Commit message | Author | Age | Files | Lines
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
(cherry picked from commit 724e44eed299c618066dec411530aa9f156119ec)
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
(cherry picked from commit df1c76e2275068d1006e82a4a21d42b58175268b)
Fix bug #7494 (Buffer overrun possible in chain_reply code in 3.3.x and below.)
and address CVE-2010-2063.
(cherry picked from commit 86ab436a0da958914f99dc8b7e88b10db4692d98)
to respond to a read or write."
This reverts commit 153357b9bb4d70a168c81cb9ff2da437eae823fc.
This fixes bug #7222 (All users have full rights on all shares) (CVE-2010-0728).
(cherry picked from commit 007f9c90e952aeea2d8f73cff3ccd0f747a9c06e)
values in subsequent SMBtrans replies)
There are two problems:
1). The server is off-by-one in the end of buffer space test.
2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0)
fields in the second and subsequent SMBtrans replies.
This patch fixes both.
Jeremy.
(similar to commit b07a14dc37d2899f662e1cf87064f99c0bd10b25)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
A comparison function for qsort needs to return an 'int'!
Otherwise you'll get random results depending on the compiler
and the architecture...
metze
(cherry picked from commit 1686a5e7e7eb1b411b003cbbde5c0d28741c6d02)
containing a '.'
Fix use of uninitialized variable. This can lead to crashes if
mangling = hash processes names with no '.'.
Jeremy.
(cherry picked from commit df13b1303a751962d8f7d5298b39e4a7500fef15)
value(s) error when "mangling method = hash"
The charset array allocated in init_chartest() is allocated
by MALLOC, but only some elements of it are set after allocation. The fix is to
memset to zero after allocation.
Jeremy.
(cherry picked from commit a4e8210ba7d6d471cb9f17754244393b9c1e5930)
Re-arrange the operations order so SMB_VFS_CONNECT is done
first as root (to allow modules to correctly initialize themselves).
Reviewed modules to check if they needed CONNECT invoked as
a user (which we previously did) and it turns out any of them
that cared needed root permissions anyway.
Jeremy.
a smb.conf reload turns wide links back on after a connection is established.
Includes git refs:
cd18695fc2e4d09ab75e9eab2f0c43dcc15adf0b
94865e4dbd3d721c9855aada8c55e02be8b3881e
5d92d969dda450cc3564dd2265d2b042d832c542
02a5078f1fe6285e4a0b6ad95a3aea1c5bb3e8cf
a6f402ad87ff0ae14d57d97278d67d0ceaaa1d82
from master.
Jeremy.
Fix bug #7104 ("wide links" and "unix extensions" are incompatible.)
Change parameter "wide links" to default to "no".
Ensure "wide links = no" if "unix extensions = yes" on a share.
Fix man pages to reflect this.
Remove "within share" checks for a UNIX symlink set - even if
widelinks = no. The server will not follow that link anyway.
Correct DEBUG message in check_reduced_name() to add missing "\n"
so it's really clear when a path is being denied as it's outside
the enclosing share path.
Jeremy.
respond to a read or write.
Only works on Linux kernels 2.6.26 and above. Grants CAP_KILL capability
to allow Linux threads under different euids to send signals to each other.
Same as master commit 899bd0005f56dcc1e95c3988d41ab3f628bb15db.
Jeremy.
This fixes bug #6642 and bug #6919.
metze
smbd crashes when using mdns (not avahi) support
dns_register_smbd_reply. Restore the code from 3.2 that actually initializes the struct dns_reg_state handle. Jeremy.
This bug re-occurred for 3.3.x and above.
The reason is that to change a NT ACL we now have to open the file requesting
WRITE_DAC and WRITE_OWNER access. The mapping from POSIX "w" to NT permissions
in posix_acls doesn't add these bits when "dos filemode = yes", so even though
the permission or owner change would be allowed by the POSIX ACL code, the
NTCreateX call fails with ACCESS_DENIED now we always check NT permissions
first.
Added in the mapping from "w" to WRITE_DAC and WRITE_OWNER access.
Jeremy.
Don't change the contents of a const string via a pointer
alias (or if you do, change it back.....).
Jeremy.
We were returning the wrong sense of the bool. must_mangle()
has to return !NT_STATUS_IS_OK, not NT_STATUS_IS_OK.
Jeremy.
Data -> File Attributes are returned as 0x220 for LANMAN2.1 dialect
Ensure dos_mode can return FILE_ATTRIBUTE_NORMAL, then filter the returned attributes by protocol level.
This makes us consistent in returning DOS attrs across all replies. Tested on OS/2 by Günter Kukkukk.
Jeremy.
Windows 7 is a bit more picky on our NT_STATUS_BUFFER_TOO_SMALL. Announce the
right buffer size, the same amount we later check for.
Fix bug #6850 (Shadow Copy Support for VISTA / Windows 7).
held outside of samba. Fixes case where a connection with a pending lock can be marked "idle", and ensures that the lock queue timeout is always recalculated. Jeremy.
Attributes are returned as 0x220 for LANMAN2.1 dialect Jeremy.
directory with a lot of files. Jeremy.
Jeremy.
Fix bug #6805.
recent versions of Samba. Without this fix, renaming a directory ./a to ./b, whilst a directory ./aa was already open would fail. Jeremy.
Summary:
Specially crafted SMB requests on
authenticated SMB connections can send smbd
into a 100% CPU loop, causing a DoS on the
Samba server.
(cherry picked from commit 5f1f1c47623f846909481073d56bc909d13e5e37)
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
(cherry picked from commit 8afa10ad7d7e81bcae27b6a913210ef8a1ee4426)
The kernel may return a short read, so we must use read_data() to make sure we
read off the full buffer. If something bad happens we also need to kill the
inotify watch because the filedescriptor will return out of sync structures if
we read only part of the data.
Fixes bug #6693.
E.g. last mod time is not preserved when "unix extensions=yes" are set - and u
Cancel out any pending "sticky" writes or "last write" changes when
doing a UNIX info level set.
Jeremy.
This addresses bug #6498.
(cherry picked from commit a702dea5a86f22e0b7857b67447152a06b3bbea2)
uninitialized variable.
commit 1a0005e1c508cf3b170d1c7e43b94a47b2820506)
We weren't reaping children in the [x]inetd case.
Jeremy.
to smbd/trans2.c opens up SETFILEINFO calls to POSIX_OPEN only. The change to first smbd/open.c closes 2 holes that would have been exposed by allowing POSIX_OPENS on readonly shares, and their ability to set arbitrary flags permutations. The O_CREAT -> O_CREAT|O_EXCL change removes an illegal combination (O_EXCL without O_CREAT) that previously was being passed down to the open syscall. Jeremy.
others. The reason we couldn't delete was we were erroring out early if requestor was not the owner of the file we wanted to delete, instead of checking if the requestor owned the directory as well. If either of these is true, we must go on and check the ACL. Karolin, this is a must for 3.4.0 and also 3.3.next. I'll update the bug report with patches for 3.4.0 and 3.3.next and ask vl to review. Jeremy.
The server side of dnssd has been replaced with native avahi support. The code
is only left in in case some OS/X fan wants to revive it, and the client-side
has not been converted yet.
Fix the build of the server side by removing the #ifdef
This reverts commit 5a5dcd125fe236ddd93a6e56ae361fc84e306185.
owner (bug#2346)
The problem of bug #2346 remains for users exported by
winbindd, because create_token_from_username() just fakes
the token when the user is not in the local sam domain. This causes
user_in_group_sid() to give totally wrong results.
In uid_entry_in_group() we need to check if we already
have the full unix token in the current_user struct.
If so we should use the current_user unix token,
instead of doing a very complex user_in_group_sid()
which doesn't give reliable results anyway.
metze
(cherry picked from commit b79eff843be392f3065e912edca1434081d93c44)
This was commit 3d6f4a7af in master.
underlying problem is that once SMBulogoff is called, all server_info contexts associated with the vuid should become invalid, even if that's the context being currently used by the connection struct (tid). When the SMBtdis comes in it doesn't need a valid vuid value, but the code called inside vfs_full_audit always assumes that there is one (and hence a valid conn->server_info pointer) available.
This is actually a bug inside the vfs_full_audit and other code inside Samba,
which should only indirect conn->server_info on calls which require AS_USER to
be set in our process table. I could fix all these issues, but there's no
guarantee that someone might not add more code that fails this assumption, as
it's a hard assumption to break (it's usually true).
So what I've done is to ensure that on SMBulogoff the previously used
conn->server_info struct is kept around to be used for print debugging purposes
(it won't be used to change to an invalid user context, as such calls need
AS_USER set). This isn't strictly correct, as there's no association with the
(now invalid) context being freed and the call that causes conn->server_info to
be indirected, but it's good enough for most cases.
The hard part was to ensure that once a valid context is used again (via new
sessionsetupX calls, or new calls on a still valid vuid on this tid) that we
don't leak memory by simply replacing the stored conn->server_info pointer. We
would never actually leak the memory (as all conn->server_info pointers are
talloc children of conn), but with the previous patch a malicious client could
cause many server_info structs to be talloced by the right combination of SMB
calls. This new patch introduces free_conn_server_info_if_unused(), which
protects against the above.
Jeremy.
This was commit e46a88ce35e1aba9d9a344773bc97a9f3f2bd616 in master.
I don't think we should unconditionally send every refused connection attempt
to a share to syslog, that's where all debug level 0 messages end up.
This prevents users from getting access to "/" in misconfigured setups.
Michael
Always add back the real original owner of the directory in the ACE List after
we steal its ACE for the Administrators group.
When adding arbitrary aces to an nt_ace_list we need to make sure we
are not actually adding a duplicate.
add_or_replace_ace() takes care of doing the right thing.