[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.17] 86 commits: VERSION: Bump version up to Samba 4.17.1...

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Wed Oct 19 20:25:02 BST 2022



Michael Tokarev pushed to branch upstream_4.17 at Debian Samba Team / samba


Commits:
31bfee4b by Jule Anger at 2022-09-13T17:56:54+02:00
VERSION: Bump version up to Samba 4.17.1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
cb7fbb42 by Joseph Sutton at 2022-09-19T04:02:12+00:00
s3:rpc_server: Fix typo in error message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6932ccf3ccffbd9ab1907c4fb39b46c971e88d49)

- - - - -
1b0f292e by Joseph Sutton at 2022-09-19T04:02:12+00:00
lib:crypto: Zero auth_tag array in encryption test

If samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt() does not fill the
array completely, we may be comparing uninitialised bytes.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f9850c776f81d596ffbd2761c85fe7a72d369bae)

- - - - -
7656b3e7 by Joseph Sutton at 2022-09-19T04:02:12+00:00
s4:torture: Zero samr_UserInfo union in password set test

If init_samr_CryptPasswordAES() does not fill the
u.info31.password.auth_data array completely, we may be comparing
uninitialised bytes.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 03f0e4d55be80a1a6dcc0dba8e6ed74d9da63dc3)

- - - - -
af7c57e0 by Joseph Sutton at 2022-09-19T04:02:12+00:00
lib:crypto: Check for overflow before filling pauth_tag array

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cec59b82f7041a305c228091a84257c28e0818d5)

- - - - -
1263a8a5 by Joseph Sutton at 2022-09-19T04:02:12+00:00
lib:crypto: Use constant time memory comparison to check HMAC

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 121e439e24a9c03ae900ffca1ae1dda8e059008c)

- - - - -
d4ae8610 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 lib:crypto: Add des_crypt_blob_16() for encrypting data with DES

This lets us access single-DES from Python. This function is used in a
following commit for encrypting an NT hash to obtain the verifier for a
SAMR password change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b27a67af0216811d330d8a4c52390cf4fc04b5fd)

- - - - -
518818b3 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 lib:crypto: Add md4_hash_blob() for hashing data with MD4

This lets us access MD4, which might not be available in hashlib, from
Python. This function is used in a following commit for hashing a
password to obtain the verifier for a SAMR password change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 17b8d164f69a5ed79d9b7b7fc2f3f84f8ea534c8)

- - - - -
0b3604e6 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 lib:crypto: Add Python functions for AES SAMR password change

These functions allow us to perform key derivation and AES256 encryption
in Python. They will be used in a following commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4bb9d85fed8498566bdb87baa71a3147806baafc)

- - - - -
b8254397 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 tests/krb5: Add tests for password lockout race

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 91e2e5616ccd507fcaf097533c5fc25974119c1e)

[jsutton at samba.org Fixed conflicts in usage.py, knownfails, and tests.py
 due to not having claims tests]

- - - - -
276d8136 by Andrew Bartlett at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user

This helps the bad password and audit log handling code as it
allows assumptions to be made about the attributes found in
the variable "msg", such as that DSDB_SEARCH_SHOW_EXTENDED_DN
was used.

This ensures we can re-search on the DN via the embedded GUID,
which is in turn rename-proof.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 439f96a2cfe77f6cbf331d965a387512c2db91c6)

- - - - -
2dc965ad by Gary Lockyer at 2022-09-19T04:02:12+00:00
CVE-2021-20251 auth4: split samdb_result_msds_LockoutObservationWindow() out

samdb_result_msds_LockoutObservationWindow() is split out of
samdb_result_effective_badPwdCount()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2087b0cd986b8959b2a402b9a1891472e47ca0b0)

- - - - -
d57c4ea9 by Gary Lockyer at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4 auth: Prepare to make bad password count increment atomic

To ensure that the bad password count is incremented atomically,
and that the successful logon accounting data is updated atomically,
without always opening a transaction, we will need to make a note
of all bad and successful passwords in a side-DB outside the
transaction lock.

This provides the functions needed for that and hooks them in
(future commits will handle errors and use the results).

Based on patches by Gary Lockyer <gary at catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 408717242aad8adf4551f2394eee2d80a06c7e63)

- - - - -
674dbeac by Andrew Bartlett at 2022-09-19T04:02:12+00:00
CVE-2021-20251 auth4: Reread the user record if a bad password is noticed.

As is, this is pointless, as we need a transaction to make this
any less of a race, but this provides the steps towards that goal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 7b8e32efc336fb728e0c7e3dd6fbe2ed54122124)

- - - - -
2e4c6196 by Gary Lockyer at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4 auth test: Unit tests for source4/auth/sam.c

cmocka unit tests for the authsam_reread_user_logon_data in
source4/auth/sam.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d6cf245b96fb02edb3bcc52733d040d5f03fb918)

- - - - -
180784c4 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 auth4: Detect ACCOUNT_LOCKED_OUT error for password change

This is more specific than NT_STATUS_UNSUCCESSFUL, and for the SAMR
password change, matches the result the call to samdb_result_passwords()
would give.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 336e303cf1962b56b64c0d9d2b05ac15d00e8692)

- - - - -
d07f34ec by Andrew Bartlett at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4 auth: make bad password count increment atomic

Ensure that the bad password count is incremented atomically,
and that the successful logon accounting data is updated atomically.

Use bad password indicator (in a distinct TDB) to determine if to open a transaction

We open a transaction when we have seen the hint that this user
has recorded a bad password.  This allows us to avoid always
needing one, while not missing a possible lockout.

We also go back and get a transaction if we did not take one
out but we chose to do a write (eg for lastLogonTimestamp)

Based on patches by Gary Lockyer <gary at catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit de4cc0a3dae89f3e51a099282615cf80c8539e11)

- - - - -
e0fdfce1 by Andrew Bartlett at 2022-09-19T04:02:12+00:00
CVE-2021-20251 auth4: Add missing newline to debug message on PSO read failure

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4a9e0fdccfa218fbb2c3eb87e1a955ade0364b98)

- - - - -
fa22c9bf by Gary Lockyer at 2022-09-19T04:02:12+00:00
CVE-2021-20251 auth4: Return only the result message and free the surrounding result

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b954acfde258a1909ed60c1c3e1015701582719f)

- - - - -
ffe43511 by Andrew Bartlett at 2022-09-19T04:02:12+00:00
CVE-2021-20251 auth4: Split authsam_calculate_lastlogon_sync_interval() out

authsam_calculate_lastlogon_sync_interval() is split out of authsam_update_lastlogon_timestamp()

Based on work by Gary Lockyer <gary at catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 55147335aec8194b6439169b040556a96db22e95)

- - - - -
11673522 by Andrew Bartlett at 2022-09-19T04:02:12+00:00
CVE-2021-20251 auth4: Inline samdb_result_effective_badPwdCount() in authsam_logon_success_accounting()

By bringing this function inline it can then be split out in a
subsequent commit.

Based on work by Gary Lockyer <gary at catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 712181032a47318576ef35f6a6cf0f958aa538fb)

- - - - -
446cfe34 by Andrew Bartlett at 2022-09-19T04:02:12+00:00
CVE-2021-20251 auth4: Avoid reading the database twice by precalculating some variables

These variables are not important to protect against a race with
and a double-read can easily be avoided by moving them up the file
a little.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b5f78b7b895a6b92cfdc9221b18d67ab18bc2a24)

- - - - -
3a96ccbb by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4-auth: Pass through error code from badPwdCount update

The error code may be NT_STATUS_ACCOUNT_LOCKED_OUT, which we use in
preference to NT_STATUS_WRONG_PASSWORD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d8a862cb811489abb67d4cf3a7fbd83d05c7e5cb)

- - - - -
254e9489 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4:dsdb: Update bad password count inside transaction

Previously, there was a gap between calling dsdb_update_bad_pwd_count()
and dsdb_module_modify() where no transaction was in effect. Another
process could slip in and modify badPwdCount, only for our update to
immediately overwrite it. Doing the update inside the transaction will
help for the following commit when we make it atomic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a65147a9e98ead70869cdfa20ffcc9c167dbf535)

- - - - -
4d0cba69 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4:dsdb: Make badPwdCount update atomic

We reread the account details inside the transaction in case the account
has been locked out in the meantime. If it has, we return the
appropriate error code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 96479747bdb5bc5f33d903085f5f69793f369e3a)

- - - - -
5f1bafdd by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4:kdc: Move logon success accounting code into existing branch

This simplifies the code for the following commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2b593c34c4f5cb82440b940766e53626c1cbec5b)

- - - - -
4adcada4 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()

If we find that the user has been locked out sometime during the request
(due to a race), we will now return an error code.

Note that we cannot avoid the MIT KDC aspect of the issue by checking
the return status of mit_samba_zero_bad_password_count(), because
kdb_vftabl::audit_as_req() returning void means we cannot pass on the
result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b1e740896ebae14ba64250da2f718e1d707e9eed)

- - - - -
5befe31c by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4:kdc: Check badPwdCount update return status

If the account has been locked out in the meantime (indicated by
NT_STATUS_ACCOUNT_LOCKED_OUT), we should return the appropriate error
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bdfc9d96f8fe5070ab8a189bbf42ccb7e77afb73)

[jsutton at samba.org Fixed knownfail conflicts due to not having claims
 tests]

- - - - -
b3f48fae by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4-rpc_server: Check badPwdCount update return status

If the account has been locked out in the meantime (indicated by
NT_STATUS_ACCOUNT_LOCKED_OUT), we should return the appropriate error
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a268a1a0e304d0702469e4ac146d8af5e7384c39)

- - - - -
13efa626 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4:auth_winbind: Check return status of authsam_logon_success_accounting()

This may return an error if we find the account is locked out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 268ea7bef5af4b9c8a02f4f5856113ff0664d9e8)

- - - - -
5c8bbe3e by Jeremy Allison at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s3: ensure bad password count atomic updates

The bad password count is supposed to limit the number of failed login
attempts a user can make before being temporarily locked out, but race
conditions between processes have allowed determined attackers to make
many more than the specified number of attempts.  This is especially
bad on constrained or overcommitted hardware.

To fix this, once a bad password is detected, we reload the sam account
information under a user-specific mutex, ensuring we have an up to
date bad password count.

Discovered by Nathaniel W. Turner.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8587734bf989aeaafa9d09d78d0f381caf52d285)

- - - - -
3e54aabd by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s3: Ensure bad password count atomic updates for SAMR password change

The bad password count is supposed to limit the number of failed login
attempts a user can make before being temporarily locked out, but race
conditions between processes have allowed determined attackers to make
many more than the specified number of attempts.  This is especially
bad on constrained or overcommitted hardware.

To fix this, once a bad password is detected, we reload the sam account
information under a user-specific mutex, ensuring we have an up to
date bad password count.

Derived from a similar patch to source3/auth/check_samsec.c by
Jeremy Allison <jra at samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 65c473d4a53fc8a22a0d531aff45203ea3a4d99b)

- - - - -
c3d6964f by Joseph Sutton at 2022-09-19T04:02:12+00:00
lib:util: Check memset_s() error code in talloc_keep_secret_destructor()

Panic if memset_s() fails.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 03a50d8f7d872b6ef701d1207061c88b73d171bb)

- - - - -
beb63ae0 by Joseph Sutton at 2022-09-19T04:02:12+00:00
libcli:auth: Keep passwords from convert_string_talloc() secret

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6edf88f5c40421b9881666a2e78038ea9c547c24)

- - - - -
3d7a2a36 by Pavel Filipenský at 2022-09-19T04:02:12+00:00
lib:replace: Add macro BURN_STR() to zero memory of a string

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 8564380346ace981b957bb8464f2ecf007032062)

- - - - -
0044f598 by Joseph Sutton at 2022-09-19T04:02:12+00:00
s3:rpc_server: Use BURN_STR() to zero password

This ensures these calls are not optimised away.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1258746ba85b8702628f95a19aba9afea96eab8b)

- - - - -
b8c123d0 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user

This helps the bad password and audit log handling code as it
allows assumptions to be made about the attributes found in
the variable "msg", such as that DSDB_SEARCH_SHOW_EXTENDED_DN
was used.

This ensures we can re-search on the DN via the embedded GUID,
which is in turn rename-proof.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fabbea25310a31c0409b1c11eaced39bd8cde8dd)

- - - - -
7b28bd10 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4-rpc_server: Use user privileges for SAMR password change

We don't (and shouldn't) need system privileges to perform the password
change, so drop to the privileges of the user by setting
DSDB_SESSION_INFO. We need to reuse the same sam_ctx: creating a new one
with only user privileges would not work, because any database
modifications would be blocked by the transaction taken out on the
original context.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f74f92aea164af40d9177b332778a76d7ecabcbd)

- - - - -
7fe10442 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s4-rpc_server: Extend scope of transaction for ChangePasswordUser3

Now the initial account search is performed under the transaction,
ensuring the overall password change is atomic. We set DSDB_SESSION_INFO
to drop our privileges to those of the user before we perform the actual
password change, and restore them afterwards if we need to update the
bad password count.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fcabcb326d385c1e1daaa8dae9820e33a3868f56)

- - - - -
619ffc2a by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 dsdb/common: Remove transaction logic from samdb_set_password()

All of its callers, where necessary, take out a transaction covering the
entire password set or change operation, so a transaction is no longer
needed here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7981cba87e3a7256b12bfc5fdd89b136c12979ff)

- - - - -
9aabf782 by Joseph Sutton at 2022-09-19T04:02:12+00:00
CVE-2021-20251 s3:rpc_server: Split change_oem_password() call out of samr_set_password_aes()

Now samr_set_password_aes() just returns the new password in a similar
manner to check_oem_password(). This simplifies the logic for the
following change to recheck whether the account is locked out, and to
update the bad password count.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1d869a2a666cfada1495d891021de6c2b8567a96)

- - - - -
bb86d2f3 by Joseph Sutton at 2022-09-19T05:03:03+00:00
CVE-2021-20251 s3: Ensure bad password count atomic updates for SAMR AES password change

The bad password count is supposed to limit the number of failed login
attempts a user can make before being temporarily locked out, but race
conditions between processes have allowed determined attackers to make
many more than the specified number of attempts.  This is especially
bad on constrained or overcommitted hardware.

To fix this, once a bad password is detected, we reload the sam account
information under a user-specific mutex, ensuring we have an up to
date bad password count.

We also update the bad password count if the password is wrong, which we
did not previously do.

Derived from a similar patch to source3/auth/check_samsec.c by
Jeremy Allison <jra at samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 13 00:08:07 UTC 2022 on sn-devel-184

(cherry picked from commit 8ae0c38d54f065915e927bbfe1b656400a79eb13)

Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Mon Sep 19 05:03:03 UTC 2022 on sn-devel-184

- - - - -
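The lost-update race that the three s3 commits above (5c8bbe3e, 3e54aabd, bb86d2f3) describe, and the re-read-under-a-per-user-mutex fix they apply, modelled in Python as an added example. This is not Samba code: the account store, the account name and the lockout threshold are constructed stand-ins, and a Barrier is used so the race is reproduced deterministically rather than by luck of timing.

```python
"""Constructed model of a badPwdCount lost-update race and of the fix pattern
described in the commits above: re-read the account under a per-user mutex
before deciding whether to count the failure or to report a lockout."""
import threading
from collections import Counter
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # constructed policy: lock the account after 3 bad passwords


@dataclass
class Account:
    name: str
    bad_pwd_count: int = 0


class SamDb:
    """Toy account store. read() hands back a private copy, so a caller that
    read a stale count and writes it back overwrites everyone else's update."""

    def __init__(self, accounts):
        self._rows = {a.name: Account(a.name, a.bad_pwd_count) for a in accounts}
        self._user_locks = {}
        self._guard = threading.Lock()

    def read(self, name):
        row = self._rows[name]
        return Account(row.name, row.bad_pwd_count)

    def write(self, acct):
        self._rows[acct.name] = Account(acct.name, acct.bad_pwd_count)

    def user_lock(self, name):
        # One mutex per account, standing in for the user-specific mutex in the fix.
        with self._guard:
            return self._user_locks.setdefault(name, threading.Lock())


def racy_bad_password(db, name, pause=None):
    """Pre-fix shape: read, decide, write, with nothing serialising the three
    steps. 'pause' is a Barrier that makes every worker hold a stale copy at
    the same moment, so the lost update happens every time."""
    acct = db.read(name)
    if acct.bad_pwd_count >= LOCKOUT_THRESHOLD:
        return "ACCOUNT_LOCKED_OUT"
    if pause is not None:
        pause.wait()
    acct.bad_pwd_count += 1
    db.write(acct)  # clobbers any increment made since our read
    return "WRONG_PASSWORD"


def atomic_bad_password(db, name, pause=None):
    """Fixed shape: take the per-user mutex, then re-read, so the lockout check
    and the increment both see the current count. A worker that arrives after
    the threshold is reached gets ACCOUNT_LOCKED_OUT, not another free try."""
    if pause is not None:
        pause.wait()  # same stampede as above, now serialised by the lock below
    with db.user_lock(name):
        acct = db.read(name)
        if acct.bad_pwd_count >= LOCKOUT_THRESHOLD:
            return "ACCOUNT_LOCKED_OUT"
        acct.bad_pwd_count += 1
        db.write(acct)
    return "WRONG_PASSWORD"


def stampede(db, name, n_workers, handler):
    """Run n_workers concurrent failed logons for one user; return the tally of
    results and the badPwdCount the store ends up with."""
    barrier = threading.Barrier(n_workers)
    results = []
    results_lock = threading.Lock()

    def worker():
        status = handler(db, name, barrier)
        with results_lock:
            results.append(status)

    threads = [threading.Thread(target=worker) for _ in range(n_workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(results), db.read(name).bad_pwd_count


def demo(n_workers=6):
    """Same stampede against the racy and the atomic variant; returns both outcomes."""
    racy_db = SamDb([Account("alice")])
    fixed_db = SamDb([Account("alice")])
    return {
        "racy": stampede(racy_db, "alice", n_workers, racy_bad_password),
        "atomic": stampede(fixed_db, "alice", n_workers, atomic_bad_password),
    }


if __name__ == "__main__":
    for label, (tally, count) in demo().items():
        print(f"{label}: {dict(tally)} final badPwdCount={count}")
```

With six concurrent failures the racy variant accepts all six as ordinary wrong passwords and leaves badPwdCount at 1; the atomic variant counts exactly three and reports the rest as locked out.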
1b4f782c by Volker Lendecke at 2022-10-07T08:48:17+00:00
vfs_gpfs: Prevent mangling of GPFS timestamps after 2106

gpfs_set_times as of August 2020 stores 32-bit unsigned tv_sec. We
should not silently garble time stamps but reject the attempt to set
an out-of-range timestamp.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15151
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
(cherry picked from commit b954d181cd25d9029d3c222e8d97fe7a3b0b2400)

- - - - -
9364c930 by Volker Lendecke at 2022-10-07T08:48:17+00:00
lib: Map ERANGE to NT_STATUS_INTEGER_OVERFLOW

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15151
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Aug 19 12:43:06 UTC 2022 on sn-devel-184

(cherry picked from commit 06f35edaf129ce3195960905d38af73ec12fc716)
(cherry picked from commit e56c18d356bd3419abebd36e1fae39019cabbfaf)

- - - - -
ecf8a66e by Volker Lendecke at 2022-10-07T08:48:17+00:00
vfs_gpfs: Protect against timestamps before the Unix epoch

In addition to b954d181cd2 we should also protect against timestamps
before the epoch.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15151
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Sep 23 06:50:17 UTC 2022 on sn-devel-184

(cherry picked from commit f6b391e04a4d5974b908f4f375bd2876083aa7b2)

- - - - -
7bef45d9 by Jeremy Allison at 2022-10-07T08:48:17+00:00
s3: smbd: Fix memory leak in smbd_server_connection_terminate_done().

The function smbd_server_connection_terminate_done() does not free subreq,
which is allocated in smbXsrv_connection_shutdown_send; this can be a
memory leak if multi-channel is enabled.

Suggested fix by haihua yang <hhyangdev at gmail.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15174

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Fri Sep 23 09:51:20 UTC 2022 on sn-devel-184

(cherry picked from commit b600b0c8d9690cb5eeded1e5925c8e667c11af04)

- - - - -
df5d4e48 by Andreas Schneider at 2022-10-07T08:48:17+00:00
s3:auth: Flush the GETPWSID in memory cache for NTLM auth

Example valgrind output:

==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075
==22502==    at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==22502==    by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16)
==22502==    by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0)
==22502==    by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502==    by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2)
==22502==    by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so)
==22502==    by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so)
==22502==    by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so)
==22502==    by 0x14E464: ??? (in /usr/sbin/winbindd)
==22502==    by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd)
==22502==    by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd)
==22502==    by 0x167DE0: ??? (in /usr/sbin/winbindd)
==22502==    by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x16A243: ??? (in /usr/sbin/winbindd)
==22502==    by 0x16AA04: ??? (in /usr/sbin/winbindd)
==22502==    by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
==22502==    by 0x12F4C7: main (in /usr/sbin/winbindd)

You can find one for each string in pdb_copy_sam_account(); in total
this already amounts to 67 MB for this valgrind run.

pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184

(cherry picked from commit 9ef2f7345f0d387567fca598cc7008af95598903)

- - - - -
02ededec by Douglas Bagnall at 2022-10-07T08:48:17+00:00
pytest: add file removal helpers for TestCaseInTempDir

In several places we end a test by deleting a number of files and
directories, but we do it rather haphazardly with unintentionally
differing error handling. For example, in some tests we currently have
something like:

        try:
            shutil.rmtree(os.path.join(self.tempdir, "a"))
            os.remove(os.path.join(self.tempdir, "b"))
            shutil.rmtree(os.path.join(self.tempdir, "c"))
        except Exception:
            pass

where if, for example, the removal of "b" fails, the removal of "c" will
not be attempted. That will result in the tearDown method raising an
exception, and we're no better off. If the above code is replaced with

        self.rm_files('b')
        self.rm_dirs('a', 'c')

the failure to remove 'b' will cause a test error, *unless* the failure
was due to a FileNotFoundError (a.k.a. an OSError with errno ENOENT),
in which case we ignore it, as was probably the original intention.

If on the other hand, we have

        self.rm_files('b', must_exist=True)
        self.rm_dirs('a', 'c')

then the FileNotFoundError causes a failure (not an error).

We take a little bit of care to stay within self.tempdir, to protect
test authors who accidentally write something like `self.rm_dirs('/')`.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit 2359741b2854a8de9d151fe189be80a4bd087ff9)

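An added example (not Samba's own TestCaseInTempDir) of helpers with the semantics this commit message describes: a missing entry is ignored unless must_exist=True, any other OSError still propagates as a test error, and names resolving outside self.tempdir are refused. The tearDown behaviour and the demo layout are assumptions of this example.

```python
import errno
import os
import shutil
import tempfile
import unittest


class TestCaseInTempDir(unittest.TestCase):
    """Test base class owning a private temporary directory.

    rm_files()/rm_dirs() remove entries named relative to self.tempdir.
    A missing entry is ignored, unless must_exist=True, in which case it is
    a test *failure* (self.fail). Any other OSError is a test *error* and
    propagates unchanged. Names resolving outside self.tempdir are refused.
    """

    def setUp(self):
        self.tempdir = tempfile.mkdtemp()

    def tearDown(self):
        # Assumption of this example: the test must have cleaned up after
        # itself, so a non-empty tempdir makes os.rmdir() raise here.
        os.rmdir(self.tempdir)

    def _confined_path(self, name):
        root = os.path.realpath(self.tempdir)
        path = os.path.realpath(os.path.join(root, name))
        # realpath() also resolves symlinks, so a link pointing outside the
        # tempdir is refused too (conservative, but safe).
        if path == root or not path.startswith(root + os.sep):
            raise ValueError(f"refusing to remove {name!r}: not inside {root!r}")
        return path

    def _remove_each(self, names, remover, must_exist):
        for name in names:
            path = self._confined_path(name)
            try:
                remover(path)
            except OSError as e:
                if e.errno != errno.ENOENT:
                    raise  # wrong type, permissions, ...: a genuine error
                if must_exist:
                    self.fail(f"{name!r} should have existed in {self.tempdir}")
                # ENOENT with must_exist=False: the case the old
                # "except Exception: pass" was (probably) meant to cover.

    def rm_files(self, *names, must_exist=False):
        self._remove_each(names, os.remove, must_exist)

    def rm_dirs(self, *names, must_exist=False):
        self._remove_each(names, shutil.rmtree, must_exist)


def demo():
    """Exercise the helpers on a constructed layout; returns the outcomes."""
    tc = TestCaseInTempDir()
    tc.setUp()
    os.mkdir(os.path.join(tc.tempdir, "a"))
    os.mkdir(os.path.join(tc.tempdir, "d"))
    with open(os.path.join(tc.tempdir, "b"), "w") as f:
        f.write("constructed sample file\n")
    out = {}

    tc.rm_files("b")            # exists: removed
    tc.rm_dirs("a", "c")        # "c" never existed: ignored; "a" still removed
    out["b_gone"] = not os.path.exists(os.path.join(tc.tempdir, "b"))
    out["a_gone"] = not os.path.exists(os.path.join(tc.tempdir, "a"))

    try:
        tc.rm_files("b", must_exist=True)   # already gone: a failure
        out["must_exist"] = "no exception"
    except AssertionError:
        out["must_exist"] = "failure"

    try:
        tc.rm_files("d")                    # a directory, not a file: an error
        out["wrong_type"] = "no exception"
    except AssertionError:
        out["wrong_type"] = "failure"
    except OSError:
        out["wrong_type"] = "error"

    try:
        tc.rm_dirs("/")                     # would escape the tempdir: refused
        out["escape"] = "no exception"
    except ValueError:
        out["escape"] = "refused"

    tc.rm_dirs("d")
    tc.tearDown()                           # tempdir is empty now, so this passes
    out["tempdir_removed"] = not os.path.exists(tc.tempdir)
    return out


if __name__ == "__main__":
    print(demo())
```
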
- - - - -
4486028b by Douglas Bagnall at 2022-10-07T08:48:17+00:00
pytest/downgradedatabase: use TestCaseInTempDir.rm_files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit 85bc1552e3919d049d39a065824172a24933d38b)

- - - - -
79b5156e by Douglas Bagnall at 2022-10-07T08:48:17+00:00
pytest/samdb_api: use TestCaseInTempDir.rm_files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit 4e3dabad0be0900a203896c2c2acb270d31b0a42)

- - - - -
ad768b1c by Douglas Bagnall at 2022-10-07T08:48:17+00:00
pytest/join: use TestCaseInTempDir.rm_files/dirs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit 7455c53fa4f7871b3980f820d22b0fd411195704)

- - - - -
6cc1ac32 by Douglas Bagnall at 2022-10-07T08:48:17+00:00
pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit 251360d6e58986dd53f0317319544e930dc61444)

- - - - -
e80ec63f by Douglas Bagnall at 2022-10-07T08:48:17+00:00
pytest/samba_tool_drs: use TestCaseInTempDir.rm_files/.rm_dirs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit 3f0aab45c81c9f9b6b87eb68bc785902619dc10d)

- - - - -
4425351f by Douglas Bagnall at 2022-10-07T08:48:17+00:00
pytest/samba_tool_drs_no_dns: use TestCaseInTempDir.rm_files/.rm_dirs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit 24f7d71416753b792d6fe029da6f366adb10383e)

- - - - -
6671f6f5 by Andrew Bartlett at 2022-10-07T08:48:17+00:00
selftest: Prepare for "old Samba" mode regarding getncchanges GET_ANC/GET_TGT

The chgdcpass environment will emulate older versions of Samba
that fail to implement DRSUAPI_DRS_GET_ANC correctly and
totally fail to support DRSUAPI_DRS_GET_TGT.

This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 62b426243f4eaa4978c249b6e6ce90d35aeaefe4)

- - - - -
7bde5d32 by Andrew Bartlett at 2022-10-07T08:48:17+00:00
selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs clone-dc-database

This test, compared with the direct-to-RPC tests, will succeed, then fail once the
server is changed to emulate Samba 4.5, and again succeed once the python code
changes to allow skipping the DRSUAPI_DRS_CRITICAL_ONLY step.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 7ff743d65dcf27ffe0c6861720e8ce531bfa378d)

- - - - -
a64c4a7e by Andrew Bartlett at 2022-10-07T08:48:17+00:00
s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT

This emulates older versions of Samba that fail to implement
DRSUAPI_DRS_GET_ANC correctly and totally fail to support
DRSUAPI_DRS_GET_TGT.

This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 314bc44fa9b8fc99c80bfcfff71f2cec67bbda36)

- - - - -
eb939d4b by Andrew Bartlett at 2022-10-07T08:48:17+00:00
selftest: Enable "old Samba" mode regarding GET_ANC/GET_TGT

The chgdcpass server now emulates older versions of Samba that
fail to implement DRSUAPI_DRS_GET_ANC correctly and totally fail to support
DRSUAPI_DRS_GET_TGT.

We now show this is in effect by the fact that tests now fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit b0bbc94d4124d63b1d5a35ccbc88ffd51d520ba0)

- - - - -
79283760 by Andrew Bartlett at 2022-10-07T08:48:17+00:00
s4-libnet: Add messages to object count mismatch failures

This helps explain these better than WERR_GEN_FAILURE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 483c48f52d6ff5e8149ed12bfeb2b6608c946f01)

- - - - -
bac9532f by Andrew Bartlett at 2022-10-07T08:48:17+00:00
python-drs: Add client-side debug and fallback for GET_ANC

Samba 4.5 and earlier will fail to do GET_ANC correctly and will not
replicate non-critical parents of objects with isCriticalSystemObject=TRUE
when DRSUAPI_DRS_CRITICAL_ONLY is set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit bff2bc9c7d69ec2fbe9339c2353a0a846182f1ea)

- - - - -
cb27978c by Anoop C S at 2022-10-07T09:59:55+00:00
vfs_glusterfs: Remove special handling of O_CREAT flag

Special handling of O_CREAT flag in SMB_VFS_OPENAT code path was the
only option to ensure correctness due to a bug in libgfapi as detailed
in issue #3838[1] from GlusterFS upstream. This has been fixed recently
so that O_CREAT is handled correctly within glfs_openat() enabling us to
remove the corresponding special case from vfs_gluster_openat().

[1] https://github.com/gluster/glusterfs/issues/3838

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15192

Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Oct  6 08:34:56 UTC 2022 on sn-devel-184

(cherry picked from commit 9a8bc67f4a5e4afecd648523f43a8e97584fcfd0)

Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Fri Oct  7 09:59:55 UTC 2022 on sn-devel-184

- - - - -
41e016e4 by Stefan Metzmacher at 2022-10-18T13:32:10+00:00
smbXsrv_client: ignore NAME_NOT_FOUND from smb2srv_client_connection_passed

If we hit a race, when a client disconnects the connection after the initial
SMB2 Negotiate request, before the connection is completely passed to the
process serving the given client guid, the temporary smbd which accepted the
new connection may already have detected the disconnect and exited before
the long term smbd servicing the client guid was able to send the
MSG_SMBXSRV_CONNECTION_PASSED message.

The result was a log message like this:

  smbXsrv_client_connection_pass_loop: smb2srv_client_connection_passed() failed => NT_STATUS_OBJECT_NAME_NOT_FOUND

and all connections belonging to the client guid were dropped,
because we called exit_server_cleanly().

Now we ignore NT_STATUS_OBJECT_NAME_NOT_FOUND from
smb2srv_client_connection_passed() and let the normal
event loop detect the broken connection, so that only
that connection is terminated (not the whole smbd process).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 636ec45c93ad040ba70296aa543884c145b3e789)

- - - - -
abc48aec by Stefan Metzmacher at 2022-10-18T13:32:11+00:00
smbXsrv_client: fix a debug message in smbXsrv_client_global_verify_record()

DBG_WARNING() already adds the function name as prefix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit acb3d821deaf06faa16f6428682ecdb02babeb98)

- - - - -
fd4c80fc by Stefan Metzmacher at 2022-10-18T13:32:11+00:00
smbXsrv_client: call smb2srv_client_connection_{pass,drop}() before dbwrap_watched_watch_send()

dbwrap_watched_watch_send() should typically be the last thing to call
before the db record is unlocked, as it's not that easy to undo.

In future we want to recover from smb2srv_client_connection_{pass,drop}()
returning NT_STATUS_OBJECT_NAME_NOT_FOUND and it would add complexity if we
would need to undo dbwrap_watched_watch_send() at that point.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 56c597bc2b29dc3e555f737ba189f521d0e31e8c)

- - - - -
4a44febb by Stefan Metzmacher at 2022-10-18T13:32:11+00:00
smbXsrv_client: make sure we only wait for smb2srv_client_mc_negprot_filter once and only when needed

This will simplify the following changes...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 8c8d8cf01e01c2726d03fa1c81e0ce9992ee736c)

- - - - -
6d05908e by Stefan Metzmacher at 2022-10-18T13:32:11+00:00
smbXsrv_client: handle NAME_NOT_FOUND from smb2srv_client_connection_{pass,drop}()

If we get NT_STATUS_OBJECT_NOT_FOUND from smb2srv_client_connection_{pass,drop}()
we should just keep the connection and overwrite the stale record in
smbXsrv_client_global.tdb. It's basically a race with serverid_exists()
and a process that doesn't cleanly teardown.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15200

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 5d66d5b84f87267243dcd5223210906ce589af91)

- - - - -
4c6b7983 by Jeremy Allison at 2022-10-18T13:32:11+00:00
s4: smbtorture: Add fsync_resource_fork test to fruit tests.

This shows we currently hang when sending an SMB2_OP_FLUSH on
an AFP_Resource fork.

Adds knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
(cherry picked from commit 1b8a8732848169c632af12b7c2b4cd3ee73be244)

- - - - -
54d4b0f6 by Jeremy Allison at 2022-10-18T13:32:11+00:00
s3: VFS: fruit. Implement fsync_send()/fsync_recv().

For type == ADOUBLE_META, fio->fake_fd is true so
writes are already synchronous, just call tevent_req_post().

For type == ADOUBLE_RSRC we know we are configured
with FRUIT_RSRC_ADFILE (because fruit_must_handle_aio_stream()
returned true), so we can just call SMB_VFS_NEXT_FSYNC_SEND()
after replacing fsp with fio->ad_fsp.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
(cherry picked from commit 35c637f2e6c671acf8fb9c2a67774bd5e74dd7d0)

- - - - -
a1453f16 by Ralph Boehme at 2022-10-18T13:32:11+00:00
vfs_fruit: add missing calls to tevent_req_received()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15182

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
(cherry picked from commit a7fba3ff5996330158d3cc6bc24746a59492b690)

- - - - -
e0ae6332 by Noel Power at 2022-10-18T13:32:11+00:00
s3/rpcclient: Duplicate string returned from poptGetArg

popt 1.19 fixes a leak that exposes a use after free;
make sure we duplicate the return of poptGetArg if
poptFreeContext is called before we use it.


BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d26d3d9bff61f796c9c9ab54990ea078f575ab1e)

- - - - -
4c03cfd6 by Noel Power at 2022-10-18T13:32:11+00:00
s3/param: Fix use after free with popt-1.19

popt 1.19 fixes a leak that exposes a use after free;
make sure we duplicate the return of poptGetArg if
poptFreeContext is called before we use it.


BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit ff003fc87b8164610dfd6572347c05308c4b2fd7)

- - - - -
1e865210 by Noel Power at 2022-10-18T13:32:11+00:00
s3/utils: Add missing poptFreeContext

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 31d3d10b260f05080ca0a3cf9434aa4704d60739)

- - - - -
3a9733ce by Noel Power at 2022-10-18T13:32:11+00:00
s3/utils: Fix use after free with popt 1.19

popt 1.19 fixes a leak that exposes a use after free;
make sure we duplicate the return of poptGetArg if
poptFreeContext is called before we use it.


BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit e82699fcca3716d9ed0450263fd83f948de8ffbe)

- - - - -
21890fcb by Noel Power at 2022-10-18T13:32:11+00:00
s3/utils: Fix use after free with popt 1.19

popt 1.19 fixes a leak that exposes a use after free;
make sure we duplicate the return of poptGetArg if
poptFreeContext is called before we use it.

==6055== Command: ./bin/testparm /etc/samba/smb.conf
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4C44DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4C44DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
==6055==    by 0x10EBFA: main (testparm.c:862)
==6055==  Address 0x72dab72 is 2 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
Load smb config files from /etc/samba/smb.conf
==6055== Invalid read of size 1
==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 8
==6055==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 2
==6055==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 8
==6055==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 2
==6055==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==
==6055== Invalid read of size 1
==6055==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
==6055==    by 0x10EC06: main (testparm.c:864)
==6055==  Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EBAC: main (testparm.c:854)
==6055==  Block was alloc'd at
==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6055==    by 0x10EB2E: main (testparm.c:830)
==6055==

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 4b15d8c2a5c8547b84e7926fed9890b5676b8bc3)

- - - - -
ee2858ab by Noel Power at 2022-10-18T13:32:11+00:00
s4/lib/registry: Fix use after free with popt 1.19

popt 1.19 fixes a leak that exposes a use after free;
make sure we duplicate the return of poptGetArg if
poptFreeContext is called before we use it.

==6357== Command: ./bin/regpatch file
==6357==
Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it
==6357== Syscall param openat(filename) points to unaddressable byte(s)
==6357==    at 0x4BFE535: open (in /usr/lib64/libc.so.6)
==6357==    by 0x4861432: reg_diff_load (patchfile.c:345)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
Error reading registry patch file `file'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184

(cherry picked from commit 7e0e3f47cd67e4cadc101691cd14837f45d9506a)

- - - - -
fac483e3 by Noel Power at 2022-10-18T13:32:11+00:00
s3/param: Check return of talloc_strdup

followup to commit ff003fc87b8164610dfd6572347c05308c4b2fd7

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 19eb88bc53e481327bbd437b0c145d5765c6dcec)

- - - - -
d5e39d1b by Noel Power at 2022-10-18T13:32:11+00:00
s3/utils: Check return of talloc_strdup

followup to e82699fcca3716d9ed0450263fd83f948de8ffbe

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 972127daddc7a32d23fb84d97102557035b06f5b)

- - - - -
93d6f403 by Noel Power at 2022-10-18T14:28:13+00:00
s3/utils: check result of talloc_strdup

followup to commit 4b15d8c2a5c8547b84e7926fed9890b5676b8bc3

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Oct 17 19:49:37 UTC 2022 on sn-devel-184

(cherry picked from commit 0326549a052c22e4929e3760fd5011c35e32fe33)

Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Tue Oct 18 14:28:13 UTC 2022 on sn-devel-184

- - - - -
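The use-after-free that the three "Fix use after free with popt 1.19" commits above describe, together with the NULL check the "Check return of talloc_strdup" follow-ups add, as an added C example that is not Samba's or popt's code. libpopt is replaced by a constructed stand-in (the `fake_popt*` functions) that reproduces only the ownership behaviour the commit messages and valgrind traces describe: poptGetArg hands back context-owned memory that poptFreeContext releases from popt 1.19 on, whereas older popt leaked those strings and so hid the dangling pointer; `take_first_arg` is a hypothetical helper showing the fixed pattern.

```c
#define _POSIX_C_SOURCE 200809L	/* strdup() */
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for the popt calls named in the commit messages
 * (not libpopt). It models one ownership rule: fake_poptGetArg() returns a
 * pointer into context-owned memory (popt mallocs it in poptGetNextOpt),
 * and fake_poptFreeContext() frees that memory, as popt 1.19 started doing.
 */
struct fake_popt_context {
	char **leftovers;	/* non-option arguments, owned by the context */
	int count;
	int next;
};

static void fake_poptFreeContext(struct fake_popt_context *con)
{
	for (int i = 0; i < con->count; i++) {
		free(con->leftovers[i]);	/* the free() in the valgrind traces */
	}
	free(con->leftovers);
	free(con);
}

static struct fake_popt_context *fake_poptGetContext(int argc, const char **argv)
{
	struct fake_popt_context *con = calloc(1, sizeof(*con));
	if (con == NULL) {
		return NULL;
	}
	con->leftovers = calloc(argc > 0 ? (size_t)argc : 1, sizeof(char *));
	if (con->leftovers == NULL) {
		free(con);
		return NULL;
	}
	for (int i = 1; i < argc; i++) {
		if (argv[i][0] == '-') {
			continue;	/* options are consumed, not handed back */
		}
		con->leftovers[con->count] = strdup(argv[i]);
		if (con->leftovers[con->count] == NULL) {
			fake_poptFreeContext(con);
			return NULL;
		}
		con->count++;
	}
	return con;
}

/* Next leftover argument or NULL; valid only while the context is alive. */
static const char *fake_poptGetArg(struct fake_popt_context *con)
{
	if (con->next >= con->count) return NULL;
	return con->leftovers[con->next++];
}

/*
 * The shape behind the valgrind reports above was:
 *	const char *arg = poptGetArg(pc);
 *	poptFreeContext(pc);	// with popt 1.19 this frees what arg points at
 *	use(arg);		// invalid read of freed memory
 * The fix duplicates the string while the context is alive and checks the
 * duplicate (the "Check return of talloc_strdup" follow-ups add that check).
 * Returns 0 and stores a caller-owned copy in *out (NULL when there was no
 * leftover argument); returns -1 when an allocation fails.
 */
int take_first_arg(int argc, const char **argv, char **out)
{
	struct fake_popt_context *pc;
	const char *arg;
	char *copy = NULL;
	*out = NULL;
	pc = fake_poptGetContext(argc, argv);
	if (pc == NULL) {
		return -1;
	}
	arg = fake_poptGetArg(pc);
	if (arg != NULL) {
		copy = strdup(arg);	/* Samba uses talloc_strdup(); same rule */
		if (copy == NULL) {
			fake_poptFreeContext(pc);
			return -1;
		}
	}
	fake_poptFreeContext(pc);	/* arg dangles from here on; copy does not */
	*out = copy;
	return 0;
}
```

Running the fixed shape under valgrind produces no "Invalid read" reports because nothing is read through `arg` after the context is freed; the caller owns `*out` and frees it itself.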
68a0ef3b by Stefan Metzmacher at 2022-10-19T08:40:14+00:00
s4:messaging: add imessaging_init_discard_incoming()

We often create imessaging contexts just for sending messages,
but we'll never process incoming messages because a temporary event
context was used and we just queue a lot of imessaging_post_state
structures with immediate events.

With imessaging_init_discard_incoming() we'll discard any incoming messages
unless we have pending irpc requests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit a120fb1c724dfaed5a99e34aaf979502586f17c0)

- - - - -
28c65ce3 by Stefan Metzmacher at 2022-10-19T08:40:14+00:00
s3:auth_samba4: make use of imessaging_init_discard_incoming()

Otherwise we'll generate a memory leak of imessaging_post_state/
tevent_immediate structures per incoming message!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 32df5e4961cf064b72bb496157cc6092126d9b8e)

- - - - -
7540755d by Stefan Metzmacher at 2022-10-19T09:51:29+00:00
s4:messaging: let imessaging_client_init() use imessaging_init_discard_incoming()

imessaging_client_init() is for temporary stuff only, so we should drop
(unexpected) incoming messages unless we expect irpc responses.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15201

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Oct 13 13:32:30 UTC 2022 on sn-devel-184

(cherry picked from commit 266bcedc18efc52e29efde6bad220623a5423e30)

Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Wed Oct 19 09:51:29 UTC 2022 on sn-devel-184

- - - - -
09ec2b13 by Jeremy Allison at 2022-10-19T10:51:11+00:00
s4: torture: libsmbclient: Add a torture test to ensure smbc_stat() returns ENOENT on a non-existent file.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15195

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
(cherry picked from commit 9eda432836bfff3d3d4a365a08a5ecb54f0f2e34)

- - - - -
142a771d by Jeremy Allison at 2022-10-19T11:52:24+00:00
s3: libsmbclient: Fix smbc_stat() to return ENOENT on a non-existent file.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15195

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Oct 19 00:13:56 UTC 2022 on sn-devel-184

(cherry picked from commit fd0c01da1c744ae6fd9d8675616d8b6d3531e469)

Autobuild-User(v4-17-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-17-test): Wed Oct 19 11:52:24 UTC 2022 on sn-devel-184

- - - - -
cda9e1cc by Jule Anger at 2022-10-19T14:12:49+02:00
WHATSNEW: Add release notes for Samba 4.17.1.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
ed12d435 by Jule Anger at 2022-10-19T14:13:18+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.17.1 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
74e5200a by Michael Tokarev at 2022-10-19T21:28:42+03:00
New upstream version 4.17.1+dfsg
- - - - -


30 changed files:

- VERSION
- WHATSNEW.txt
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-script.options.5
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.conf.5
- ctdb/doc/ctdb.sysconfig.5
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7
- ctdb/doc/ctdbd.1
- ctdb/doc/ltdbtool.1
- ctdb/doc/onnode.1
- ctdb/doc/ping_pong.1
- docs/manpages/cifsdd.8
- docs/manpages/dbwrap_tool.1
- docs/manpages/eventlogadm.8
- docs/manpages/idmap_ad.8
- docs/manpages/idmap_autorid.8
- docs/manpages/idmap_hash.8
- docs/manpages/idmap_ldap.8
- docs/manpages/idmap_nss.8
- docs/manpages/idmap_rfc2307.8
- docs/manpages/idmap_rid.8
- docs/manpages/idmap_script.8
- docs/manpages/idmap_tdb.8
- docs/manpages/idmap_tdb2.8
- docs/manpages/libsmbclient.7


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/cb2019da2f4db0d3aebf5f04a587448ea9f0dabf...74e5200a99002ea2b5dd72e10ac3a9ffcf925a88
