samba/sme10/samba-4.2.10-fix_ntlm_auth_issues.patch

From db5a50fc60daaec47cbb520af1802f49c51cb5ec Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 11 May 2016 17:59:32 +0200
Subject: [PATCH] s3:ntlm_auth: make ntlm_auth_generate_session_info() more
 complete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The generate_session_info() function maybe called more than once
per session.

Some may try to look/dereference session_info->security_token,
so we provide simplified token.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11914

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 825cce1f88b797c80116769e1755328dee2ba0e1)
---
 source3/utils/ntlm_auth.c | 51 ++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 46 insertions(+), 5 deletions(-)

diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index d01c522..0fa8997 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -27,6 +27,7 @@
 #include "includes.h"
 #include "lib/param/param.h"
 #include "popt_common.h"
+#include "libcli/security/security.h"
 #include "utils/ntlm_auth.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "auth/ntlmssp/ntlmssp.h"
@@ -705,18 +706,58 @@ static NTSTATUS ntlm_auth_generate_session_info(struct auth4_context *auth_conte
                                                uint32_t session_info_flags,
                                                struct auth_session_info **session_info_out)
 {
-       char *unix_username = (char *)server_returned_info;
-       struct auth_session_info *session_info = talloc_zero(mem_ctx, struct auth_session_info);
-       if (!session_info) {
+       const char *unix_username = (const char *)server_returned_info;
+       bool ok;
+       struct dom_sid *sids = NULL;
+       struct auth_session_info *session_info = NULL;
+
+       session_info = talloc_zero(mem_ctx, struct auth_session_info);
+       if (session_info == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
 
        session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
-       if (!session_info->unix_info) {
+       if (session_info->unix_info == NULL) {
+               TALLOC_FREE(session_info);
+               return NT_STATUS_NO_MEMORY;
+       }
+       session_info->unix_info->unix_name = talloc_strdup(session_info->unix_info,
+                                                          unix_username);
+       if (session_info->unix_info->unix_name == NULL) {
+               TALLOC_FREE(session_info);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       session_info->security_token = talloc_zero(session_info, struct security_token);
+       if (session_info->security_token == NULL) {
                TALLOC_FREE(session_info);
                return NT_STATUS_NO_MEMORY;
        }
-       session_info->unix_info->unix_name = talloc_steal(session_info->unix_info, unix_username);
+
+       sids = talloc_zero_array(session_info->security_token,
+                                struct dom_sid, 3);
+       if (sids == NULL) {
+               TALLOC_FREE(session_info);
+               return NT_STATUS_NO_MEMORY;
+       }
+       ok = dom_sid_parse(SID_WORLD, &sids[0]);
+       if (!ok) {
+               TALLOC_FREE(session_info);
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+       ok = dom_sid_parse(SID_NT_NETWORK, &sids[1]);
+       if (!ok) {
+               TALLOC_FREE(session_info);
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+       ok = dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &sids[2]);
+       if (!ok) {
+               TALLOC_FREE(session_info);
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
+       session_info->security_token->num_sids = talloc_array_length(sids);
+       session_info->security_token->sids = sids;
 
        *session_info_out = session_info;
 
-- 
1.9.1

1	vip-ire	1.1	From db5a50fc60daaec47cbb520af1802f49c51cb5ec Mon Sep 17 00:00:00 2001
2			From: Stefan Metzmacher <metze@samba.org>
3			Date: Wed, 11 May 2016 17:59:32 +0200
4			Subject: [PATCH] s3:ntlm_auth: make ntlm_auth_generate_session_info() more
5			complete
6			MIME-Version: 1.0
7			Content-Type: text/plain; charset=UTF-8
8			Content-Transfer-Encoding: 8bit
9
10			The generate_session_info() function maybe called more than once
11			per session.
12
13			Some may try to look/dereference session_info->security_token,
14			so we provide simplified token.
15
16			BUG: https://bugzilla.samba.org/show_bug.cgi?id=11914
17
18			Signed-off-by: Stefan Metzmacher <metze@samba.org>
19			Reviewed-by: Andreas Schneider <asn@samba.org>
20			Reviewed-by: Günther Deschner <gd@samba.org>
21			(cherry picked from commit 825cce1f88b797c80116769e1755328dee2ba0e1)
22			---
23			source3/utils/ntlm_auth.c \| 51 ++++++++++++++++++++++++++++++++++++++++++-----
24			1 file changed, 46 insertions(+), 5 deletions(-)
25
26			diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
27			index d01c522..0fa8997 100644
28			--- a/source3/utils/ntlm_auth.c
29			+++ b/source3/utils/ntlm_auth.c
30			@@ -27,6 +27,7 @@
31			#include "includes.h"
32			#include "lib/param/param.h"
33			#include "popt_common.h"
34			+#include "libcli/security/security.h"
35			#include "utils/ntlm_auth.h"
36			#include "../libcli/auth/libcli_auth.h"
37			#include "auth/ntlmssp/ntlmssp.h"
38			@@ -705,18 +706,58 @@ static NTSTATUS ntlm_auth_generate_session_info(struct auth4_context *auth_conte
39			uint32_t session_info_flags,
40			struct auth_session_info **session_info_out)
41			{
42			- char unix_username = (char )server_returned_info;
43			- struct auth_session_info *session_info = talloc_zero(mem_ctx, struct auth_session_info);
44			- if (!session_info) {
45			+ const char unix_username = (const char )server_returned_info;
46			+ bool ok;
47			+ struct dom_sid *sids = NULL;
48			+ struct auth_session_info *session_info = NULL;
49			+
50			+ session_info = talloc_zero(mem_ctx, struct auth_session_info);
51			+ if (session_info == NULL) {
52			return NT_STATUS_NO_MEMORY;
53			}
54
55			session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
56			- if (!session_info->unix_info) {
57			+ if (session_info->unix_info == NULL) {
58			+ TALLOC_FREE(session_info);
59			+ return NT_STATUS_NO_MEMORY;
60			+ }
61			+ session_info->unix_info->unix_name = talloc_strdup(session_info->unix_info,
62			+ unix_username);
63			+ if (session_info->unix_info->unix_name == NULL) {
64			+ TALLOC_FREE(session_info);
65			+ return NT_STATUS_NO_MEMORY;
66			+ }
67			+
68			+ session_info->security_token = talloc_zero(session_info, struct security_token);
69			+ if (session_info->security_token == NULL) {
70			TALLOC_FREE(session_info);
71			return NT_STATUS_NO_MEMORY;
72			}
73			- session_info->unix_info->unix_name = talloc_steal(session_info->unix_info, unix_username);
74			+
75			+ sids = talloc_zero_array(session_info->security_token,
76			+ struct dom_sid, 3);
77			+ if (sids == NULL) {
78			+ TALLOC_FREE(session_info);
79			+ return NT_STATUS_NO_MEMORY;
80			+ }
81			+ ok = dom_sid_parse(SID_WORLD, &sids[0]);
82			+ if (!ok) {
83			+ TALLOC_FREE(session_info);
84			+ return NT_STATUS_INTERNAL_ERROR;
85			+ }
86			+ ok = dom_sid_parse(SID_NT_NETWORK, &sids[1]);
87			+ if (!ok) {
88			+ TALLOC_FREE(session_info);
89			+ return NT_STATUS_INTERNAL_ERROR;
90			+ }
91			+ ok = dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &sids[2]);
92			+ if (!ok) {
93			+ TALLOC_FREE(session_info);
94			+ return NT_STATUS_INTERNAL_ERROR;
95			+ }
96			+
97			+ session_info->security_token->num_sids = talloc_array_length(sids);
98			+ session_info->security_token->sids = sids;
99
100			*session_info_out = session_info;
101
102			--
103			1.9.1
104