diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2014-06-17 16:03:22 +1200 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2014-07-09 08:42:08 +0200 |
| commit | d7b4d10aba90f4a1acf01d1d5ab62161862f62f7 (patch) | |
| tree | f1736d58c520166d476bab49cbd1963594853f7d /source3/passdb | |
| parent | 1592eaa5c781af83aa64bc4e7211339e1d1eafce (diff) | |
| download | samba-d7b4d10aba90f4a1acf01d1d5ab62161862f62f7.tar.gz samba-d7b4d10aba90f4a1acf01d1d5ab62161862f62f7.tar.xz samba-d7b4d10aba90f4a1acf01d1d5ab62161862f62f7.zip | |
dsdb: Always store and return the userParameters as a array of LE 16-bit values
This is not allowed to be odd length, as otherwise we can not send it over the SAMR transport correctly.
Allocating one byte less memory than required causes malloc() heap corruption
and then a crash or lockup of the SAMR server.
Andrew Bartlett
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130
Change-Id: I5c0c531c1d660141e07f884a4789ebe11c1716f6
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/passdb')
| -rw-r--r-- | source3/passdb/pdb_samba_dsdb.c | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c index 7e7468dcdb..b04e7b230a 100644 --- a/source3/passdb/pdb_samba_dsdb.c +++ b/source3/passdb/pdb_samba_dsdb.c @@ -259,9 +259,13 @@ static NTSTATUS pdb_samba_dsdb_init_sam_from_priv(struct pdb_methods *m, pdb_set_workstations(sam, str, PDB_SET); } - str = ldb_msg_find_attr_as_string(msg, "userParameters", - NULL); - if (str != NULL) { + blob = ldb_msg_find_ldb_val(msg, "userParameters"); + if (blob != NULL) { + str = base64_encode_data_blob(frame, *blob); + if (str == NULL) { + DEBUG(0, ("base64_encode_data_blob() failed\n")); + goto fail; + } pdb_set_munged_dial(sam, str, PDB_SET); } @@ -555,8 +559,25 @@ static int pdb_samba_dsdb_replace_by_sam(struct pdb_samba_dsdb_state *state, /* This will need work, it is actually a UTF8 'string' with internal NULLs, to handle TS parameters */ if (need_update(sam, PDB_MUNGEDDIAL)) { - ret |= ldb_msg_add_string(msg, "userParameters", - pdb_get_munged_dial(sam)); + const char *base64_munged_dial = NULL; + + base64_munged_dial = pdb_get_munged_dial(sam); + if (base64_munged_dial != NULL && strlen(base64_munged_dial) > 0) { + struct ldb_val blob; + + blob = base64_decode_data_blob_talloc(msg, + base64_munged_dial); + if (blob.data == NULL) { + DEBUG(0, ("Failed to decode userParameters from " + "munged dialback string[%s] for %s\n", + base64_munged_dial, + ldb_dn_get_linearized(msg->dn))); + talloc_free(frame); + return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; + } + ret |= ldb_msg_add_steal_value(msg, "userParameters", + &blob); + } } if (need_update(sam, PDB_COUNTRY_CODE)) { |