path: root/source/libsmb
Commit message  [Author, Age, Files, Lines (-removed/+added)]

* Fix denial of service - memory corruption.  [Karolin Seeger, 2011-02-28, 1 file, -0/+5]
  CVE-2011-0719
  Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
  All current released versions of Samba are vulnerable to a denial of service caused by memory corruption. Range checks on file descriptors being used in the FD_SET macro were not present allowing stack corruption. This can cause the Samba code to crash or to loop attempting to select on a bad file descriptor set.
  A connection to a file share, or a local account is needed to exploit this problem, either authenticated or unauthenticated (guest connection).
  Currently we do not believe this flaw is exploitable beyond a crash or causing the code to loop, but on the advice of our security reviewers we are releasing fixes in case an exploit is discovered at a later date.
  (cherry picked from commit 724e44eed299c618066dec411530aa9f156119ec)

* Fix bug #7669.  [Jeremy Allison, 2010-09-15, 1 file, -1/+3]
  Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in Samba4).
  CVE-2010-3069:
  ===========
  Description
  ===========
  All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server.
  A connection to a file share is needed to exploit this vulnerability, either authenticated or unauthenticated (guest connection).
  (cherry picked from commit df1c76e2275068d1006e82a4a21d42b58175268b)

* Fix off-by-one error in working out the limit of the NetServerEnum comment.  [Jeremy Allison, 2010-02-22, 1 file, -1/+1]
  Jeremy.
  (cherry picked from commit 9ad6f432f3f5844b4b419e7cbaf3c3e70b052d29)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>

* s3:libsmb: fix NetServerEnum3 rap calls.  [Stefan Metzmacher, 2010-02-22, 1 file, -5/+19]
  metze
  (cherry picked from commit 9b5198dd443a00fdad4faa1f9cdabedd81012d93)

* s3:libsmb: don't reuse the caller's stype variable in cli_NetServerEnum()  [Stefan Metzmacher, 2010-02-05, 1 file, -2/+3]
  When we need to do more than one network operation to get the browse list we need to use the same 'stype' value each time.
  metze
  (cherry picked from commit c2e4746fa9d68e7601e8e90cc0144d2e65a695b6)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Fix bug #7098 (smbclient -L gives wrong results with a large browse list).

* s3: Fix a crash in libsmbclient used against the OpenSolaris CIFS server  [Volker Lendecke, 2010-01-18, 1 file, -1/+1]
  A user has sent me a sniff where the OpenSolaris CIFS server returns "32" in totalentries, but the array in ctr only contains 15 entries. Look at the right delimiter for walking the array.
  Fix bug #7046 (libsmbclient crash against OpenSolaris CIFS server).

* Fix bug 7045 - Bad (non memory copying) interfaces in smbc_setXXXX calls.  [Jeremy Allison, 2010-01-18, 2 files, -10/+31]
  In smbc_free_context libsmbclient just called free() on the string options so it assumes the callers have malloced them before setting them via smbc_set calls. Change to correctly malloc/free string options to the library. Protect against SMB_STRDUP of null.
  Contains 2d41b1ab78639abe4ae030ff482573f464564dd7 and f85b6ee90b88c7f7b2a92c8a5f3e2ebe59c1087b from master.
  Jeremy

* s3-libsmbclient: Fix crash bug in SMBC_parse_path().  [Günther Deschner, 2010-01-15, 1 file, -1/+1]
  Patch from Tim Waugh <twaugh@redhat.com>.
  This resolves https://bugzilla.redhat.com/show_bug.cgi?id=552658
  LIBSMBCLIENT-OPENDIR torture test checks this as well.
  Guenther
  Fix bug #7043 (SIGSEGV in "SMBC_parse_path").

* s3: Fix a segfault in "net" version 3.3  [Volker Lendecke, 2009-12-08, 1 file, -1/+1]
  When neither LOGNAME nor -U is set, "net" and probably other client utils segfault. Reported by "vinnix" on irc.
  Volker
  Fix bug #6973 (segfault in client tools).

* s3-kerberos: add a missing reference to authdata headers.  [Günther Deschner, 2009-12-02, 1 file, -0/+1]
  Guenther
  (cherry picked from commit da79cbb0800dd647be864e8bbb5fe1132708174b)

* s3-kerberos: only use krb5 headers where required.  [Günther Deschner, 2009-12-02, 2 files, -3/+2]
  This seems to be the only way to deal with mixed heimdal/MIT setups during merged build.
  Guenther

* s3-kerberos: Fix Bug #6929: build with recent heimdal.  [Günther Deschner, 2009-12-02, 1 file, -1/+1]
  Heimdal changed the KRB5_DEPRECATED define (which now may not take an identifier for activation) in new releases (like 1.3.1).
  Guenther
  (cherry picked from commit 1a8f8382740e352a83133b8c49aaedd4716210cd)

* s3-kerberos: add smb_krb5_principal_get_realm().  [Günther Deschner, 2009-12-02, 1 file, -0/+25]
  Guenther

* clikrb5: Prefer krb5_free_keytab_entry_contents to krb5_kt_free_entry.  [Jelmer Vernooij, 2009-11-24, 1 file, -3/+8]
  Both functions exist in MIT Kerberos >= 1.7, but only krb5_free_keytab_entry_contents has a prototype.
  Part of a fix for bug #6918 (Build breaks with krb5-client-1.7-6.1.i586).

* s3: fixed krb5 build problem on ubuntu karmic  [Andrew Tridgell, 2009-11-23, 1 file, -0/+9]
  Karmic has MIT krb5 1.7-beta3, which has the symbol krb5_auth_con_set_req_cksumtype but no prototype for it.
  See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531635
  (cherry picked from commit a6e4cb500b4162cae1d906a1762507370b4ee89e)
  Part of a fix for bug #6918.

* Fix bug 6880 - cannot list workgroup servers reported by Alban Browaeys <prahal@yahoo.com> with fix.  [Jeremy Allison, 2009-11-10, 1 file, -5/+14]
  Revert 2e989bab0764c298a2530a2d4c8690258eba210c with extra comments - this broke workgroup enumeration.
  Jeremy.

* Fix bug 6829 - smbclient does not show special characters properly. All successful calls to cli_session_setup() *must* be followed by calls to cli_init_creds() to stash the credentials we successfully connected with.  [Jeremy Allison, 2009-10-23, 2 files, -0/+5]
  There were 2 codepaths where this was missing. This caused smbclient to be unable to open the \srvsvc pipe to do an RPC netserverenum, and caused it to fall back to a RAP netserverenum, which uses DOS codepage conversion rather than the full UCS2 of RPC, so the returned characters were not correct (unless the DOS codepage was set correctly).
  Phew. That was fun to track down :-).
  Includes logic simplification in libsmb_server.c
  Jeremy.

* s3:smbclient: Fix bug 6606 (reported as 6744) in 3.3  [Volker Lendecke, 2009-10-12, 1 file, -20/+168]
  This is a port of 1f34ffa0ca and 24309bdb2efc to 3.3.
  Fix file corruption using smbclient with NT4 server.

* s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_spnego_ntlmssp and cli_rpc_pipe_open_ntlmssp.  [Günther Deschner, 2009-10-08, 1 file, -0/+1]
  Guenther

* Second part of a fix for bug #6235.  [Jeremy Allison, 2009-10-02, 1 file, -1/+1]
  Domain enumeration breaks if master browser has space in name.

* Fix bug #6532.  [Derrell Lipman, 2009-10-02, 1 file, -1/+2]
  Domain enumeration breaks if master browser has space in name.

* s3/getdcname: Fix 'net' crash.  [Kumar Thangavelu, 2009-10-02, 1 file, -2/+2]
  'net' command crashed when attempting to join a domain. This occurred in a very specific case where the DC had multiple IPs and one of the IPs was invalid.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Fixes bug #6420.

* s3:libsmb: Correctly chew keepalive packets  [Volker Lendecke, 2009-09-09, 1 file, -0/+6]
  Thanks a *lot* to Günther for sending me the relevant traces!
  Volker
  Signed-off-by: Günther Deschner <gd@samba.org>
  Fixes bug #6646 (Winbind authentication issue on 3.2.13/14 and 3.4.0 (was: [Samba] Crazied NTLM_AUTH on samba 3.4.0)).

* s3: Unable to browse DFS when using kerberos in libsmbclient  [Bo Yang, 2009-08-11, 1 file, -4/+13]
  Signed-off-by: Bo Yang <boyang@samba.org>
  Fixes bug #6615.

* s3/libsmb: Fix typo in error message.  [Karolin Seeger, 2009-06-17, 1 file, -1/+1]
  Thanks to Herb Lewis <hlewis [at] panasas.com> for noticing!
  Karolin
  (cherry picked from commit 095f66b0ed74d4b5c7561ca05bbfdf33f60d0600)

* s3/libsmb: Fix debug message.  [Karolin Seeger, 2009-06-15, 1 file, -1/+1]
  This fixes bug #6472.
  Karolin
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Was commit f92269a6 in master.

* s3-credentials: protect netlogon_creds_server_step() against NULL creds.  [Guenther Deschner, 2009-05-19, 1 file, -0/+4]
  Found by SCHANNEL torture tests.
  Guenther

* When doing a cli_ulogoff don't invalidate the cnum, invalidate the vuid.  [Jeremy Allison, 2009-04-16, 1 file, -1/+1]
  Jeremy.

* error-codes: add some service related error codes.  [Günther Deschner, 2009-04-08, 1 file, -0/+3]
  Guenther

* [Bug 6228] SMBC_open_ctx failure due to path resolve failure doesn't set errno  [Derrell Lipman, 2009-03-27, 3 files, -1/+15]
  Fixed. It turns out there were a number of places where cli_resolve_path() was called and the error path upon that function failing did not set errno. There were a couple of places the failure handling code did set errno to ENOENT, so I made them all consistent, although I think better errno choices for this condition exist, e.g. EHOSTUNREACH.
  Derrell

* s3: parse_packet can return NULL which is then dereferenced in match_mailslot_name  [Tim Prouty, 2009-03-26, 1 file, -0/+4]

* Fix two memleaks in the encryption code  [Volker Lendecke, 2009-03-24, 1 file, -1/+2]
  ntlmssp_seal_packet creates its own signature data blob, which we then have to free.
  Jeremy, please check and merge appropriately (Yes, I'm asking you to do the janitor work, I want you to *look* at this :-))
  Volker

* s3:dsgetdcname: use parentheses in if condition to make negation clear  [Björn Jacke, 2009-03-24, 1 file, -1/+1]
  Signed-off-by: Günther Deschner <gd@samba.org>
  (cherry picked from commit 87b428e424e2e3cca975ecd0efed327e72950a1d)

* s3-krb5: Fix Coverity #722 (RESOURCE_LEAK).  [Günther Deschner, 2009-03-20, 1 file, -12/+18]
  Guenther
  (cherry picked from commit 1524abd8bf12d82e1fb0063585fc9a465fc7bf9c)

* s3:libsmb: fix smb signing for fragmented trans/trans2/nttrans requests  [Stefan Metzmacher, 2009-03-19, 1 file, -23/+7]
  Before we send the secondary requests we need to remove the old mid=>seqnum mapping and reset cli->mid and make the new mid=>seqnum mapping "persistent".
  The bug we had in cli_send_trans was this: The first cli_send_smb() incremented cli->mid and the secondary requests used the incremented mid, but as cli->outbuf still had the correct mid, we send the correct mid to the server. The real problem was that the cli_send_smb() function stored the seqnum under the wrong mid.
  cli_send_nttrans() was totally broken and now follows the same logic as cli_send_trans().
  The good thing is that in practice the problem is unlikely to happen, because max_xmit is large enough to avoid secondary requests.
  metze
  (cherry picked from commit 880fbc4e8cd67de73c4bcda94489eb1e1422a04b)
  (cherry picked from commit 70466990b4b7c68ae95dbbcf741cd3f41f2dd0b3)

* Allow DFS client paths to work when POSIX pathnames have been selected (we need to pass in pathname /that/look/like/this).  [Jeremy Allison, 2009-03-18, 1 file, -2/+12]
  Jeremy.

* Fix a malloc/talloc mismatch when cli_initialise() fails  [Volker Lendecke, 2009-03-15, 1 file, -1/+1]

* s3:signing: the seqnum should only be decremented by 1 for ntcancel requests  [Stefan Metzmacher, 2009-03-10, 1 file, -2/+4]
  [MS-SMB] 3.3.5.1 Receiving Any Message says that the seqnum is incremented by only for ntcancel requests; for any other request it's incremented by 2, even if it doesn't expect a response.
  metze

* Fix bug 6124: Attempt to fix the build on IRIX  [Volker Lendecke, 2009-02-25, 1 file, -1/+1]
  Under irix, "sa_family" is a #define to sa_union.sa_generic.sa_family2

* Make char* parameters const  [Derrell Lipman, 2009-02-24, 1 file, -16/+6]
  - Use const in function signatures whenever appropriate, to help prevent errant scribbling on users' buffers. smbc_set_credentials() always acted as if its formal parameters were const char *, and changing the formal declaration to specify that should not cause any change to the ABI. It is still allowable to pass a writable buffer to a function which specifies that it will not write to the buffer.
  Derrell

* More warning fixes for Solaris.  [Jeremy Allison, 2009-02-23, 1 file, -1/+1]
  Jeremy.

* Change smbc_set_credentials_with_fallback() (unreleased) to use const appropriately.  [Jeremy Allison, 2009-02-20, 1 file, -7/+14]
  Jeremy.

* variable grouping: just my OCD desire to keep similar things together  [Derrell Lipman, 2009-02-20, 1 file, -5/+7]

* Make libsmbclient work with DFS  [Bo Yang, 2009-02-20, 6 files, -6/+96]
  Signed-off-by: Derrell Lipman <derrell.lipman@unwireduniverse.com>

* Gah, typo :-(. Sorry.  [Jeremy Allison, 2009-02-18, 1 file, -1/+1]

* Fix coverity CID-602. Possible use of uninitialized var.  [Jeremy Allison, 2009-02-18, 1 file, -1/+1]
  Jeremy.

* Don't miss an absolute pathname as a kerberos keytab path. From Glenn Machin <gmachin@sandia.gov>.  [Jeremy Allison, 2009-02-17, 1 file, -0/+5]
  Jeremy.

* remove accidental white space  [Derrell Lipman, 2009-02-14, 1 file, -1/+0]

* Get rid of the warnings I had for testing  [Derrell Lipman, 2009-02-14, 1 file, -5/+0]

* It seems some systems use f_flags instead of f_flag. Use the appropriate one.  [Derrell Lipman, 2009-02-14, 1 file, -4/+20]