samba/sme10/samba-4.2.3-fix_map_to_guest_bad_uid.patch

From 4438a33e0e3621e9b178620ba0e543069bf85012 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 19 Aug 2015 16:11:47 +0200
Subject: [PATCH 1/3] s3-auth: Fix 'map to guest = Bad Uid' support

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 34965d4d98d172e848e2b96fad8a9e0b99288ba7)
---
 source3/auth/auth_util.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 1c2cf80..dcf173d 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1397,6 +1397,14 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                                     &username_was_mapped);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
+               /* Handle 'map to guest = Bad Uid */
+               if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
+                   (lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
+                   lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
+                       DEBUG(2, ("Try to map %s to guest account",
+                                 nt_username));
+                       return make_server_info_guest(mem_ctx, server_info);
+               }
                return nt_status;
        }
 
-- 
2.5.0


From e0cfca754ed1c540f3b8a5adcea3bd85aac74930 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 19 Aug 2015 16:24:08 +0200
Subject: [PATCH 2/3] s3-auth: Pass nt_username to check_account()

We set nt_username above but do not use it in this function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit e8c76932e4ac192a00afa3b9731f5921c4b37da6)
---
 source3/auth/auth_util.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index dcf173d..688072e 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1392,9 +1392,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 
        /* this call will try to create the user if necessary */
 
-       nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
-                                    &found_username, &pwd,
-                                    &username_was_mapped);
+       nt_status = check_account(mem_ctx,
+                                 nt_domain,
+                                 nt_username,
+                                 &found_username,
+                                 &pwd,
+                                 &username_was_mapped);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
                /* Handle 'map to guest = Bad Uid */
-- 
2.5.0


From 2b31b935a824d340876af24568c84bab6d4462cc Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 19 Aug 2015 16:19:30 +0200
Subject: [PATCH 3/3] s3-auth: Fix a memory leak in make_server_info_info3()

We call make_server_info(NULL) and it is possible that we do not free
it, because server_info is not allocated on the memory context we pass
to the function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 6363c0232c2238e1a782e9c22ef762e3ff9b7563)
---
 source3/auth/auth_util.c | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 688072e..2b355e4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1349,6 +1349,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        bool username_was_mapped;
        struct passwd *pwd;
        struct auth_serversupplied_info *result;
+       TALLOC_CTX *tmp_ctx = talloc_stackframe();
 
        /* 
           Here is where we should check the list of
@@ -1357,15 +1358,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        */
 
        if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
-               return NT_STATUS_INVALID_PARAMETER;
+               nt_status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
        if (!sid_compose(&group_sid, info3->base.domain_sid,
                         info3->base.primary_gid)) {
-               return NT_STATUS_INVALID_PARAMETER;
+               nt_status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
-       nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
+       nt_username = talloc_strdup(tmp_ctx, info3->base.account_name.string);
        if (!nt_username) {
                /* If the server didn't give us one, just use the one we sent
                 * them */
@@ -1392,7 +1395,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 
        /* this call will try to create the user if necessary */
 
-       nt_status = check_account(mem_ctx,
+       nt_status = check_account(tmp_ctx,
                                  nt_domain,
                                  nt_username,
                                  &found_username,
@@ -1406,15 +1409,19 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                    lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
                        DEBUG(2, ("Try to map %s to guest account",
                                  nt_username));
-                       return make_server_info_guest(mem_ctx, server_info);
+                       nt_status = make_server_info_guest(tmp_ctx, &result);
+                       if (NT_STATUS_IS_OK(nt_status)) {
+                               *server_info = talloc_move(mem_ctx, &result);
+                       }
                }
-               return nt_status;
+               goto out;
        }
 
-       result = make_server_info(NULL);
+       result = make_server_info(tmp_ctx);
        if (result == NULL) {
                DEBUG(4, ("make_server_info failed!\n"));
-               return NT_STATUS_NO_MEMORY;
+               nt_status = NT_STATUS_NO_MEMORY;
+               goto out;
        }
 
        result->unix_name = talloc_strdup(result, found_username);
@@ -1422,8 +1429,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        /* copy in the info3 */
        result->info3 = copy_netr_SamInfo3(result, info3);
        if (result->info3 == NULL) {
-               TALLOC_FREE(result);
-               return NT_STATUS_NO_MEMORY;
+               nt_status = NT_STATUS_NO_MEMORY;
+               goto out;
        }
 
        /* Fill in the unix info we found on the way */
@@ -1453,9 +1460,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 
        result->guest = (info3->base.user_flags & NETLOGON_GUEST);
 
-       *server_info = result;
+       *server_info = talloc_move(mem_ctx, &result);
 
-       return NT_STATUS_OK;
+       nt_status = NT_STATUS_OK;
+out:
+       talloc_free(tmp_ctx);
+
+       return nt_status;
 }
 
 /*****************************************************************************
-- 
2.5.0

1	From 4438a33e0e3621e9b178620ba0e543069bf85012 Mon Sep 17 00:00:00 2001
2	From: Andreas Schneider <asn@samba.org>
3	Date: Wed, 19 Aug 2015 16:11:47 +0200
4	Subject: [PATCH 1/3] s3-auth: Fix 'map to guest = Bad Uid' support
5
6	BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
7
8	Signed-off-by: Andreas Schneider <asn@samba.org>
9	Reviewed-by: Guenther Deschner <gd@samba.org>
10	(cherry picked from commit 34965d4d98d172e848e2b96fad8a9e0b99288ba7)
11	---
12	source3/auth/auth_util.c \| 8 ++++++++
13	1 file changed, 8 insertions(+)
14
15	diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
16	index 1c2cf80..dcf173d 100644
17	--- a/source3/auth/auth_util.c
18	+++ b/source3/auth/auth_util.c
19	@@ -1397,6 +1397,14 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
20	&username_was_mapped);
21
22	if (!NT_STATUS_IS_OK(nt_status)) {
23	+ /* Handle 'map to guest = Bad Uid */
24	+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
25	+ (lp_security() == SEC_ADS \|\| lp_security() == SEC_DOMAIN) &&
26	+ lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
27	+ DEBUG(2, ("Try to map %s to guest account",
28	+ nt_username));
29	+ return make_server_info_guest(mem_ctx, server_info);
30	+ }
31	return nt_status;
32	}
33
34	--
35	2.5.0
36
37
38	From e0cfca754ed1c540f3b8a5adcea3bd85aac74930 Mon Sep 17 00:00:00 2001
39	From: Andreas Schneider <asn@samba.org>
40	Date: Wed, 19 Aug 2015 16:24:08 +0200
41	Subject: [PATCH 2/3] s3-auth: Pass nt_username to check_account()
42
43	We set nt_username above but do not use it in this function.
44
45	BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
46
47	Signed-off-by: Andreas Schneider <asn@samba.org>
48	Reviewed-by: Guenther Deschner <gd@samba.org>
49	(cherry picked from commit e8c76932e4ac192a00afa3b9731f5921c4b37da6)
50	---
51	source3/auth/auth_util.c \| 9 ++++++---
52	1 file changed, 6 insertions(+), 3 deletions(-)
53
54	diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
55	index dcf173d..688072e 100644
56	--- a/source3/auth/auth_util.c
57	+++ b/source3/auth/auth_util.c
58	@@ -1392,9 +1392,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
59
60	/* this call will try to create the user if necessary */
61
62	- nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
63	- &found_username, &pwd,
64	- &username_was_mapped);
65	+ nt_status = check_account(mem_ctx,
66	+ nt_domain,
67	+ nt_username,
68	+ &found_username,
69	+ &pwd,
70	+ &username_was_mapped);
71
72	if (!NT_STATUS_IS_OK(nt_status)) {
73	/* Handle 'map to guest = Bad Uid */
74	--
75	2.5.0
76
77
78	From 2b31b935a824d340876af24568c84bab6d4462cc Mon Sep 17 00:00:00 2001
79	From: Andreas Schneider <asn@samba.org>
80	Date: Wed, 19 Aug 2015 16:19:30 +0200
81	Subject: [PATCH 3/3] s3-auth: Fix a memory leak in make_server_info_info3()
82
83	We call make_server_info(NULL) and it is possible that we do not free
84	it, because server_info is not allocated on the memory context we pass
85	to the function.
86
87	BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
88
89	Signed-off-by: Andreas Schneider <asn@samba.org>
90	Reviewed-by: Guenther Deschner <gd@samba.org>
91	(cherry picked from commit 6363c0232c2238e1a782e9c22ef762e3ff9b7563)
92	---
93	source3/auth/auth_util.c \| 35 +++++++++++++++++++++++------------
94	1 file changed, 23 insertions(+), 12 deletions(-)
95
96	diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
97	index 688072e..2b355e4 100644
98	--- a/source3/auth/auth_util.c
99	+++ b/source3/auth/auth_util.c
100	@@ -1349,6 +1349,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
101	bool username_was_mapped;
102	struct passwd *pwd;
103	struct auth_serversupplied_info *result;
104	+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
105
106	/*
107	Here is where we should check the list of
108	@@ -1357,15 +1358,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
109	*/
110
111	if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
112	- return NT_STATUS_INVALID_PARAMETER;
113	+ nt_status = NT_STATUS_INVALID_PARAMETER;
114	+ goto out;
115	}
116
117	if (!sid_compose(&group_sid, info3->base.domain_sid,
118	info3->base.primary_gid)) {
119	- return NT_STATUS_INVALID_PARAMETER;
120	+ nt_status = NT_STATUS_INVALID_PARAMETER;
121	+ goto out;
122	}
123
124	- nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
125	+ nt_username = talloc_strdup(tmp_ctx, info3->base.account_name.string);
126	if (!nt_username) {
127	/* If the server didn't give us one, just use the one we sent
128	* them */
129	@@ -1392,7 +1395,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
130
131	/* this call will try to create the user if necessary */
132
133	- nt_status = check_account(mem_ctx,
134	+ nt_status = check_account(tmp_ctx,
135	nt_domain,
136	nt_username,
137	&found_username,
138	@@ -1406,15 +1409,19 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
139	lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
140	DEBUG(2, ("Try to map %s to guest account",
141	nt_username));
142	- return make_server_info_guest(mem_ctx, server_info);
143	+ nt_status = make_server_info_guest(tmp_ctx, &result);
144	+ if (NT_STATUS_IS_OK(nt_status)) {
145	+ *server_info = talloc_move(mem_ctx, &result);
146	+ }
147	}
148	- return nt_status;
149	+ goto out;
150	}
151
152	- result = make_server_info(NULL);
153	+ result = make_server_info(tmp_ctx);
154	if (result == NULL) {
155	DEBUG(4, ("make_server_info failed!\n"));
156	- return NT_STATUS_NO_MEMORY;
157	+ nt_status = NT_STATUS_NO_MEMORY;
158	+ goto out;
159	}
160
161	result->unix_name = talloc_strdup(result, found_username);
162	@@ -1422,8 +1429,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
163	/* copy in the info3 */
164	result->info3 = copy_netr_SamInfo3(result, info3);
165	if (result->info3 == NULL) {
166	- TALLOC_FREE(result);
167	- return NT_STATUS_NO_MEMORY;
168	+ nt_status = NT_STATUS_NO_MEMORY;
169	+ goto out;
170	}
171
172	/* Fill in the unix info we found on the way */
173	@@ -1453,9 +1460,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
174
175	result->guest = (info3->base.user_flags & NETLOGON_GUEST);
176
177	- *server_info = result;
178	+ *server_info = talloc_move(mem_ctx, &result);
179
180	- return NT_STATUS_OK;
181	+ nt_status = NT_STATUS_OK;
182	+out:
183	+ talloc_free(tmp_ctx);
184	+
185	+ return nt_status;
186	}
187
188	/*****************************************************************************
189	--
190	2.5.0
191