| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
packets with no answer section in general.
The fix has 2 parts:
1) set ans_name to the name we queried if nmb->answers == NULL
2) check for nmb->answers == NULL in several other places where we
currently check for nmb->answers->data
While doing this, I noticed there are lots of places in our nmbd code
where we make assumptions about the packets being well formed. Someone
could easily implement a denial of service attack on nmbd by sending a
packet that causes a null pointer dereference. Does anyone feel like
going through the code and adding checks? Probably the best solution
is to have a single function that "validates" a packet, making sure
that all the required fields are there. This will be a bit tricky as
what fields are required varies a lot between packets. A first pass
would be a function that prints "SUSPECT PACKET" when it hits a packet
that it suspects does not have a required field (or the field is badly
formatted), then we could use this on a live system to find any cases
we've missed.
Any takers?
(This used to be commit e02c21b0b8e3ed6f2d294458160c4f632af67ed3)
|
|
(This used to be commit 4b7d51ffb8cf23662e0e58a785620a0652da5a7c)
|
|
id_info_1 has a pointer at the front of it. so does return credentials,
and so does the client credentials. these are all from the sam logon.
auth_level is 16 bytes not 32 and is actually called a switch_level.
smbparse.c :
smb_io_unihdr() - uni_max_len and uni_str_len are 16 bytes not 32.
this may have a knock-on effect on smb_in_unihdr2() but we'll see...
(This used to be commit ce36bfb3e4ad4b72a9f9759a3c49d2a73175d249)
|
|
deal_with_credentials() by moving important code to the beginning
of the function :-) :-) :-).
the new seed (old_cred + time + 1) was getting corrupted.
(This used to be commit dab35ce5d61d53bce6ede44e56d9393645c0d67e)
|
|
credentials for the calculation of the next credentials: i was storing
the auth 2 calculated credentials.
oops.
(This used to be commit eb81fae874383f77ad72c0f7686b8c49e645b0b8)
|
|
(This used to be commit 1cccd7c519b8a706567477629bee70f7b7267b5c)
|
|
This patch has been checked over. JHT
(This used to be commit c84a043f89ccba001597962cd03e2f2a634c4b08)
|
|
the server string option.
I fixed it by adding: trim_string(ret, "\"", "\"") to lp_string()
which means that it removes leading and trailing quotes from _all_
strings in smb.conf. I think this is what we want as I can't actually
think of any case where quoted strings are needed.
I suspect that this fix will actually fix browsing at quite a few
sites. It's not uncommon to see people putting "" marks around the
workgroup name or other essential strings.
The real reason it was causing browsing to fail is that the browse.dat
file uses " to delimit fields, which means that it wasn't being parsed
correctly. It would be nice to use a proper database format in
browse.dat sometime. In fact, we really need a generic database type
subsystem in Samba to replace the mish-mash we currrently use
(browse.dat, wins.dat, smbpasswd etc)
(This used to be commit ac50a88e1181bd4954f03e5450dedce87ed781ad)
|
|
and renamed it COPYING.LGPL. This is because the ubi_* files are under
LGPL, not regular GPL.
Removed the last few things from the ubiqx directory and deleted it.
(This used to be commit 31d50db98bbb3b64400d432e386056f7963b7d8d)
|
|
(This used to be commit 905b2b9562a8c82696d38024ec42aa38ca990277)
|
|
- They now use the ubi_dLinkList linked list code.
This is not a big gain, I suppose. It would be significant if there
were lots of doubly-linked lists in the code and I replaced them all.
The only other advantage is that the code is more modular, which
appeals to my own sense of order, if no one elses. :-}
- I allocate space for the entry structure and the strings in one go,
instead of using malloc() and separate strdup() calls. This should
be more efficient, and allows for a single call to free() to free the
whole thing.
These are very minor changes, but they do serve to make me more familiar
with the code overall.
(This used to be commit 1dafef88871338f06dbcbbb67ce3bbbb460d7bb6)
|
|
(This used to be commit a88ae60fc33e3598f46dfc38e930e261d5e06888)
|
|
so I've started to move them into the main directory.
(This used to be commit 4691a94d3c657321d29231f062aed714dfe4ac26)
|
|
locking.c: Adding Andrews become_root code to the main branch.
pipes.c: Fixing the close_file issue.
proto.h: The usual.
reply.c: Move smb_pass into NTDOMAIN defined code. Fixing the close_file issue.
server.c: Fixing the close_file issue.
trans2.c: Fixing the close_file issue.
uid.c: Adding Andrews become_root code to the main branch.
Jeremy (jallison@whistle.com)
(This used to be commit 16fd4337f79ce33f91050c96c4a566221c5d9126)
|
|
whoops, the SAM Logon structure was wrong. updated this, and
cifsntdomain.txt. more debug info in pipenetlog.c. the crash
is somewhere around deal_with_credentials().
byteorder.h :
put in uint8, uint16 and uint32 typecasts around debug info, because
sign extending was resulting in ffffffe8 being displayed instead of e8.
credentials.c :
some debugging info, because i'm tracking a coredump. without gdb.
nothing like making things difficult.
reply.c :
whoops, missed this (important) bit from paul's code, which tells
the NT workstation that the MACHINE$ entry doesn't already exist,
and we're going to create a default entry with a password "machine"
right now.
proto.h:
the usual.
(This used to be commit ed606bc7d4e6fb1091e527ea70a3e950d50a1db4)
|
|
(This used to be commit e55a3dc94a824b61a7123b080705be2271268ee4)
|
|
and NETSERVERGETINFO.
(This used to be commit 96b17b829fc787c15cd366eca604c09d68b5b900)
|
|
(This used to be commit bdf3155418be02e2fe4daa1d2538f236be414e98)
|
|
(This used to be commit 97d06dd05e952a134be26ec5998ec4b8d38991dd)
|
|
(This used to be commit eb76fea411c5c3aa96b7158d02b49ed42ec7ba70)
|
|
1) add a new parameter to queue_netbios_packet(), the "reply_id", this
is the id that should be used when sending a further response to the
packet (such as a response after we get back a reply to a name query
after senidnga WACK). reply_id is 0 (meaning unused) in most cases.
2) fix the id used in the reply in add_name_respond() from
response_name_query_register()
3) remember to remove the response record at the end of
response_name_query_register()
4) get the right IP address (it was 0.0.0.0) in
response_name_query_register()
5) add a new field reply_id to struct response_record
(This used to be commit e1e86c1a160c8302004ea58e4f0f5874dd179dae)
|
|
changed the order of arguments to smbhash() in credentials.c. Luke,
when you changed from E1() to smbhash() you didn't notice that the
arguments are in a different order. This is why your new code was
failing.
NT logon still fails, but now gets to SAMLOGON. It shouldn't take much
to get it working now.
(This used to be commit 708edc348f0fb81d9c918e4bf857f339a13a3781)
|
|
to crypt()
This might solve some password problems, particulary on HPUX
(This used to be commit 45f4ae4327a8836cad22bbf64f1effba6a6eb7f5)
|
|
Updated the linked list module, which has new and changed macros.
(This used to be commit 2181d929d1757aa523e7afaf0e8c232a51e68d30)
|
|
(This used to be commit df3bafd0c488760b1909329c899102d92a2fe16b)
|
|
modules.
(This used to be commit 781be1daac75092666c1753f21871f2923a6f775)
|
|
lsa close odd bug.
smbparse.c :
smb_io_dom_sid() _does_ need 4-byte alignment before it.
(This used to be commit 93879ac8a533ad8cc175275cf1fc9a8f152f4b5a)
|
|
(This used to be commit 28de393878872081bac3a0b3ca82d915eae56701)
|
|
created a RW_PIVAL macro which was missing.
smbparse.c:
smb_io_dom_sid() was storing its sub-authorities as uint16s instead
of uint32s. used the DBG_RW_PIVAL macro instead of DBG_RW_PSVAL.
pipentlsa.c:
not sure. something to do with the Query Info reply.
pipeutil.c:
make_rpc_reply() had the packed representation field set to 0x0100 0000
instead of 0x1000 0000, which had the interesting result of turning all
uint32 and uint16 field byte ordering the other way round!
(This used to be commit eafd6e9e797c5badb07059d7eddabd6a8947c830)
|
|
(This used to be commit 9b095887df204393090d7da9a47508685ddd5163)
|
|
(This used to be commit 0056b154435e9d2a3fd2be37f7c3afd9e3fbfd87)
|
|
Jeremy.
(This used to be commit 9fd056c91196746e09f220a15171f3c97791dcce)
|
|
Jeremy (jallison@whistle.com)
(This used to be commit 08afa51f5c80f3da983781774378bc1646c431d7)
|
|
there are going to be a few of these...
(This used to be commit 3db1fe79c300f17d087c85c7e768a8d11c0f7661)
|
|
strings.
(This used to be commit 717bcd6e3457f355583b4508d1f4edc9a52650df)
|
|
quit the whole pipe, either...
(This used to be commit 14f0c2ddb05a690e671efad8c47da9ff1e39c8ce)
|
|
(This used to be commit 9d1f45ca6bbdeeef448ccb55e1275c6f9ec59820)
|
|
(This used to be commit 8fe02c239d70497af449ed0cdf1a32de10021ba1)
|
|
(This used to be commit d7a9a02e0a9e1e791810c24bcfcbd39a6bd7dac5)
|
|
Luke, when you don't know what has been changed in the CVS tree I
highly recommend you point your browser at:
http://samba.anu.edu.au/cgi-bin/cvsweb/samba/source
If you click on a filename you can then see all the commits and
changes that have been made to it over time. You can also download any
version of the file or find the differences between any two versions.
All of this is not dependent on the state of your local CVS sandbox,
so it can be used to find out the "true" state of the tree at any
time.
If you suspect some sort of CVS problem (like a change getting
reverted) then please use the above URL to work out what has
happened. You should be able to see exactly who made what changes and
when.
(This used to be commit 3fc48246ee0d89ad2f10f050d2d68af53446129f)
|
|
(This used to be commit a3f96555b47265b8cd4d1f735af58375e2591d56)
|
|
(This used to be commit 28d96c7e6de19a28346d406ccc6fc8b00305903b)
|
|
debugging output wasn't (still isn't) perfect.
credentials.c lsaparse.c smbparse.c :
added DEBUG strings.
pipes.c :
lost some changes, to do with setup of RPC headers. arg.
(This used to be commit 9fdd697d17b68293bb95fd68f44c24f0f5b97f5f)
|
|
(This used to be commit 534b4c6d371eff6fdbcbcf5fafa3b79d3116b544)
|
|
(This used to be commit ba28678e3f673cd10d936f59ff0df6a852aca793)
|
|
ipc.c :
removed srvsvc pipe reference: have to do that.
pipes.c lsaparse.c smbparse.c :
more debugging info. looks a bit like netmon output.
(This used to be commit e02aa88e25ae6d4da7953aaff04ff2ae9a656d05)
|
|
still doesn't get rid of the netlogon trans2 request with zero data.
(This used to be commit 0cf67955f09d99c452bfc3fdde00dcea98e21db1)
|
|
debugging info. found that data = NULL because of short packet length
indicated from the ntlsaRPC pipe _royally_ stuffs NT's packet handling.
maybe this should go down as a service denial bug to the ntbugtraq list.
pipes.c lsaparse.c smbparse.c :
added more debug stuff. added length of header to data_len in MSRPC
fragment_length field (0x18 bytes short) which caused the above bug
from NT 4.0. oops.
(This used to be commit a6f8de6815e0b85bb23b302980730501ac0b87e5)
|
|
(This used to be commit 946d73cf838976b905550288cac3aea7c43959f6)
|
|
CIFS3 spec does not list them as illegal.
This allows things like the control panel icon to be placed on a Samba
drive.
(This used to be commit d2ac9e6fb6e76778154c58217237251d7bb0e98c)
|
