From 4a39d8a1610b635760ac182be894d206eb0a1ee7 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Fri, 20 Aug 2021 15:04:49 +0200
Subject: [PATCH 031/266] CVE-2020-25717 winbind: ensure
wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14804
RN: winbindd can crash because idmap child state is not fully initialized
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 2 15:20:06 UTC 2021 on sn-devel-184
(cherry picked from commit d0f6d54354b02f5591706814fbd1e4844788fdfa)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
(cherry picked from commit 446f89510f2e55a551e2975a6cbf01c6a023ba0c)
---
source3/winbindd/winbindd_allocate_uid.c | 44 +++++++++++++++++++++---
1 file changed, 39 insertions(+), 5 deletions(-)
Conflict:NA
Reference:https://git.samba.org/samba.git/?p=samba.git;a=patch;h=4a39d8a1610b635760ac182be894d206eb0a1ee7
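diff --git a/source3/winbindd/winbindd_allocate_uid.c b/source3/winbindd/winbindd_allocate_uid.c
index 69ce61c872e..64711f1b661 100644
--- a/source3/winbindd/winbindd_allocate_uid.c
+++ b/source3/winbindd/winbindd_allocate_uid.c
@@ -22,9 +22,11 @@
 #include "librpc/gen_ndr/ndr_winbind_c.h"
 
 struct winbindd_allocate_uid_state {
+ struct tevent_context *ev;
 uint64_t uid;
 };
 
+static void winbindd_allocate_uid_initialized(struct tevent_req *subreq);
 static void winbindd_allocate_uid_done(struct tevent_req *subreq);
 
 struct tevent_req *winbindd_allocate_uid_send(TALLOC_CTX *mem_ctx,
@@ -34,25 +36,57 @@ struct tevent_req *winbindd_allocate_uid_send(TALLOC_CTX *mem_ctx,
 {
 struct tevent_req *req, *subreq;
 struct winbindd_allocate_uid_state *state;
- struct dcerpc_binding_handle *child_binding_handle = NULL;
 
 req = tevent_req_create(mem_ctx, &state,
 struct winbindd_allocate_uid_state);
 if (req == NULL) {
 return NULL;
 }
+ state->ev = ev;
 
 DEBUG(3, ("allocate_uid\n"));
 
- child_binding_handle = idmap_child_handle();
+ subreq = wb_parent_idmap_setup_send(state, ev);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_allocate_uid_initialized, req);
+ return req;
+}
+
+static void winbindd_allocate_uid_initialized(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
+ struct winbindd_allocate_uid_state *state = tevent_req_data(
+ req, struct winbindd_allocate_uid_state);
+ const struct wb_parent_idmap_config *cfg = NULL;
+ NTSTATUS status;
+
+ status = wb_parent_idmap_setup_recv(subreq, &cfg);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ if (cfg->num_doms == 0) {
+ /*
+ * idmap_tdb also returns UNSUCCESSFUL if a range is full
+ */
+ tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+ return;
+ }
+
+ child_binding_handle = idmap_child_handle();
 
- subreq = dcerpc_wbint_AllocateUid_send(state, ev, child_binding_handle,
+ subreq = dcerpc_wbint_AllocateUid_send(state,
+ state->ev,
+ child_binding_handle,
 &state->uid);
 if (tevent_req_nomem(subreq, req)) {
- return tevent_req_post(req, ev);
+ return;
 }
 tevent_req_set_callback(subreq, winbindd_allocate_uid_done, req);
- return req;
 }
 
 static void winbindd_allocate_uid_done(struct tevent_req *subreq)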
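Review bot: The `cfg->num_doms == 0` branch in winbindd_allocate_uid_initialized() fails the request with NT_STATUS_UNSUCCESSFUL and logs nothing, so an operator cannot tell this case apart from the full-range case that the comment says returns the same status. A line such as `DEBUG(3, ("allocate_uid: idmap setup returned no domains\n"));` before the `tevent_req_nterror()` call would make the two distinguishable in the winbindd log. The same function dereferences `cfg` and passes the result of `idmap_child_handle()` on without a NULL check; both presumably hold once wb_parent_idmap_setup_recv() has succeeded, but that contract is not visible in this patch. A short comment stating the invariant above `child_binding_handle = idmap_child_handle();` would document why the crash named in the commit message can no longer occur here.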
--
2.23.0