sssd.git/src/responder, branch token3

mmap_cache: Do not remove record from chain twice

2013-09-09T11:57:27+00:00

It is not very likely, that record will have the same hash1 and hash2, but it
is possible. In this situation, it does not make sense to remove record twice.

Function sss_mc_rm_rec_from_chain was not robust and sssd_nss could crash
in this situation. It was only possible if record was alone in chain.

Resolves:
https://fedorahosted.org/sssd/ticket/2049

Include sys/types.h for types id_t and uid_t

2013-09-03T11:59:04+00:00

DP: Use the correct type for DBus boolean

2013-08-28T17:28:22+00:00

https://fedorahosted.org/sssd/ticket/2057

NSS: Descend into subdomains if enumerate=true

2013-08-28T16:08:42+00:00

Since we now store the enumerate flag in sysdb for subdomains, we can
always descend to all available subdomains and if they do not allow
enumeration, simply skip them.

mmap_cache: Use stricter check for hash keys.

2013-08-28T14:47:41+00:00

ht_size is size of hash_table in bytes, but hash keys have type uint32_t

mmap_cache: Skip records which doesn't have same hash

2013-08-28T14:43:50+00:00

The code uses 2 hashes for each record, but only one hash table to
index them both, furthermore each record has only one single 'next'
pointer.

This means that in certain conditions a record main end up being on a
hash chain even though its hashes do not match the hash chain. This can
happen when another record 'drags' it in from another hash chain where
they both belong.

If the record without matching hashes happens to be the second of the
chain and the first record is removed, then the non matching record is
left on the wrong chain. On removal of the non-matching record the hash
chain will not be updated and the hash chain will end up pointing to an
invalid slot.
This slot may be later reused for another record and may not be the
first slot of this new record. In this case the hash chain will point to
arbitrary data and may cause issues if the slot is interpreted as the
head of a record.

By skipping any block that has no matching hashes upon removing the
first record in a chain we insure that dangling references cannot be
left in the hash table

Resolves:
https://fedorahosted.org/sssd/ticket/2049

sss_packet_grow: correctly pad packet length to 512B

2013-08-28T14:21:22+00:00

https://fedorahosted.org/sssd/ticket/2059

If len % SSSSRV_PACKET_MEM_SIZE == 0 or some low number,
we can end up with totlen < len and return EINVAL.

It also does not pad the length, but usually allocates
much more memory than is desired.

len = 1024
n = 1024 % 512 + 1 = 0 + 1 = 1
totlen = 1 * 512 = 512
=> totlen < len

len = 511
n = 511 % 512 + 1 = 511 + 1
totlen = 512 * 512 = 262144
totlen is way bigger than it was supposed to be

PAC: Skip SIDs that cannot be resolved to domain

2013-08-26T09:49:17+00:00

PAC: use SID instead of GID to search for groups

2013-08-26T09:44:42+00:00

With the support of POSIX IDs managed on the AD side we may find
non-POSIX groups, i.e. groups which do not have a GID assigned in AD, in
the PAC. Since in this case all cached groups have a SDI attribute it is
more reliable to search the groups by SID instead of GID.

PAC: do not fail if a single group cannot be added/removed

2013-08-26T09:44:42+00:00

When processing a list of groups we try to process as much as possible
only not stop on the first error.