Age | Commit message | Author | Files | Lines
13 days | s3:loadparm: return NULL upon memalloc failure in lp_idmap_backend (HEAD, master) | Shachar Sharon | 1 | -1/+1

Return NULL instead of valid-but-misleading cast from 'false' to pointer.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Apr 23 20:53:10 UTC 2026 on atb-devel-224
13 days | s4:torture: Retry DsExecuteKCC on NT_STATUS_DS_BUSY | Andreas Schneider | 3 | -4/+21

The KCC service runs a periodic samba_kcc child process (every 300s, first at 15s after startup) with a 40 second timeout. If a test calls DsExecuteKCC while the periodic child is running, kccsrv returns NT_STATUS_DS_BUSY which propagates as EPT_NT_CANT_PERFORM_OP to the client, causing flaky test failures.

    UNEXPECTED(error): samba4.drs.samba_tool_drs_showrepl.python(schema_pair_dc).samba_tool_drs_showrepl.SambaToolDrsShowReplTests.test_samba_tool_showrepl(schema_pair_dc:local)
    REASON: Exception: Exception: Traceback (most recent call last):
      File "/builds/samba-testbase/samba-def-build/source4/torture/drs/python/samba_tool_drs_showrepl.py", line 57, in test_samba_tool_showrepl
        kcc_out = self.check_output("samba-tool drs kcc %s %s" % (self.dc1,
      File "/builds/samba-testbase/samba-def-build/bin/python/samba/tests/__init__.py", line 593, in check_output
        raise BlackboxProcessError(retcode, line, stdoutdata, stderrdata)
    samba.tests.BlackboxProcessError: Command 'python3 bin/samba-tool drs kcc liveupgrade1dc -USCHEMADOMAIN/Administrator%locDCpass1'; shell True; exit status 255; stdout: ''; stderr: 'ERROR(runtime): DsExecuteKCC failed - (3221356597, 'The operation cannot be performed.')

    3221356597 => 0xc0020035 (EPT_NT_CANT_PERFORM_OP)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 23 07:55:04 UTC 2026 on atb-devel-224
2026-04-22 | s3:tests: Improve debugging for test_wbinfo_lookuprids_cache.sh | Andreas Schneider | 1 | -2/+22

Note that if this test fails, it is likely something else creating keys. The last time it was a crashing smbd which left a key in the database and this test failed as a result.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Apr 22 16:35:58 UTC 2026 on atb-devel-224
2026-04-22 | WHATSNEW: deprecated "allow dcerpc auth level connect" | Stefan Metzmacher | 1 | -0/+1

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 22 14:19:03 UTC 2026 on atb-devel-224
2026-04-22 | docs-xml/smbdotconf: deprecated "allow dcerpc auth level connect" | Stefan Metzmacher | 1 | -1/+3

This was only added to prevent problems with the fixes for CVE-2016-2118.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2026-04-22 | third_party/ngtcp2: import v1.22.1 for CVE-2026-40170 | Stefan Metzmacher | 99 | -2963/+5993

For CVE-2026-40170 see: https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-04-21 | vfs_ceph_new: remove double-cleanup in closedir | Shweta Sodani | 1 | -1/+0

vfs_ceph_release_fh() was called explicitly then again via the FSP extension destructor triggered by vfs_ceph_remove_fh(). Drop the explicit call and let the destructor handle cleanup.

Signed-off-by: Shweta Sodani <ssodani@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Apr 21 22:18:42 UTC 2026 on atb-devel-224
2026-04-21 | vfs_ceph_new: fix return type mismatch in disk_free | Shweta Sodani | 1 | -3/+3

-ENOMEM cast to uint64_t is not the error sentinel UINT64_MAX and leaves errno unset. Set errno and return UINT64_MAX instead. Also use UINT64_MAX instead of (uint64_t)-1 in all error paths.

Signed-off-by: Shweta Sodani <ssodani@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-21 | vfs_ceph_new: fix END_PROFILE/END_PROFILE_X mismatch in ftruncate | Shweta Sodani | 1 | -1/+1

END_PROFILE omits the per-service counter; replace with END_PROFILE_X to match the START_PROFILE_X on the strict_allocate path.

Signed-off-by: Shweta Sodani <ssodani@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-21 | s3/brlock: map nt-error from correct errno-value | Shachar Sharon | 1 | -2/+2

The functions 'brl_lock_windows_default' and 'brl_lock_posix' use an explicit 'errno_ret' value to avoid possible errno overwrite. Use it in the failure case.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Shwetha Acharya <Shwetha.K.Acharya@ibm.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Apr 21 02:05:57 UTC 2026 on atb-devel-224
2026-04-20 | smbdotconf: Add "automount fs types" to smb.conf | Pavel Filipenský | 2 | -0/+55

This adds a new global parameter "automount fs types" that allows administrators to configure additional filesystem types that should trigger automounting, beyond the always-supported autofs filesystem.

To enable 'samba unaware FS' automounting, add:

    automount fs types = 0x12345678

This allows e.g. ZFS snapshots in <dataset root>/.zfs/snapshot to be mounted.

To find out the magic number that is not listed in /usr/include/linux/magic.h, run:

    stat -f -c '0x%t' /path/to/mountpoint

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15991

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Apr 20 19:57:42 UTC 2026 on atb-devel-224
2026-04-18 | vfs_gpfs: convert smb2gpfs_acl() to use talloc | Shwetha Acharya | 1 | -5/+7

This avoids mixing malloc and talloc allocation patterns and aligns the code with Samba's memory management conventions.

Signed-off-by: Shwetha Acharya <Shwetha.K.Acharya@ibm.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sat Apr 18 20:58:22 UTC 2026 on atb-devel-224
2026-04-17 | ctdb-scripts: Support interface altnames | Martin Schwenke | 2 | -14/+30

This avoids generating a warning like:

    WARNING: Public IP <ip> hosted on interface <iface> but VNN says <altname>

every time a public IP is removed from an interface that is configured via an altname.

The new check will nearly always be successful because the IP will be on the expected interface during releaseip/updateip. The original check is now used as a backup when the IP is not on the expected interface.

To allow the mask bits check to cover both cases, the original check and the associated interface check need to be inside the else clause.

Update the unit test to reflect the change.

Best reviewed with "git show -w" or similar.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Apr 17 00:11:50 UTC 2026 on atb-devel-224
2026-04-16 | ctdb-tests: Add addip/releaseip altname unit test | Martin Schwenke | 1 | -0/+21

This shows that a warning is generated whenever an IP address is removed using an altname.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-tests: Implement altname property for ip link/addr | Martin Schwenke | 1 | -0/+54

Only implemented for these commands. I don't even want to think about doing this for ip route right now.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Rename/reimplement get_iface_ip_maskbits() | Martin Schwenke | 1 | -8/+10

Reimplement to set prefix instead of maskbits. Rename to get_ip_prefix_iface().

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Add function ip_prefix_iface() | Martin Schwenke | 2 | -10/+13

Reimplement ip_maskbits_iface() using the ip -brief option. Do less parsing, no longer extract maskbits but return whole prefix.

Retain ip_maskbits_iface() for backward compatibility in case custom event scripts are using it.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-tests: Implement -brief option for ip addr show stub | Martin Schwenke | 1 | -12/+36

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-tests: Fix a typo in "ip link show" stub output | Martin Schwenke | 1 | -1/+1

Status is different to state and should not be repeated. For example:

    eth0 UP aa:bb:cc:dd:ee:ff <BROADCAST,MULTICAST,UP,LOWER_UP>

Clearly nothing looks at this field but it should be correct.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Drop full address prefix lengths | Martin Schwenke | 1 | -7/+3

ip addr assumes these defaults anyway. They are just noise.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Add an extra variable to help reviewers | Martin Schwenke | 1 | -3/+9

Using $_bcast to determine if the address is an IPv6 one is lazy. It causes anyone reading the code (including the original author) to have to go back and confirm that the condition makes sense.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Add function ip_addr_add() | Martin Schwenke | 2 | -11/+20

For consistency with new ip_addr_del().

Update all callers of add_ip_to_iface() to use this function instead.

Retain add_ip_to_iface() for backward compatibility in case custom event scripts are using it.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Add function ip_addr_del() | Martin Schwenke | 3 | -12/+22

Using a prefix is more natural because it matches "ip addr ..." usage. It should also allow for less parsing.

Update all callers of delete_ip_from_iface() to use this function instead.

Retain delete_ip_from_iface() for backward compatibility in case custom event scripts are using it.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Only warn when removing an unassigned public IP | Martin Schwenke | 2 | -14/+15

get_iface_ip_maskbits() now sets iface="" when the IP is unassigned, allowing dependent code to be conditional.

Currently, ctdb_takeover.c:ctdb_control_release_ip() ensures no releaseip event is triggered if the public address is not on the node. So, no change of behaviour for releaseip.

The previous attempt at making updateip behave more like takeip when the IP isn't currently assigned caused commands with missing mask bits to be run. Avoid this.

Best reviewed with "git show -w" or similar.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Simplify by taking advantage of early return/exit | Martin Schwenke | 1 | -13/+13

Negate the condition in the if-statement so the current else part goes first. It always returns or exits, so the remainder (current if part) can just follow.

This makes a subsequent change easier to understand.

Probably best reviewed with "git show -w" or similar.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Fix the NAT gateway IP drop in crash cleanup | Martin Schwenke | 1 | -1/+1

This has been bizarrely wrong since commit 095fac9491bfe6a29127d9c3f76c15bc947cf591.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: No longer attempt to delete IP from new interface | Martin Schwenke | 1 | -2/+1

Since commit 6471541d6d2bc9f2af0ff92b280abbd1d933cf88 this is completely unnecessary because interface $oiface is determined by looking at the system.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Add address with specified mask bits in updateip | Martin Schwenke | 1 | -1/+1

That is, add using $_maskbits, not $maskbits.

In the rare case where the mask bits were inconsistent on the old interface, $maskbits will be needed for removal from the old interface. However, the specified mask bits ($_maskbits) must always be used when adding to the new interface. Circumstances where this matters are likely to be very rare.

It matters more if the address is unexpectedly not assigned at all. In this case $maskbits will not be set, so the address can't be added to the new interface using that variable.

This got confused in commit 6471541d6d2bc9f2af0ff92b280abbd1d933cf88.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Change style to use if-statements | Martin Schwenke | 2 | -10/+10

Well known, explicit structured programming constructs are arguably easier to understand than implicit shell magic.

Only change instances that will be updated by subsequent commits. Doing this separately, instead of in each subsequent commit, will make those commits easier to understand.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Reformat with "shfmt -w -i 0 -fn" | Martin Schwenke | 3 | -136/+138

Best reviewed with "git show -w" or similar.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | ctdb-scripts: Avoid a shellcheck complaint | Martin Schwenke | 1 | -1/+1

    In ctdb/config/events/legacy/11.natgw.script line 174:
    read _old_natgwleader <"$natgw_leader_old"
    ^--^ SC2162 (info): read without -r will mangle backslashes.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: John Mulligan <jmulligan@redhat.com>
2026-04-16 | smbd: handle synthetic_smb_fname failure properly in delete_all_streams | Shachar Sharon | 1 | -1/+1

When 'synthetic_smb_fname' fails due to memory error, it returns NULL. Fix this error-case logic in 'delete_all_streams'.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Apr 16 13:48:23 UTC 2026 on atb-devel-224
2026-04-16 | ndr:dns_utils.h: add header guards | Douglas Bagnall | 1 | -0/+5

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Apr 16 01:57:42 UTC 2026 on atb-devel-224
2026-04-16 | ndr/util push_dns_string: avoid unnecessary tallocs | Douglas Bagnall | 1 | -10/+13

We know the components are all less than 64 bytes long.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-04-16 | ndr:dns: introduce and use MAX_COMP_LEN | Douglas Bagnall | 1 | -6/+5

It means 63 or 0x3f, and is the maximum length of a DNS/NBT component.

We also simplify an error message that was fond of long hex representations of small numbers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-04-16 | ndr: pull_dns_string: don't allow dots or '\0' in labels | Douglas Bagnall | 1 | -1/+42

We use a copy function that returns false if the copied string contains the bad characters, and true otherwise.

As a special case, we allow a '.' as the last character, because an NBT name with a trailing dot is sometimes used as a username, and we need to match these exactly, even though the dotless form is semantically the same (per RFC).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-04-16 | librpc/tests: Initialize name _test_ndr_pull_dns_string_list | Andreas Schneider | 1 | -1/+1

When ndr_pull_struct_blob fails (which it will for labels containing dots, now rejected by the new dns_component_copy check), name remains uninitialized and the subsequent push call dereferences it.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2026-04-16 | ndr: pull_dns_string: check length, use buffers/memcpy | Douglas Bagnall | 2 | -23/+43

RFC 1035 says the maximum length for a DNS name is 255 characters, and one of the factors that allowed CVE-2020-10745 is that Samba did not enforce that directly, enabling names around 8k long.

We fix that by keeping track of the name length. It is easier and more efficient to use a 64 byte buffer for the components, and this will help us to introduce further hardening in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-04-16 | ndr: pull_dns_string: drop nbt/dns mem_ctx difference | Douglas Bagnall | 1 | -6/+2

Until now NBT and DNS have used talloc contexts of different lifetimes to allocate component strings. The actual talloc context doesn't really matter -- these strings are immediately copied and can be freed straight after. So that is what we do.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-04-16 | ndr/nbt: use ndr_dns_utils/ndr_pull_dns_string_list | Douglas Bagnall | 4 | -115/+50

To retain exactly the same behaviour with regard to memory contexts and error messages, we add an is_nbt flag.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-04-16 | ndr/dns: shift pull_dns_string to ndr_dns_util.c | Douglas Bagnall | 3 | -98/+119

This will allow NBT to use the same function (after modifications in the next commit).

This is post CVE-2020-10745 hardening and optimisation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-04-16 | pytests: dns_packet tests check rcodes match Windows | Douglas Bagnall | 2 | -27/+152

The dns_packet tests originally checked only for a particular DoS situation (CVE-2020-10745) but now we widen them to ensure Samba's replies to invalid packets resemble those of Windows (in particular, Windows 2012r2).

We want Samba to reply only when Windows replies, and with the same rcode. At present we fail a lot of these tests.

The original CVE-2020-10745 test is retained and widened indirectly -- any test that leaves the server unable to respond within 0.5 seconds will count as a failure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2026-04-15 | s3/modules: fix snapper_gmt_fstatat | Noel Power | 1 | -2/+5

snapper_gmt_fstatat is failing when called on items in a 'previous version' snapshot because the wrong timestamp value is passed (the raw timewarp value is used) and snapper_gmt_convert cannot find the valid snapshot instance to use.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16058

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Apr 15 15:29:38 UTC 2026 on atb-devel-224
2026-04-15 | s3/modules: Fix vfs snapper not finding files in subdirs | Noel Power | 1 | -12/+12

When trying to browse on windows a snapper share (exposed via windows previous versions) files in subdirs are not visible. In other words only files that are in the root dir of the versioned share can be seen.

    /ashare/file1
    /ashare/file2
    /ashare/subdir
    /ashare/subdir/subfile1

For example with the file hierarchy above only file1, file2 and subdir are visible. Navigating into subdir shows an empty dir.

snapper_gmt_openat is failing because when calling snapper_gmt_convert it doesn't take into account the path to the subdirectory. snapper_gmt_convert is just passed the leaf name where it constructs the snapper path based on the base dir of the share.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16058

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2026-04-15 | s3:loadparm: fix NULL pointer dereference in volume_label() | Jeremy Allison | 2 | -1/+3

volume_label() calls lp_servicename() as a fallback when lp_volume() returns an empty string. lp_servicename() is a FN_LOCAL_SUBSTITUTED_STRING that falls back to sDefault.szService when the service is invalid. Since sDefault.szService is initialized to NULL and is never set by init_globals(), the substitution returns NULL, and the subsequent strlen() call crashes with a segmentation fault.

Add a NULL guard so volume_label() returns an empty string instead of crashing.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14978

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 15 00:07:12 UTC 2026 on atb-devel-224
2026-04-14 | s3:smbd: guard lp_killservice() in delete_and_reload_printers() with connections_snum_used check | Jeremy Allison | 1 | -1/+2

delete_and_reload_printers() unconditionally calls lp_killservice() to destroy autoloaded printer services that are no longer in the printer list. If any active connection is still using the printer service number, the destroyed service can cause a NULL pointer dereference on subsequent requests.

Guard the call with connections_snum_used() so the service is only freed when no connections are using it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14978

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2026-04-14 | s3:srvsvc: guard lp_killservice() in _srvsvc_NetShareDel() with connections_snum_used check | Jeremy Allison | 1 | -1/+3

_srvsvc_NetShareDel() unconditionally calls lp_killservice() to destroy the service after deleting a share via RPC. If any active connection is still using this service number, the destroyed service can cause a NULL pointer dereference on subsequent requests.

Guard the call with connections_snum_used() so the service is only freed when no connections are using it. The periodic load_usershare_shares() sweep will clean up the stale service once all connections have disconnected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14978

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2026-04-14 | s3:loadparm: guard free_service_byindex() in lp_servicenumber() with snum_in_use check | Jeremy Allison | 1 | -0/+18

lp_servicenumber() calls free_service_byindex() to destroy usershare services when usershare_exists() returns false or when the usershare file has been modified. This is unsafe because active connections may still hold the service number — the destroyed service leaves a NULL ServicePtrs[] entry that causes a NULL pointer dereference when the connection subsequently calls lp_servicename() or similar functions.

The crash path is:

    get_referred_path() -> lp_servicenumber()
      -> usershare_exists() fails (e.g. EACCES)
      -> free_service_byindex() destroys service
      -> later request on same connection
      -> volume_label() -> lp_servicename()
      -> FN_LOCAL_SUBSTITUTED_STRING falls back to sDefault.szService (NULL)
      -> strlen(NULL) -> SIGSEGV

Guard both free_service_byindex() call sites with the snum_in_use callback registered in the previous commit. When the service is in use by an active connection, skip the destruction and let the periodic load_usershare_shares() mark-and-sweep handle cleanup safely via its conn_snum_used() check.

When snum_in_use is NULL (non-smbd programs), the original behaviour is preserved — services are freed immediately since no connections can exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14978

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2026-04-14 | s3:loadparm: add lp_register_snum_in_use_fn() callback registration | Jeremy Allison | 3 | -0/+18

Add a mechanism for smbd to register a callback that checks whether a service number is currently in use by any active connection. This will be used by subsequent commits to guard free_service_byindex() calls in lp_servicenumber() and other sites that currently destroy services without checking if they are in use, which can leave active connections holding stale service numbers that lead to NULL pointer dereferences.

The callback is registered by smbd during smbd_process() startup via connections_snum_used. Non-smbd programs (testparm, net, etc.) leave the callback as NULL, meaning no connections exist and it is always safe to free services.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14978

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2026-04-14 | s3:tests: add regression test for usershare EACCES crash | Jeremy Allison | 3 | -0/+192

Add a test that verifies smbd does not crash when a usershare definition file becomes inaccessible while a client is connected.

The test creates a usershare, connects to it, makes the usershare definition file inaccessible (chmod 000), then issues a volume query which triggers the volume_label() -> lp_servicename() code path. It verifies smbd is still alive afterward by connecting to a different share.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14978

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>