From 14e792c2a8e741f2b24c0548449f795af32298a9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 9 Dec 2006 02:58:18 +0000 Subject: r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. --- source/auth/auth_util.c | 117 +++++++++++++++++++++++++++++++----------------- 1 file changed, 77 insertions(+), 40 deletions(-) (limited to 'source/auth') diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c index 357ca5f6266..87794cd5bb4 100644 --- a/source/auth/auth_util.c +++ b/source/auth/auth_util.c @@ -605,8 +605,12 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, "for gid %d!\n", gids[i])); continue; } - add_sid_to_array_unique( result, &unix_group_sid, - &result->sids, &result->num_sids ); + if (!add_sid_to_array_unique( result, &unix_group_sid, + &result->sids, &result->num_sids )) { + result->sam_account = NULL; /* Don't free on error exit. */ + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } } /* For now we throw away the gids and convert via sid_to_gid @@ -657,10 +661,9 @@ static NTSTATUS add_aliases(const DOM_SID *domain_sid, for (i=0; iuser_sids, - &token->num_sids); - if (token->user_sids == NULL) { + &token->num_sids)) { DEBUG(0, ("add_sid_to_array failed\n")); TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; @@ -733,8 +736,10 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) /* Add Administrators if the user beloongs to Domain Admins */ if ( nt_token_check_sid( &domadm, token ) ) { - add_sid_to_array(token, &global_sid_Builtin_Administrators, - &token->user_sids, &token->num_sids); + if (!add_sid_to_array(token, &global_sid_Builtin_Administrators, + &token->user_sids, &token->num_sids)) { + return NT_STATUS_NO_MEMORY; + } } return NT_STATUS_OK; @@ -843,28 +848,40 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* Add the user and primary group sid */ - add_sid_to_array(result, user_sid, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, user_sid, + &result->user_sids, &result->num_sids)) { + return NULL; + } /* For guest, num_groupsids may be zero. */ if (num_groupsids) { - add_sid_to_array(result, &groupsids[0], - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &groupsids[0], + &result->user_sids, &result->num_sids)) { + return NULL; + } } /* Add in BUILTIN sids */ - add_sid_to_array(result, &global_sid_World, - &result->user_sids, &result->num_sids); - add_sid_to_array(result, &global_sid_Network, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &global_sid_World, + &result->user_sids, &result->num_sids)) { + return NULL; + } + if (!add_sid_to_array(result, &global_sid_Network, + &result->user_sids, &result->num_sids)) { + return NULL; + } if (is_guest) { - add_sid_to_array(result, &global_sid_Builtin_Guests, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &global_sid_Builtin_Guests, + &result->user_sids, &result->num_sids)) { + return NULL; + } } else { - add_sid_to_array(result, &global_sid_Authenticated_Users, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &global_sid_Authenticated_Users, + &result->user_sids, &result->num_sids)) { + return NULL; + } } /* Now the SIDs we got from authentication. These are the ones from @@ -874,8 +891,10 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, * first group sid as primary above. */ for (i=1; iuser_sids, &result->num_sids); + if (!add_sid_to_array_unique(result, &groupsids[i], + &result->user_sids, &result->num_sids)) { + return NULL; + } } /* Deal with the BUILTIN\Administrators group. If the SID can @@ -1018,8 +1037,11 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) "ignoring it\n", sid_string_static(sid))); continue; } - add_gid_to_array_unique(server_info, gid, &server_info->groups, - &server_info->n_groups); + if (!add_gid_to_array_unique(server_info, gid, &server_info->groups, + &server_info->n_groups)) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } } debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); @@ -1060,7 +1082,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, DOM_SID user_sid; enum lsa_SidType type; gid_t *gids; - DOM_SID primary_group_sid; DOM_SID *group_sids; DOM_SID unix_group_sid; size_t num_group_sids; @@ -1109,7 +1130,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } - result = pdb_enum_group_memberships(tmp_ctx, sam_acct, + result = pdb_enum_group_memberships(mem_ctx, sam_acct, &group_sids, &gids, &num_group_sids); if (!NT_STATUS_IS_OK(result)) { @@ -1157,7 +1178,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + /* group_sids can be realloced - must be done on mem_ctx not tmp_ctx. */ + group_sids = talloc_array(mem_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { DEBUG(1, ("talloc_array failed\n")); result = NT_STATUS_NO_MEMORY; @@ -1185,18 +1207,24 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uint32 dummy; - sid_copy(&primary_group_sid, &user_sid); - sid_split_rid(&primary_group_sid, &dummy); - sid_append_rid(&primary_group_sid, DOMAIN_GROUP_RID_USERS); + num_group_sids = 1; + group_sids = talloc_array(mem_ctx, DOM_SID, num_group_sids); + if (group_sids == NULL) { + DEBUG(1, ("talloc_array failed\n")); + result = NT_STATUS_NO_MEMORY; + goto done; + } + + sid_copy(&group_sids[0], &user_sid); + sid_split_rid(&group_sids[0], &dummy); + sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS); - if (!sid_to_gid(&primary_group_sid, gid)) { + if (!sid_to_gid(&group_sids[0], gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", - sid_string_static(&primary_group_sid))); + sid_string_static(&group_sids[0]))); goto done; } - num_group_sids = 1; - group_sids = &primary_group_sid; gids = gid; *found_username = talloc_strdup(mem_ctx, username); @@ -1223,8 +1251,11 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, "for gid %d!\n", gids[i])); continue; } - add_sid_to_array_unique( mem_ctx, &unix_group_sid, - &group_sids, &num_group_sids ); + if (!add_sid_to_array_unique( mem_ctx, &unix_group_sid, + &group_sids, &num_group_sids )) { + result = NT_STATUS_NO_MEMORY; + goto done; + } } *token = create_local_nt_token(mem_ctx, &user_sid, @@ -1869,8 +1900,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, TALLOC_FREE(result); return NT_STATUS_INVALID_PARAMETER; } - add_sid_to_array(result, &sid, &result->sids, - &result->num_sids); + if (!add_sid_to_array(result, &sid, &result->sids, + &result->num_sids)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } } /* Copy 'other' sids. We need to do sid filtering here to @@ -1880,9 +1914,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, */ for (i = 0; i < info3->num_other_sids; i++) { - add_sid_to_array(result, &info3->other_sids[i].sid, - &result->sids, - &result->num_sids); + if (!add_sid_to_array(result, &info3->other_sids[i].sid, + &result->sids, + &result->num_sids)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } } result->login_server = unistr2_tdup(result, -- cgit