134 lines
4.9 KiB
Diff
134 lines
4.9 KiB
Diff
From 19aa47e3db550fd3099f06c9b97dc5800dd5afb3 Mon Sep 17 00:00:00 2001
|
|
From: Samuel Cabrero <scabrero@suse.de>
|
|
Date: Thu, 22 Dec 2022 11:33:12 +0100
|
|
Subject: [PATCH 31/40] CVE-2022-38023 s3:rpc_server/netlogon: add
|
|
talloc_stackframe() to dcesrv_netr_creds_server_step_check()
|
|
|
|
This will simplify the following changes.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
|
|
|
Conflict: NA
|
|
Reference: https://attachments.samba.org/attachment.cgi?id=17736
|
|
---
|
|
source3/rpc_server/netlogon/srv_netlog_nt.c | 38 ++++++++++++---------
|
|
1 file changed, 22 insertions(+), 16 deletions(-)
|
|
|
|
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
|
index 3221ebaa2e2..8e907e60f7e 100644
|
|
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
|
|
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
|
@@ -1070,6 +1070,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
|
|
struct netr_Authenticator *return_authenticator,
|
|
struct netlogon_creds_CredentialState **creds_out)
|
|
{
|
|
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
NTSTATUS status;
|
|
bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
|
|
bool schannel_required = schannel_global_required;
|
|
@@ -1091,19 +1092,19 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
|
|
|
|
auth_type = p->auth.auth_type;
|
|
|
|
- lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
|
|
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
|
|
if (lp_ctx == NULL) {
|
|
DEBUG(0, ("loadparm_init_s3 failed\n"));
|
|
+ TALLOC_FREE(frame);
|
|
return NT_STATUS_INTERNAL_ERROR;
|
|
}
|
|
|
|
status = schannel_check_creds_state(mem_ctx, lp_ctx,
|
|
computer_name, received_authenticator,
|
|
return_authenticator, &creds);
|
|
- talloc_unlink(mem_ctx, lp_ctx);
|
|
-
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
ZERO_STRUCTP(return_authenticator);
|
|
+ TALLOC_FREE(frame);
|
|
return status;
|
|
}
|
|
|
|
@@ -1124,6 +1125,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
|
|
if (schannel_required) {
|
|
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
*creds_out = creds;
|
|
+ TALLOC_FREE(frame);
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
@@ -1131,13 +1133,15 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
|
|
"%s request (opnum[%u]) without schannel from "
|
|
"client_account[%s] client_computer_name[%s]\n",
|
|
opname, opnum,
|
|
- log_escape(mem_ctx, creds->account_name),
|
|
- log_escape(mem_ctx, creds->computer_name));
|
|
+ log_escape(frame, creds->account_name),
|
|
+ log_escape(frame, creds->computer_name));
|
|
DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
|
|
- "'server require schannel:%s = no' is needed! \n",
|
|
- log_escape(mem_ctx, creds->account_name));
|
|
+ "'server require schannel:%s = no' "
|
|
+ "might be needed for a legacy client.\n",
|
|
+ log_escape(frame, creds->account_name));
|
|
TALLOC_FREE(creds);
|
|
ZERO_STRUCTP(return_authenticator);
|
|
+ TALLOC_FREE(frame);
|
|
return NT_STATUS_ACCESS_DENIED;
|
|
}
|
|
|
|
@@ -1156,13 +1160,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
|
|
"%s request (opnum[%u]) WITH schannel from "
|
|
"client_account[%s] client_computer_name[%s]\n",
|
|
opname, opnum,
|
|
- log_escape(mem_ctx, creds->account_name),
|
|
- log_escape(mem_ctx, creds->computer_name));
|
|
+ log_escape(frame, creds->account_name),
|
|
+ log_escape(frame, creds->computer_name));
|
|
DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
"Option 'server require schannel:%s = no' not needed!?\n",
|
|
- log_escape(mem_ctx, creds->account_name));
|
|
+ log_escape(frame, creds->account_name));
|
|
|
|
*creds_out = creds;
|
|
+ TALLOC_FREE(frame);
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
@@ -1171,24 +1176,25 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
|
|
"%s request (opnum[%u]) without schannel from "
|
|
"client_account[%s] client_computer_name[%s]\n",
|
|
opname, opnum,
|
|
- log_escape(mem_ctx, creds->account_name),
|
|
- log_escape(mem_ctx, creds->computer_name));
|
|
+ log_escape(frame, creds->account_name),
|
|
+ log_escape(frame, creds->computer_name));
|
|
DBG_INFO("CVE-2020-1472(ZeroLogon): "
|
|
"Option 'server require schannel:%s = no' still needed!\n",
|
|
- log_escape(mem_ctx, creds->account_name));
|
|
+ log_escape(frame, creds->account_name));
|
|
} else {
|
|
DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
"%s request (opnum[%u]) without schannel from "
|
|
"client_account[%s] client_computer_name[%s]\n",
|
|
opname, opnum,
|
|
- log_escape(mem_ctx, creds->account_name),
|
|
- log_escape(mem_ctx, creds->computer_name));
|
|
+ log_escape(frame, creds->account_name),
|
|
+ log_escape(frame, creds->computer_name));
|
|
DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
|
|
"'server require schannel:%s = no' might be needed!\n",
|
|
- log_escape(mem_ctx, creds->account_name));
|
|
+ log_escape(frame, creds->account_name));
|
|
}
|
|
|
|
*creds_out = creds;
|
|
+ TALLOC_FREE(frame);
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
--
|
|
2.39.0
|