbclient/wbclient.c:216
#2 0x7ff20683c76a in wbc_create_password_policy_info
../../nsswitch/libwbclient/wbc_pam.c:295
#3 0x7ff20683c76a in wbcCtxLogonUser
../../nsswitch/libwbclient/wbc_pam.c:1290
#4 0x7ff20683caec in wbcLogonUser
../../nsswitch/libwbclient/wbc_pam.c:1307
#5 0x556ea348db12 in wbinfo_auth_krb5 ../../nsswitch/wbinfo.c:1723
#6 0x556ea348db12 in main ../../nsswitch/wbinfo.c:3238
#7 0x7ff203c2a2ad in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
nsswitch/libwbclient/wbc_util.c | 1 +
nsswitch/nsstest.c | 1 +
nsswitch/wbinfo.c | 10 +-
source3/libsmb/namequery.c | 57 ++--
source3/utils/ntlm_auth.c | 2 +-
source3/utils/ntlm_auth_diagnostics.c | 109 ++++----
source3/winbindd/winbindd_wins_byip.c | 3 +-
source4/client/client.c | 492 +++++++++++++++++-----------------
source4/torture/winbind/winbind.c | 14 +-
9 files changed, 368 insertions(+), 321 deletions(-)
Changeset truncated at 500 lines:
diff --git a/nsswitch/libwbclient/wbc_util.c b/nsswitch/libwbclient/wbc_util.c
index 9e54baf54d7..5618039a89d 100644
--- a/nsswitch/libwbclient/wbc_util.c
+++ b/nsswitch/libwbclient/wbc_util.c
@@ -549,6 +549,7 @@ static void wbcDomainInfoListDestructor(void *ptr)
while (i->short_name != NULL) {
free(i->short_name);
free(i->dns_name);
+ free(i->trust_routing);
i += 1;
}
}
diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
index 45270cdc459..21d04b53126 100644
--- a/nsswitch/nsstest.c
+++ b/nsswitch/nsstest.c
@@ -395,6 +395,7 @@ static void nss_test_initgroups(char *name, gid_t gid)
printf("%lu, ", (unsigned long)groups[i]);
}
printf("%lu\n", (unsigned long)groups[i]);
+ SAFE_FREE(groups);
}
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 6148b204043..87053fac9a7 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1656,9 +1656,9 @@ static bool wbinfo_auth_krb5(char *username, const char
*cctype, uint32_t flags)
char *local_cctype = NULL;
uid_t uid;
struct wbcLogonUserParams params;
- struct wbcLogonUserInfo *info;
- struct wbcAuthErrorInfo *error;
- struct wbcUserPasswordPolicyInfo *policy;
+ struct wbcLogonUserInfo *info = NULL;
+ struct wbcAuthErrorInfo *error = NULL;
+ struct wbcUserPasswordPolicyInfo *policy = NULL;
TALLOC_CTX *frame = talloc_tos();
if ((s = talloc_strdup(frame, username)) == NULL) {
@@ -1762,7 +1762,9 @@ static bool wbinfo_auth_krb5(char *username, const char
*cctype, uint32_t flags)
}
}
done:
-
+ wbcFreeMemory(error);
+ wbcFreeMemory(policy);
+ wbcFreeMemory(info);
wbcFreeMemory(params.blobs);
return WBC_ERROR_IS_OK(wbc_status);
diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c
index b1500b85e0b..c855e43284e 100644
--- a/source3/libsmb/namequery.c
+++ b/source3/libsmb/namequery.c
@@ -321,39 +321,63 @@ static int generate_trn_id(void)
Parse a node status response into an array of structures.
****************************************************************************/
-static struct node_status *parse_node_status(TALLOC_CTX *mem_ctx, char *p,
- size_t *num_names,
- struct node_status_extra *extra)
+static struct node_status *parse_node_status(TALLOC_CTX *mem_ctx,
+ const char *rdata,
+ size_t rdlen,
+ size_t *num_names,
+ struct node_status_extra *extra)
{
struct node_status *ret;
size_t i;
+ size_t len = 0;
size_t result_count = 0;
+ const size_t result_len = MAX_NETBIOSNAME_LEN + sizeof(uint8_t) +
+ sizeof(char);
+ const char *r = NULL;
+
+ *num_names = 0;
+ if (rdlen == 0) {
+ return NULL;
+ }
- result_count = CVAL(p,0);
+ result_count = PULL_LE_U8(rdata, 0);
+ if (result_count == 0) {
+ return NULL;
+ }
+ r = rdata + 1;
- if (result_count == 0)
+ len = result_len * result_count + sizeof(uint8_t);
+ if (len > rdlen) {
return NULL;
+ }
- ret = talloc_array(mem_ctx, struct node_status,result_count);
+ ret = talloc_zero_array(mem_ctx, struct node_status, result_count);
if (!ret)
return NULL;
- p++;
- for (i=0;i< result_count;i++) {
- strlcpy(ret[i].name,p,16);
+ for (i = 0; i < result_count; i++) {
+ strlcpy(ret[i].name, r, MAX_NETBIOSNAME_LEN);
trim_char(ret[i].name,'\0',' ');
- ret[i].type = CVAL(p,15);
- ret[i].flags = p[16];
- p += 18;
+ ret[i].type = PULL_LE_U8(r, 15);
+ ret[i].flags = r[16];
+
+ r += result_len;
+
DEBUG(10, ("%s#%02x: flags = 0x%02x\n", ret[i].name,
ret[i].type, ret[i].flags));
}
+
/*
* Also, pick up the MAC address ...
*/
if (extra) {
- memcpy(&extra->mac_addr, p, 6); /* Fill in the mac addr */
+ if (len + 6 > rdlen) {
+ TALLOC_FREE(ret);
+ return NULL;
+ }
+ memcpy(&extra->mac_addr, r, 6); /* Fill in the mac addr */
}
+
*num_names = result_count;
return ret;
}
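Review bot: `strlcpy(ret[i].name, r, MAX_NETBIOSNAME_LEN);` still walks past the 15-byte name field, because strlcpy computes strlen() of its source and the name bytes in a node-status record are not NUL-terminated, so the read continues through the type/flags bytes and into following records until it meets a zero; the new `len > rdlen` check bounds the 18-byte records, not that walk. Whether the walk can leave the enclosing rdata buffer depends on how the packet was parsed (not visible here), but the copy should not depend on it; since `ret` is now from talloc_zero_array, a bounded copy gives the same string: `memcpy(ret[i].name, r, MAX_NETBIOSNAME_LEN - 1);` (assumes name[] has at least MAX_NETBIOSNAME_LEN bytes — confirm against struct node_status). For consistency with the type read on the previous line, `ret[i].flags = PULL_LE_U8(r, 16);` would also avoid going through a possibly signed `char`. A one-line comment above the length check, `/* 1 count byte + result_count records of name(15)+type(1)+flags(1) */`, would explain where result_len and the extra sizeof(uint8_t) come from.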
@@ -919,8 +943,11 @@ NTSTATUS node_status_query_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
return status;
}
node_status = parse_node_status(
- mem_ctx, &state->packet->packet.nmb.answers->rdata[0],
- &num_names, extra);
+ mem_ctx,
+ state->packet->packet.nmb.answers->rdata,
+ state->packet->packet.nmb.answers->rdlength,
+ &num_names,
+ extra);
if (node_status == NULL) {
return NT_STATUS_NO_MEMORY;
}
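Review bot: `return NT_STATUS_NO_MEMORY;` at the end of this hunk now also covers the case where parse_node_status() rejected a truncated or malformed answer (rdlength shorter than the advertised record count, or too short for the MAC address), so callers and logs will report an allocation failure for bad network data. Distinguishing the two needs parse_node_status() to report its reason (an NTSTATUS return or an out-parameter) rather than a bare NULL, with the length checks mapped to something like NT_STATUS_INVALID_NETWORK_RESPONSE and NT_STATUS_NO_MEMORY kept for the talloc failure. The body of node_status_query_recv() begins outside this hunk.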
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index e9b644724d9..3642df89c8d 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -2803,7 +2803,7 @@ enum {
opt_workstation = "";
}
- lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers());
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
if (lp_ctx == NULL) {
fprintf(stderr, "loadparm_init_s3() failed!\n");
exit(1);
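Review bot: Reparenting lp_ctx onto `frame` only fixes the leak safely if `frame` outlives every use of lp_ctx; main() continues well past this hunk and the point where frame is freed is not visible here, so it is worth confirming that no later helper retains lp_ctx (or values loaded through it) beyond that free. A short comment at the assignment would make the ownership explicit: `/* lp_ctx is owned by frame and released with it at the end of main() */`.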
diff --git a/source3/utils/ntlm_auth_diagnostics.c
b/source3/utils/ntlm_auth_diagnostics.c
index 6a76e733982..69034434148 100644
--- a/source3/utils/ntlm_auth_diagnostics.c
+++ b/source3/utils/ntlm_auth_diagnostics.c
@@ -1,22 +1,22 @@
-/*
+/*
Unix SMB/CIFS implementation.
Winbind status program.
Copyright (C) Tim Potter 2000-2003
Copyright (C) Andrew Bartlett <[email protected]> 2003-2004
- Copyright (C) Francesco Chemolli <[email protected]> 2000
+ Copyright (C) Francesco Chemolli <[email protected]> 2000
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -37,12 +37,12 @@ enum ntlm_break {
NO_NT
};
-/*
+/*
Authenticate a user with a challenge/response, checking session key
and valid authentication types
*/
-/*
+/*
* Test the normal 'LM and NTLM' combination
*/
@@ -62,7 +62,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which,
uchar nt_hash[16];
DATA_BLOB chall = get_challenge();
char *error_string;
-
+
ZERO_STRUCT(lm_key);
ZERO_STRUCT(user_session_key);
@@ -70,7 +70,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which,
flags |= WBFLAG_PAM_USER_SESSION_KEY;
SMBencrypt(opt_password,chall.data,lm_response.data);
- E_deshash(opt_password, lm_hash);
+ E_deshash(opt_password, lm_hash);
SMBNTencrypt(opt_password,chall.data,nt_response.data);
@@ -94,24 +94,27 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which,
break;
}
- nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
opt_workstation,
&chall,
&lm_response,
&nt_response,
flags, 0,
- lm_key,
+ lm_key,
user_session_key,
&authoritative,
&error_string, NULL);
-
+
data_blob_free(&lm_response);
+ data_blob_free(&nt_response);
if (!NT_STATUS_IS_OK(nt_status)) {
- d_printf("%s (0x%x)\n",
+ d_printf("%s (0x%x)\n",
error_string,
NT_STATUS_V(nt_status));
SAFE_FREE(error_string);
+ data_blob_free(&session_key);
+
return break_which == BREAK_NT;
}
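Review bot: The blobs released here — `session_key`, `nt_response`, `lm_response` — are derived from opt_password, and data_blob_free() leaves their contents on the heap after the free; `data_blob_clear_free(&session_key);` (and likewise for the two responses) would zeroize them first at no other cost. The same applies to the `data_blob_free(&session_key)` added at the end of the function in the next hunk and to the `ntlmv2_session_key` free in test_lmv2_ntlmv2_broken(). The body of test_lm_ntlm_broken() between this failure path and the final free is outside the hunks shown, so any other return in that stretch would still leak session_key; worth a glance.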
@@ -138,7 +141,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which,
}
if (break_which == NO_NT) {
- if (memcmp(lm_hash, user_session_key,
+ if (memcmp(lm_hash, user_session_key,
8) != 0) {
DEBUG(1, ("NT Session Key does not match expectations
(should be LM hash)!\n"));
DEBUG(1, ("user_session_key:\n"));
@@ -147,8 +150,8 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which,
dump_data(1, lm_hash, sizeof(lm_hash));
pass = False;
}
- } else {
- if (memcmp(session_key.data, user_session_key,
+ } else {
+ if (memcmp(session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
DEBUG(1, ("NT Session Key does not match
expectations!\n"));
DEBUG(1, ("user_session_key:\n"));
@@ -158,10 +161,12 @@ static bool test_lm_ntlm_broken(enum ntlm_break
break_which,
pass = False;
}
}
+ data_blob_free(&session_key);
+
return pass;
}
-/*
+/*
* Test LM authentication, no NT response supplied
*/
@@ -171,7 +176,7 @@ static bool test_lm(bool lanman_support_expected)
return test_lm_ntlm_broken(NO_NT, lanman_support_expected);
}
-/*
+/*
* Test the NTLM response only, no LM.
*/
@@ -180,7 +185,7 @@ static bool test_ntlm(bool lanman_support_expected)
return test_lm_ntlm_broken(NO_LM, lanman_support_expected);
}
-/*
+/*
* Test the NTLM response only, but in the LM field.
*/
@@ -196,7 +201,7 @@ static bool test_ntlm_in_lm(bool lanman_support_expected)
uchar user_session_key[16];
DATA_BLOB chall = get_challenge();
char *error_string;
-
+
ZERO_STRUCT(user_session_key);
flags |= WBFLAG_PAM_LMKEY;
@@ -204,9 +209,9 @@ static bool test_ntlm_in_lm(bool lanman_support_expected)
SMBNTencrypt(opt_password,chall.data,nt_response.data);
- E_deshash(opt_password, lm_hash);
+ E_deshash(opt_password, lm_hash);
- nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
opt_workstation,
&chall,
&nt_response,
@@ -216,11 +221,11 @@ static bool test_ntlm_in_lm(bool lanman_support_expected)
user_session_key,
&authoritative,
&error_string, NULL);
-
+
data_blob_free(&nt_response);
if (!NT_STATUS_IS_OK(nt_status)) {
- d_printf("%s (0x%x)\n",
+ d_printf("%s (0x%x)\n",
error_string,
NT_STATUS_V(nt_status));
SAFE_FREE(error_string);
@@ -267,7 +272,7 @@ static bool test_ntlm_in_lm(bool lanman_support_expected)
return pass;
}
-/*
+/*
* Test the NTLM response only, but in the both the NT and LM fields.
*/
@@ -285,7 +290,7 @@ static bool test_ntlm_in_both(bool lanman_support_expected)
uint8_t nt_hash[16];
DATA_BLOB chall = get_challenge();
char *error_string;
-
+
ZERO_STRUCT(lm_key);
ZERO_STRUCT(user_session_key);
@@ -296,9 +301,9 @@ static bool test_ntlm_in_both(bool lanman_support_expected)
E_md4hash(opt_password, nt_hash);
SMBsesskeygen_ntv1(nt_hash, session_key.data);
- E_deshash(opt_password, lm_hash);
+ E_deshash(opt_password, lm_hash);
- nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
opt_workstation,
&chall,
&nt_response,
@@ -308,11 +313,11 @@ static bool test_ntlm_in_both(bool
lanman_support_expected)
user_session_key,
&authoritative,
&error_string, NULL);
-
+
data_blob_free(&nt_response);
if (!NT_STATUS_IS_OK(nt_status)) {
- d_printf("%s (0x%x)\n",
+ d_printf("%s (0x%x)\n",
error_string,
NT_STATUS_V(nt_status));
SAFE_FREE(error_string);
@@ -340,7 +345,7 @@ static bool test_ntlm_in_both(bool lanman_support_expected)
pass = False;
}
}
- if (memcmp(session_key.data, user_session_key,
+ if (memcmp(session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
DEBUG(1, ("NT Session Key does not match expectations!\n"));
DEBUG(1, ("user_session_key:\n"));
@@ -354,11 +359,11 @@ static bool test_ntlm_in_both(bool
lanman_support_expected)
return pass;
}
-/*
+/*
* Test the NTLMv2 and LMv2 responses
*/
-static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
+static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
{
bool pass = True;
NTSTATUS nt_status;
@@ -373,7 +378,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break
break_which)
char *error_string;
ZERO_STRUCT(user_session_key);
-
+
flags |= WBFLAG_PAM_USER_SESSION_KEY;
if (!SMBNTLMv2encrypt(NULL, opt_username, opt_domain, opt_password,
&chall,
@@ -402,29 +407,29 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break
break_which)
break;
}
- nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
+ nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
opt_workstation,
&chall,
&lmv2_response,
&ntlmv2_response,
flags, 0,
- NULL,
+ NULL,
user_session_key,
&authoritative,
&error_string, NULL);
-
+
data_blob_free(&lmv2_response);
data_blob_free(&ntlmv2_response);
if (!NT_STATUS_IS_OK(nt_status)) {
- d_printf("%s (0x%x)\n",
+ d_printf("%s (0x%x)\n",
error_string,
NT_STATUS_V(nt_status));
SAFE_FREE(error_string);
return break_which == BREAK_NT;
}
- if (break_which != NO_NT && break_which != BREAK_NT &&
memcmp(ntlmv2_session_key.data, user_session_key,
+ if (break_which != NO_NT && break_which != BREAK_NT &&
memcmp(ntlmv2_session_key.data, user_session_key,
sizeof(user_session_key)) != 0) {
DEBUG(1, ("USER (NTLMv2) Session Key does not match
expectations!\n"));
DEBUG(1, ("user_session_key:\n"));
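Review bot: The failure path at `return break_which == BREAK_NT;` in this hunk still leaks `ntlmv2_session_key`: it is already allocated at that point (it is read by the memcmp a few lines below), but only `lmv2_response` and `ntlmv2_response` are released before the return, and the `data_blob_free(&ntlmv2_session_key)` the commit adds in the next hunk sits after it. Adding `data_blob_free(&ntlmv2_session_key);` next to the two existing frees on the error path closes it. If SMBNTLMv2encrypt() also filled an LMv2 session-key blob for this function (its argument list is outside the hunk), that one appears to be freed on neither path — confirm.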
@@ -433,10 +438,12 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break
break_which)
dump_data(1, ntlmv2_session_key.data,
ntlmv2_session_key.length);
pass = False;
}
+
+ data_blob_free(&ntlmv2_session_key);
return pass;
}
-/*
+/*
* Test the NTLMv2 and LMv2 responses
*/
@@ -445,7 +452,7 @@ static bool test_lmv2_ntlmv2(bool lanman_support_expected)
return test_lmv2_ntlmv2_broken(BREAK_NONE);
}
-/*
+/*
* Test the LMv2 response only
*/
@@ -454,7 +461,7 @@ static bool test_lmv2(bool lanman_support_expected)
return test_lmv2_ntlmv2_broken(NO_NT);
}
-/*
+/*
* Test the NTLMv2 response only
*/
@@ -505,7 +512,7 @@ static bool test_plaintext(enum ntlm_break break_which)
char *error_string;
ZERO_STRUCT(user_session_key);
-
+
flags |= WBFLAG_PAM_LMKEY;
flags |= WBFLAG_PAM_USER_SESSION_KEY;
@@ -526,7 +533,7 @@ static bool test_plaintext(enum ntlm_break break_which)
if (!convert_string_talloc(talloc_tos(), CH_UNIX,
CH_DOS, password,
- strlen(password)+1,
--
Samba Shared Repository