| Commit message (Collapse) | Author | Age | Files | Lines |
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
|
Jeremy.
(cherry picked from commit aea38950ff4865f1d791cd19619fadcd59eaf480)
|
(cherry picked from commit d521529b3fcbcd7b183eb466bc06497998fd7e28)
|
Jeremy.
(cherry picked from commit c2515026807e08c7836ef1bd6220bd7eab3a1a5b)
|
(cherry picked from commit e4505156522560fb0c7ee3aadd75d4fc9d446609)
|
Jeremy.
(cherry picked from commit 77a4a3976af353f517b5193bae9cfbe0f3ad6f4c)
|
in a forked child.
Jeremy.
(cherry picked from commit e7433112f4f05aeaf9a3c03ec58962c4d9e16c7d)
|
metze
(cherry picked from commit a632a1bcd694cff03de3456dac582800e94c451e)
|
cancel_named_event() is stupid by design and also only cancels
one single event.
metze
(cherry picked from commit d605077effaf265ea4df66fcaf9007004db61acc)
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d6eb7f1af2f4097085a4a14e9e88327f039bdf29)
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ada3145ffe40dfbe89f968e844bfb139a58eab5d)
|
reinit_after_fork() already calls messaging_reinit()
metze
(cherry picked from commit 429276556a4930fa1bc782904447120950073190)
(cherry picked from commit 6bd2276d426bb92e2fc195ea69aeeb4aa7a574e7)
|
commit 79103000b13c95325534db749a0da638a3eb1807)
(cherry picked from commit 72a2b9615025c249c7cf1376ebeeb6a29537504f)
|
5314f06dcdf14ce5e038a03a3e4dfded227bd00c)
(cherry picked from commit fa20fa5d243ee640f5d564525358c1f5ba2df3a7)
|
keytab.
Guenther
(cherry picked from commit 43991cd0ef972ebefabb0318a630403b9e42b67b)
|
Guenther
(This used to be commit 543dfdc1cf6baf60bffc23c6aebc542fd58d2d2e)
(cherry picked from commit 61f51d78b34f1ed80cef9758cdcded6f6fa82c19)
|
Guenther
(This used to be commit 15b72d44cbde0b8a375d8ed3d045c40ae97ec05a)
(cherry picked from commit 4721049e840846c2ac4ba829c5eb669576b0fa0f)
|
Jeremy.
(cherry picked from commit d6d41e85d4c7c041683057fb39196898c6218212)
|
"rescan_trusted_domain".
From analysis by hargagan <shargagan@novell.com> :
"The winbindd_child_died() is also getting called from process_loop() in case of
SIGCHLD signal. In this case it doesn't make the timeout_handler to NULL for
the first request. It then initiates a new request using
schedule_async_request() which installs a new timeout handler for the same
request. In such a case, for a badly unresponsive system both the timeout
handlers can be called. For the first call the "private_data" will be cleared
and for another call the timeout handler will be detecting the double free. So,
for such a case as well, the winbindd_child_died() should make the
timeout_handler to NULL."
Jeremy.
(cherry picked from commit 6be98cbb23f4cdb65353a426ae5edbf0290774d8)
|
(cherry picked from commit 8d82a75ec9875137928c69370bbaf621bf4fc3fb)
|
patch from shargagan@novell.com
Jeremy.
(cherry picked from commit d5c490d79024ee41544512f7968999a6b3a313dc)
|
The scanner did not figure out that we always have a primary domain, so it
complained about us potentially passing a NULL pointer down to
set_domain_online_request() where it is dereferenced.
Make the code a bit clearer.
(cherry picked from commit e6e8d108f95ed974f98f3f57adcfbbde4e00fad9)
(cherry picked from commit 70dbc13aaef893b25e3164fdcf187a01ec27b392)
|
When SIGCHLD handling is delayed for some reason, sending a request to a child
can fail early because the child has died already. In this case
async_main_request_sent() directly called the continuation function without
properly removing the malfunctioning child process and the requests in the
queue. The next request would then crash in the DLIST_ADD_END() in
async_request() because the request pending for the child had been
talloc_free()'ed and yet still was referenced in the list.
This one is *old*...
Volker
(cherry picked from commit 8691709626b0d461de91b8fc9d10c730d1f183dd)
|
In reloading the smb.conf, if a "log file" is specified in smb.conf,
winbind children will overwrite the logfile name to be the same as the
parent.
Jeremy.
|
smbcontrol winbindd debug level would only set the debug level of the
parent winbindd process and not the child processes. This patch adds
the functionality of broadcasting the debug message to all winbindd
children. Now the debug level message is propagated to all the winbindd
processes that includes parent and children.
|
not keeping primary domain online status up to date.
Jeremy.
|
way - deleting the socket!
Jeremy.
|
83b04c60fac76ccd2d5aecb14f8896a07d488b1f..6e66512d5beb256a44c6703cdb8c7fa7e0fd8537.
We still need to address https://bugzilla.redhat.com/show_bug.cgi?id=429024, but this
will come later.
Jeremy.
|
call :
CatchChild();
*before* we fork the domain child. This call establishes a signal handler that
eats SIGCLD signals and doesn't call sys_select_signal() as the main daemon
SIGCLD handler should do. This causes the parent to ignore dead children and
time out, instead of calling winbind_child_died() on receipt of the signal. The
correct fix is to move the CatchChild call into the child code after the fork.
Jeremy.
|
in particular closing and reopening logs on SIGHUP.
Conflicts:
source/winbindd/winbindd.c
|
Thanks to Glenn Curtis and Kyle Stemen @ Likewise. Their explanation is:
In winbindd_dual.c, there is a list of children processes that
is maintained using macros DTLIST_ADD and DTLIST_REMOVE. In the
case when a scheduled_async_request fails, the particular child
was located in the list, and its attributes were cleared out
and it was reused for a subsequent async request. The bug was that
the new request would queue the same node into the doubly-linked
list and would result in list->next pointing to the same node as
list itself. This would set up an infinite loop in the processing of
the for loop when the list of children was referenced.
Solution was to fully remove the child node from the list, such that
it could be inserted without risk of being inserted twice.
Note that the child is re-added to the list in fork_domain_child() again.
|
We now open messages.tdb even before we do the become_daemon. become_daemon()
involves a fork and an immediate exit of the parent, thus the
parent_is_longlived argument must be set to false in this case. The parent is
not really long lived :-)
|
metze
|
Winbind can't be allowed to connect to the local smbd.
|
Guenther
|
Michael
|
Guenther
|
The child struct is immediately reused, and this results
in a panic when child->logfilename == NULL.
Michael
|
This patch makes sure we do not try to contact smbd in the main daemon
to avoid deadlocks.
All the operations that require connecting to smbd are performed in
the domain child anyway.
|
metze
|
Add struct_ prefix to struct based protocol specific
elements struct winbindd_child_dispatch_table.
metze
|
them with malloc'ing accessor functions. Should save a
lot of static space :-).
Jeremy.
|
inside winbindd. Remove unused pstring types.
Jeremy.
|
Each cli struct has its own local copy of this variable,
so use that in client code. In the smbd server, add one
static to smbd/proccess.c and use that inside smbd. Fix
a bunch of places where smb_rw_error could be set by
calling read_data() in places where we weren't reading
from the SMB client socket (ie. winbindd).
Jeremy.
|
metze
(cherry picked from commit abbb36a37c1dba2218a6c7ec31739eba5f250127)
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.