| Age | Commit message | Author | Files | Lines |
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Apr 16 01:57:42 UTC 2026 on atb-devel-224
|
|
We know the components are all less than 64 bytes long.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
it means 63 or 0x3f, and is the maximum length of a DNS/NBT component.
We also simplify an error message that was fond of long hex
representations of small numbers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
We use a copy function that returns false if the copied string
contains the bad characters, and true otherwise.
As a special case, we allow a '.' as the last character, because an
NBT name with a trailing dot is sometimes used as a username, and we
need to match these exactly, even though the dotless form is
semantically the same (per RFC).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
When ndr_pull_struct_blob fails (which it will for labels containing
dots, now rejected by the new dns_component_copy check), name remains
uninitialized and the subsequent push call dereferences it.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
RFC 1035 says the maximum length for a DNS name is 255 characters, and
one of the factors that allowed CVE-2020-10745 is that Samba did not
enforce that directly, enabling names around 8k long.
We fix that by keeping track of the name length. It is easier and more
efficient to use a 64 byte buffer for the components, and this will
help us to introduce further hardening in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Until now NBT and DNS have used talloc contexts of different lifetimes
to allocate component strings. The actual talloc context doesn't
really matter -- these strings are immediately copied and can be freed
straight after. So that is what we do.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
To retain exactly the same behaviour with regard to memory contexts
and error messages, we add an is_nbt flag.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
This will allow NBT to use the same function (after modifications in
the next commit).
This is post CVE-2020-10745 hardening and optimisation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Add information about the number of connections a rpc_worker
process is handling and when each connection was initiated.
command
smbcontrol 55063 rpc-dump-worker-status
will output data like below:
rpcd_spoolss pid 55063:
num connections = 2
num_association_groups = 2
last client connection 2026/03/18 06:51:04.482192
last client disconnection 2026/03/18 06:51:00.304951
active connections:
[1] endpoint=ncacn_np:[\pipe\spoolss] client addr=192.168.32.175 server=priu0002 connected at 2026/03/18 06:51:04.482192
[2] endpoint=ncacn_np:[\pipe\spoolss] client addr=192.168.33.232 server=priu0002 connected at 2026/03/18 06:47:08.466157
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Apr 14 12:12:07 UTC 2026 on atb-devel-224
|
|
Don't reference data_blob_null without need
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
|
|
Use the implicit NULLing out of the other struct elements
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
This prevents fuzzing of ndr_pull_KeyMaterialInternal which we want. So instead
allocate against the ndr talloc context, then the callers can talloc_steal,
memcpy the data as appropriate.
5 abort
6 talloc_abort samba/lib/talloc/talloc.c:506:3
7 talloc_chunk_from_ptr samba/lib/talloc/talloc.c:0
8 __talloc_with_prefix samba/lib/talloc/talloc.c:762:12
9 __talloc samba/lib/talloc/talloc.c:825:9
10 _talloc_named_const samba/lib/talloc/talloc.c:982:8
11 _talloc_memdup samba/lib/talloc/talloc.c:2441:9
12 data_blob_talloc_named samba/lib/util/data_blob.c:56:25
13 pull_BCRYPT_RSAPUBLIC_BLOB samba/librpc/ndr/ndr_keycredlink.c:878:17
14 ndr_pull_KeyMaterialInternal samba/librpc/ndr/ndr_keycredlink.c:959:10
15 LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_keycredlink_TYPE_STRUCT.c:282:13
REF: https://issues.oss-fuzz.com/issues/435760432
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Aug 6 05:10:43 UTC 2025 on atb-devel-224
|
|
Remove redundant and unused includes from librpc/ndr/ndr_keycredlink.c
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
ndr_push_struct_into_fixed_blob()
The union switch value is stored by ndr_token_store() which uses talloc to
manage ndr.switch_list. Preallocate a ndr_token array and ndr_token_list on the
stack of size ndr_token_list.fixed_alloc_count and optionally use that in
ndr_token_store().
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Fixes:
*** CID 1660828: Control flow issues (UNREACHABLE)
/librpc/ndr/ndr_keycredlink.c: 752 in pull_DER_RSA_KEY()
746 goto out;
747 }
748 if (!asn1_end_tag(asn)) { /* PublicKeyInfo */
749 return ndr_pull_error(ndr,
750 NDR_ERR_UNREAD_BYTES,
751 "ASN1 element PublicKeyInfo");
>>> CID 1660828: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "goto out;".
752 goto out;
753 }
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Aug 1 14:21:17 UTC 2025 on atb-devel-224
|
|
Apart from it making no sense, without these ranges we end up
allocating a NULL buffer and aborting.
We also put a maximum size on the RSA key, in case we could get
tricked into a DoS by pulling a large buffer and trying crypto maths
on it.
6 0x572ebce2749a in talloc_abort samba/lib/talloc/talloc.c:506:3
7 0x572ebce271d4 in talloc_chunk_from_ptr samba/lib/talloc/talloc.c:0
8 0x572ebce271d4 in __talloc_with_prefix samba/lib/talloc/talloc.c:762:12
9 0x572ebce235f9 in __talloc samba/lib/talloc/talloc.c:825:9
10 0x572ebce235f9 in _talloc_named_const samba/lib/talloc/talloc.c:982:8
11 0x572ebce235f9 in _talloc_memdup samba/lib/talloc/talloc.c:2441:9
12 0x572ebc8f6a4f in data_blob_talloc_named samba/lib/util/data_blob.c:56:25
13 0x572ebc7d23bd in pull_BCRYPT_RSAPUBLIC_BLOB samba/librpc/ndr/ndr_keycredlink.c:878:17
14 0x572ebc7d23bd in ndr_pull_KeyMaterialInternal samba/librpc/ndr/ndr_keycredlink.c:959:10
15 0x572ebc788e90 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_keycredlink_TYPE_STRUCT.c:282:13
REF: https://issues.oss-fuzz.com/issues/435039896
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jul 31 05:45:07 UTC 2025 on atb-devel-224
|
|
Add support for X509 encoded public keys in msDSKeyCredentialLink
KeyMaterial.
Note: Only RSA public keys are supported.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Idl and tests for TPM20_RSAKEY_BLOB, one of the possible encodings of
msDSKeyCredentialLink KeyMaterial
Derived from:
https://dox.ipxe.org/Tpm20_8h_source.html#l00164
https://stackoverflow.com/questions/78958315/cannot-parse-tpm2-0-public-key
Note: this is a greatly simplified implementation that only handles TPM
version 2, RSA public keys.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Replace // comments with /* */ and document the KeyId and KeyHash
elements.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Idl and tests for BCRYPT_RSAKEY_BLOB
See https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_rsakey_blob
This is one of the encodings of msDSKeyCredentialLink KeyMaterial when
KeyUsage is KEY_USAGE_NGC. As there appears to be no official
documentation on the contents of KeyMaterial, have based this on:
https://github.com/p0dalirius/pydsinternals/blob/271dd969e07a8939044bfc498d94443082ec6fa9/dsinternals/common/data/hello/KeyCredential.py#L75-L92
Note: only RSA public keys are handled
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Idl and supporting helpers for msDS-KeyCredentialLinks.
See [MS-ADTS] 2.2.20 Key Credential Link Structures
Currently the KeyMaterial is treated as a binary blob.
The naming and casing of the variable names is as close as possible to
those in the specification.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jun 19 00:08:31 UTC 2025 on atb-devel-224
|
|
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
|
|
printf can take care of the for-loop
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
|
|
normalize_name_unmap(), depending on the idmap config, can query LDAP
to unmap the username from its alias, e.g., map posix uid to samaccountname.
To avoid blocking, this call should be done in the idmap child.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
normalize_name_map(), depending on the idmap config, can query LDAP to map the
username to its alias, e.g., map samaccountname to posix uid.
To avoid blocking, this call should be done in the idmap child.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
../../librpc/wsp/wsp_util.c:244:28: warning: result of comparison of constant 160 with expression of type 'char' is always false [-Wtautological-constant-out-of-range-compare]
244 | if (strlen(t) == 1 && *t == 0xa0) {
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
So far the conversion from TGT PAC to
struct auth_user_info_dc back to TGS PAC
loses the information in what part of
the PAC_LOGON_INFO a sid was stored.
With this change we let
make_user_info_dc_{netlogon_validation,pac}()
remember this, so that
auth_convert_user_info_dc_sam{baseinfo,info6}()
can rebuild the information into the desired
parts of the PAC_LOGON_INFO.
This was found and fixed for sid filter related
tests, but it turns out that it already
fixes a few tests from samba.tests.krb5.device_tests.
All other places get an implicit AUTH_SID_ORIGIN_UNKNOWN (=0),
which means we use the same logic as before.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
auth_SidAttr is currently not used for any IPC traffic;
this change demonstrates that and makes sure it
stays that way.
It means we are free to change auth_SidAttr without the
need to change any ipc protocol version.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
I have captures showing that claims compression depends on the payload
itself and how well it compresses, instead of the pure length of the
payload.
E.g. a single string claim with a value of 68 'a'
characters has an uncompressed size of 336
and compressed size is 335.
While a single string with random string s1
has an uncompressed size of 504 and it's still
uncompressed on the wire.
A different random string s2 also has an uncompressed
size of 504, but it is compressed into a size of 502.
So it really depends if the compression makes it actually
smaller than the uncompressed version.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Feb 14 11:56:49 UTC 2025 on atb-devel-224
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
Sometimes an access allowed object ACE has unneeded trailing bytes,
like this:
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0048 (72)
access_mask : 0x00000100 (256)
object : union security_ace_object_ctr(case 1)
object: struct security_ace_object
flags : 0x00000001 (1)
1: SEC_ACE_OBJECT_TYPE_PRESENT
0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
type : union security_ace_object_type(case 1)
type : edacfd8f-ffb3-11d1-b41d-00a0c968f939
inherited_type : union security_ace_object_inherited_type(case 0)
trustee : S-1-3-0
coda : union security_ace_coda(case 5)
ignored : DATA_BLOB length=32
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
which we need to pull in order to ignore.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Feb 13 15:15:40 UTC 2025 on atb-devel-224
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Feb 8 19:49:33 UTC 2025 on atb-devel-224
|
|
These seem to be new in Windows 2025.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
This is needed in order to use ndr_pack() on them
in python code.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
We already use ndr_size_dom_sid0() and when ForestTrustDataDomainInfo
is used as part of ForestTrustDataScannerInfo, sid_size is 0
and the subcontext for the sid is skipped.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
For now FOREST_TRUST_SCANNER_INFO unknown.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
The dump_data hexdump is much easier to read...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Keep libndr at 6.0.0, this has not been released yet.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Feb 6 10:45:52 UTC 2025 on atb-devel-224
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|