samba/sme10/samba-4.2.3-fix_map_to_guest_bad_uid.patch

From 4438a33e0e3621e9b178620ba0e543069bf85012 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 19 Aug 2015 16:11:47 +0200
Subject: [PATCH 1/3] s3-auth: Fix 'map to guest = Bad Uid' support

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 34965d4d98d172e848e2b96fad8a9e0b99288ba7)
---
 source3/auth/auth_util.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 1c2cf80..dcf173d 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1397,6 +1397,14 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                                     &username_was_mapped);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
+               /* Handle 'map to guest = Bad Uid */
+               if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
+                   (lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
+                   lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
+                       DEBUG(2, ("Try to map %s to guest account",
+                                 nt_username));
+                       return make_server_info_guest(mem_ctx, server_info);
+               }
                return nt_status;
        }
 
-- 
2.5.0


From e0cfca754ed1c540f3b8a5adcea3bd85aac74930 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 19 Aug 2015 16:24:08 +0200
Subject: [PATCH 2/3] s3-auth: Pass nt_username to check_account()

We set nt_username above but do not use it in this function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit e8c76932e4ac192a00afa3b9731f5921c4b37da6)
---
 source3/auth/auth_util.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index dcf173d..688072e 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1392,9 +1392,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 
        /* this call will try to create the user if necessary */
 
-       nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
-                                    &found_username, &pwd,
-                                    &username_was_mapped);
+       nt_status = check_account(mem_ctx,
+                                 nt_domain,
+                                 nt_username,
+                                 &found_username,
+                                 &pwd,
+                                 &username_was_mapped);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
                /* Handle 'map to guest = Bad Uid */
-- 
2.5.0


From 2b31b935a824d340876af24568c84bab6d4462cc Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 19 Aug 2015 16:19:30 +0200
Subject: [PATCH 3/3] s3-auth: Fix a memory leak in make_server_info_info3()

We call make_server_info(NULL) and it is possible that we do not free
it, because server_info is not allocated on the memory context we pass
to the function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 6363c0232c2238e1a782e9c22ef762e3ff9b7563)
---
 source3/auth/auth_util.c | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 688072e..2b355e4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1349,6 +1349,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        bool username_was_mapped;
        struct passwd *pwd;
        struct auth_serversupplied_info *result;
+       TALLOC_CTX *tmp_ctx = talloc_stackframe();
 
        /* 
           Here is where we should check the list of
@@ -1357,15 +1358,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        */
 
        if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
-               return NT_STATUS_INVALID_PARAMETER;
+               nt_status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
        if (!sid_compose(&group_sid, info3->base.domain_sid,
                         info3->base.primary_gid)) {
-               return NT_STATUS_INVALID_PARAMETER;
+               nt_status = NT_STATUS_INVALID_PARAMETER;
+               goto out;
        }
 
-       nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
+       nt_username = talloc_strdup(tmp_ctx, info3->base.account_name.string);
        if (!nt_username) {
                /* If the server didn't give us one, just use the one we sent
                 * them */
@@ -1392,7 +1395,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 
        /* this call will try to create the user if necessary */
 
-       nt_status = check_account(mem_ctx,
+       nt_status = check_account(tmp_ctx,
                                  nt_domain,
                                  nt_username,
                                  &found_username,
@@ -1406,15 +1409,19 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                    lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
                        DEBUG(2, ("Try to map %s to guest account",
                                  nt_username));
-                       return make_server_info_guest(mem_ctx, server_info);
+                       nt_status = make_server_info_guest(tmp_ctx, &result);
+                       if (NT_STATUS_IS_OK(nt_status)) {
+                               *server_info = talloc_move(mem_ctx, &result);
+                       }
                }
-               return nt_status;
+               goto out;
        }
 
-       result = make_server_info(NULL);
+       result = make_server_info(tmp_ctx);
        if (result == NULL) {
                DEBUG(4, ("make_server_info failed!\n"));
-               return NT_STATUS_NO_MEMORY;
+               nt_status = NT_STATUS_NO_MEMORY;
+               goto out;
        }
 
        result->unix_name = talloc_strdup(result, found_username);
@@ -1422,8 +1429,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        /* copy in the info3 */
        result->info3 = copy_netr_SamInfo3(result, info3);
        if (result->info3 == NULL) {
-               TALLOC_FREE(result);
-               return NT_STATUS_NO_MEMORY;
+               nt_status = NT_STATUS_NO_MEMORY;
+               goto out;
        }
 
        /* Fill in the unix info we found on the way */
@@ -1453,9 +1460,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 
        result->guest = (info3->base.user_flags & NETLOGON_GUEST);
 
-       *server_info = result;
+       *server_info = talloc_move(mem_ctx, &result);
 
-       return NT_STATUS_OK;
+       nt_status = NT_STATUS_OK;
+out:
+       talloc_free(tmp_ctx);
+
+       return nt_status;
 }
 
 /*****************************************************************************
-- 
2.5.0

1	vip-ire	1.1	From 4438a33e0e3621e9b178620ba0e543069bf85012 Mon Sep 17 00:00:00 2001
2			From: Andreas Schneider <asn@samba.org>
3			Date: Wed, 19 Aug 2015 16:11:47 +0200
4			Subject: [PATCH 1/3] s3-auth: Fix 'map to guest = Bad Uid' support
5
6			BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
7
8			Signed-off-by: Andreas Schneider <asn@samba.org>
9			Reviewed-by: Guenther Deschner <gd@samba.org>
10			(cherry picked from commit 34965d4d98d172e848e2b96fad8a9e0b99288ba7)
11			---
12			source3/auth/auth_util.c \| 8 ++++++++
13			1 file changed, 8 insertions(+)
14
15			diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
16			index 1c2cf80..dcf173d 100644
17			--- a/source3/auth/auth_util.c
18			+++ b/source3/auth/auth_util.c
19			@@ -1397,6 +1397,14 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
20			&username_was_mapped);
21
22			if (!NT_STATUS_IS_OK(nt_status)) {
23			+ /* Handle 'map to guest = Bad Uid */
24			+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
25			+ (lp_security() == SEC_ADS \|\| lp_security() == SEC_DOMAIN) &&
26			+ lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
27			+ DEBUG(2, ("Try to map %s to guest account",
28			+ nt_username));
29			+ return make_server_info_guest(mem_ctx, server_info);
30			+ }
31			return nt_status;
32			}
33
34			--
35			2.5.0
36
37
38			From e0cfca754ed1c540f3b8a5adcea3bd85aac74930 Mon Sep 17 00:00:00 2001
39			From: Andreas Schneider <asn@samba.org>
40			Date: Wed, 19 Aug 2015 16:24:08 +0200
41			Subject: [PATCH 2/3] s3-auth: Pass nt_username to check_account()
42
43			We set nt_username above but do not use it in this function.
44
45			BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
46
47			Signed-off-by: Andreas Schneider <asn@samba.org>
48			Reviewed-by: Guenther Deschner <gd@samba.org>
49			(cherry picked from commit e8c76932e4ac192a00afa3b9731f5921c4b37da6)
50			---
51			source3/auth/auth_util.c \| 9 ++++++---
52			1 file changed, 6 insertions(+), 3 deletions(-)
53
54			diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
55			index dcf173d..688072e 100644
56			--- a/source3/auth/auth_util.c
57			+++ b/source3/auth/auth_util.c
58			@@ -1392,9 +1392,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
59
60			/* this call will try to create the user if necessary */
61
62			- nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
63			- &found_username, &pwd,
64			- &username_was_mapped);
65			+ nt_status = check_account(mem_ctx,
66			+ nt_domain,
67			+ nt_username,
68			+ &found_username,
69			+ &pwd,
70			+ &username_was_mapped);
71
72			if (!NT_STATUS_IS_OK(nt_status)) {
73			/* Handle 'map to guest = Bad Uid */
74			--
75			2.5.0
76
77
78			From 2b31b935a824d340876af24568c84bab6d4462cc Mon Sep 17 00:00:00 2001
79			From: Andreas Schneider <asn@samba.org>
80			Date: Wed, 19 Aug 2015 16:19:30 +0200
81			Subject: [PATCH 3/3] s3-auth: Fix a memory leak in make_server_info_info3()
82
83			We call make_server_info(NULL) and it is possible that we do not free
84			it, because server_info is not allocated on the memory context we pass
85			to the function.
86
87			BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
88
89			Signed-off-by: Andreas Schneider <asn@samba.org>
90			Reviewed-by: Guenther Deschner <gd@samba.org>
91			(cherry picked from commit 6363c0232c2238e1a782e9c22ef762e3ff9b7563)
92			---
93			source3/auth/auth_util.c \| 35 +++++++++++++++++++++++------------
94			1 file changed, 23 insertions(+), 12 deletions(-)
95
96			diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
97			index 688072e..2b355e4 100644
98			--- a/source3/auth/auth_util.c
99			+++ b/source3/auth/auth_util.c
100			@@ -1349,6 +1349,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
101			bool username_was_mapped;
102			struct passwd *pwd;
103			struct auth_serversupplied_info *result;
104			+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
105
106			/*
107			Here is where we should check the list of
108			@@ -1357,15 +1358,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
109			*/
110
111			if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
112			- return NT_STATUS_INVALID_PARAMETER;
113			+ nt_status = NT_STATUS_INVALID_PARAMETER;
114			+ goto out;
115			}
116
117			if (!sid_compose(&group_sid, info3->base.domain_sid,
118			info3->base.primary_gid)) {
119			- return NT_STATUS_INVALID_PARAMETER;
120			+ nt_status = NT_STATUS_INVALID_PARAMETER;
121			+ goto out;
122			}
123
124			- nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
125			+ nt_username = talloc_strdup(tmp_ctx, info3->base.account_name.string);
126			if (!nt_username) {
127			/* If the server didn't give us one, just use the one we sent
128			* them */
129			@@ -1392,7 +1395,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
130
131			/* this call will try to create the user if necessary */
132
133			- nt_status = check_account(mem_ctx,
134			+ nt_status = check_account(tmp_ctx,
135			nt_domain,
136			nt_username,
137			&found_username,
138			@@ -1406,15 +1409,19 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
139			lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
140			DEBUG(2, ("Try to map %s to guest account",
141			nt_username));
142			- return make_server_info_guest(mem_ctx, server_info);
143			+ nt_status = make_server_info_guest(tmp_ctx, &result);
144			+ if (NT_STATUS_IS_OK(nt_status)) {
145			+ *server_info = talloc_move(mem_ctx, &result);
146			+ }
147			}
148			- return nt_status;
149			+ goto out;
150			}
151
152			- result = make_server_info(NULL);
153			+ result = make_server_info(tmp_ctx);
154			if (result == NULL) {
155			DEBUG(4, ("make_server_info failed!\n"));
156			- return NT_STATUS_NO_MEMORY;
157			+ nt_status = NT_STATUS_NO_MEMORY;
158			+ goto out;
159			}
160
161			result->unix_name = talloc_strdup(result, found_username);
162			@@ -1422,8 +1429,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
163			/* copy in the info3 */
164			result->info3 = copy_netr_SamInfo3(result, info3);
165			if (result->info3 == NULL) {
166			- TALLOC_FREE(result);
167			- return NT_STATUS_NO_MEMORY;
168			+ nt_status = NT_STATUS_NO_MEMORY;
169			+ goto out;
170			}
171
172			/* Fill in the unix info we found on the way */
173			@@ -1453,9 +1460,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
174
175			result->guest = (info3->base.user_flags & NETLOGON_GUEST);
176
177			- *server_info = result;
178			+ *server_info = talloc_move(mem_ctx, &result);
179
180			- return NT_STATUS_OK;
181			+ nt_status = NT_STATUS_OK;
182			+out:
183			+ talloc_free(tmp_ctx);
184			+
185			+ return nt_status;
186			}
187
188			/*****************************************************************************
189			--
190			2.5.0
191