samba.git/source4/libcli/ldap, branch talloc-2.4.0 Unnamed repository; edit this file 'description' to name the repository. s3-librpc: add ads.idl and convert ads_struct to talloc. 2022-12-16T20:38:32+00:00 Günther Deschner gd@samba.org 2016-08-17T09:58:02+00:00 39e8489dfc51b2293afa13d58b167819b46918dc Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
CVE-2020-25720: s4-acl: Change behavior of Create Children check 2022-09-16T02:32:36+00:00 Nadezhda Ivanova nivanova@symas.com 2021-10-25T10:10:56+00:00 08187833fee57a8dba6c67546dfca516cd1f9d7a Up to now, the rights to modify an attribute were not checked during an LDAP add operation. This means that even if a user has no right to modify an attribute, they can still specify any value during object creation, and the validated writes were not checked. This patch changes this behavior. During an add operation, a security descriptor is created that does not include the one provided by the user, and is used to verify that the user has the right to modify the supplied attributes. Exception is made for an object's mandatory attributes, and if the user has Write DACL right, further checks are skipped. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch changes this behavior. During an add operation,
a security descriptor is created that does not include the one provided by the
user, and is used to verify that the user has the right to modify the supplied attributes.
Exception is made for an object's mandatory attributes, and if the user has Write DACL right,
further checks are skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dsdb: Return dsdb_password_change control name to DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID 2022-03-17T01:57:38+00:00 Andrew Bartlett abartlet@samba.org 2022-02-09T03:53:08+00:00 0a907c2f45c34efcac784738c9d75303b9d04d2f This makes it clearer that the purpose of this control is to indicate that the password was already checked (by an out-of-band mechanism, eg kpasswd) and so can safely be changed subject to ACLs etc. This essentially reverts bbb9dc806e4399c65dee9b5dc2cde0bfaa9609bd Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This makes it clearer that the purpose of this control is to indicate that the password
was already checked (by an out-of-band mechanism, eg kpasswd) and so can safely be changed
subject to ACLs etc.

This essentially reverts bbb9dc806e4399c65dee9b5dc2cde0bfaa9609bd

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
auth:creds: Add obtained arg to cli_credentials_set_gensec_features() 2021-04-28T03:43:34+00:00 Andreas Schneider asn@samba.org 2020-08-20T08:50:30+00:00 2fbc63cacc81ab9e1dfdbe6d979c248c3bdea686 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldap_client: Make ldap_parse_basic_url() IPv6-address aware 2020-07-02T12:01:06+00:00 Volker Lendecke vl@samba.org 2020-07-01T14:10:17+00:00 7082902d56ab1aa824e6b86bceaa7e1a14b6ef29 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Jul 2 12:01:06 UTC 2020 on sn-devel-184 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jul  2 12:01:06 UTC 2020 on sn-devel-184
ldap_client: Align integer types 2020-07-02T10:38:34+00:00 Volker Lendecke vl@samba.org 2020-06-26T06:31:30+00:00 61bc99362a385fc8b59197c416f480a1054054b6 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
ldap_client: Make ldap_parse_basic_url take care of ldapi as well 2020-07-02T10:38:34+00:00 Volker Lendecke vl@samba.org 2020-06-25T19:20:04+00:00 011a2a82953fa910e1e7dee9862fbb5deaae8651 SUSV4's sscanf has the %m modifier, which allocates the right amount. Remove those SMB_ASSERTS for string buffers. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 
SUSV4's sscanf has the %m modifier, which allocates the right
amount. Remove those SMB_ASSERTS for string buffers.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode 2020-05-04T02:59:32+00:00 Gary Lockyer gary@catalyst.net.nz 2020-04-07T20:49:23+00:00 3149ea0a8aada3b03d1ca0af2e3a0f6304cda43b Add search request size limits to ldap_decode calls. The ldap server uses the smb.conf variable "ldap max search request size" which defaults to 250Kb. For cldap the limit is hard coded as 4096. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Add search request size limits to ldap_decode calls.

The ldap server uses the smb.conf variable
"ldap max search request size" which defaults to 250Kb.
For cldap the limit is hard coded as 4096.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth 2020-05-04T02:59:31+00:00 Gary Lockyer gary@catalyst.net.nz 2020-04-02T23:18:03+00:00 f467727db5ff6a6e58d9b590e4d443a1d974b679 Add maximum parse tree depth to the call to asn1_init, which will be used to limit the depth of the ASN.1 parse tree. Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Add maximum parse tree depth to the call to asn1_init, which will be
used to limit the depth of the ASN.1 parse tree.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4/libcli/ldab: clang: Fix 'Access results in a deref of a null pointer' 2019-07-16T22:52:24+00:00 Noel Power noel.power@suse.com 2019-07-10T15:13:38+00:00 8aed7e9aae13b3fc64a2af1fbdf835f12038ac9b Fixes: source4/libcli/ldap/ldap_client.c:1023:6: warning: Access to field 'type' results in a dereference of a null pointer <--[clang] if ((*msg)->type != type) { ^~~~~~~~~~~~ Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
Fixes:

source4/libcli/ldap/ldap_client.c:1023:6: warning: Access to field 'type' results in a dereference of a null pointer <--[clang]
        if ((*msg)->type != type) {
            ^~~~~~~~~~~~

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>