From 70b3d66f94539c6f4ca93b1359b2d8a10cea470a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 11 Nov 2016 10:21:10 -0800 Subject: [PATCH 1/9] s3: lib - Fix formatting of unix_wild_match() sub-function to README.Coding standards. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 Signed-off-by: Jeremy Allison --- source3/lib/util.c | 61 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 41 insertions(+), 20 deletions(-) diff --git a/source3/lib/util.c b/source3/lib/util.c index bab3998..1af05cd 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -1804,28 +1804,35 @@ static bool unix_do_match(const char *regexp, const char *str) case '*': /* - * Look for a character matching + * Look for a character matching * the one after the '*'. */ p++; - if(!*p) + if(!*p) { return true; /* Automatic match */ + } while(*str) { - while(*str && (*p != *str)) + while(*str && (*p != *str)) { str++; + } /* - * Patch from weidel@multichart.de. In the case of the regexp - * '*XX*' we want to ensure there are at least 2 'X' characters - * in the string after the '*' for a match to be made. + * Patch from weidel@multichart.de. + * In the case of the regexp + * '*XX*' we want to ensure there are + * at least 2 'X' characters in the + * string after the '*' for a match to + * be made. */ { int matchcount=0; /* - * Eat all the characters that match, but count how many there were. + * Eat all the characters that + * match, but count how many + * there were. */ while(*str && (*p == *str)) { 
@@ -1834,54 +1841,68 @@ static bool unix_do_match(const char *regexp, const char *str) } /* - * Now check that if the regexp had n identical characters that - * matchcount had at least that many matches. + * Now check that if the regexp + * had n identical characters + * that matchcount had at least + * that many matches. */ - while ( *(p+1) && (*(p+1) == *p)) { + while (*(p+1) && (*(p+1)==*p)) { p++; matchcount--; } - if ( matchcount <= 0 ) + if ( matchcount <= 0 ) { return false; + } } - str--; /* We've eaten the match char after the '*' */ + /* + * We've eaten the match char + * after the '*' + */ + str--; - if(unix_do_match(p, str)) + if(unix_do_match(p, str)) { return true; + } - if(!*str) + if(!*str) { return false; - else + } else { str++; + } } return false; default: - if(*str != *p) + if(*str != *p) { return false; + } str++; p++; break; } } - if(!*p && !*str) + if(!*p && !*str) { return true; + } - if (!*p && str[0] == '.' && str[1] == 0) + if (!*p && str[0] == '.' && str[1] == 0) { return true; + } if (!*str && *p == '?') { - while (*p == '?') + while (*p == '?') { p++; + } return(!*p); } - if(!*str && (*p == '*' && p[1] == '\0')) + if(!*str && (*p == '*' && p[1] == '\0')) { return true; + } return false; } -- 2.8.0.rc3.226.g39d4020 From d0aaaa623ed8d5375a5cd3ff923a7f14bc0ea913 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 11 Nov 2016 10:22:52 -0800 Subject: [PATCH 2/9] s3: util: Remove unneeded strequal() call. Convert to simple character check. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 Signed-off-by: Jeremy Allison --- source3/lib/util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/lib/util.c b/source3/lib/util.c index 1af05cd..7e3f455 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -1942,7 +1942,7 @@ bool unix_wild_match(const char *pattern, const char *string) } } - if (strequal(p2,"*")) { + if (p2[0] == '*' && p2[1] == '\0') { TALLOC_FREE(ctx); return true; } -- 2.8.0.rc3.226.g39d4020 
From 43e04e592c04bf90b1cce3ebb07411200f510745 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 11 Nov 2016 10:24:40 -0800 Subject: [PATCH 3/9] s3: lib: Move from talloc_strdup then lower to strlower_talloc() Do things in one go. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 Signed-off-by: Jeremy Allison --- source3/lib/util.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/source3/lib/util.c b/source3/lib/util.c index 7e3f455..6142b1d 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -1920,20 +1920,12 @@ bool unix_wild_match(const char *pattern, const char *string) char *p; bool ret = false; - p2 = talloc_strdup(ctx,pattern); - s2 = talloc_strdup(ctx,string); + p2 = strlower_talloc(ctx,pattern); + s2 = strlower_talloc(ctx,string); if (!p2 || !s2) { TALLOC_FREE(ctx); return false; } - if (!strlower_m(p2)) { - TALLOC_FREE(ctx); - return false; - } - if (!strlower_m(s2)) { - TALLOC_FREE(ctx); - return false; - } /* Remove any *? and ** from the pattern as they are meaningless */ for(p = p2; *p; p++) { -- 2.8.0.rc3.226.g39d4020 From 34490508eac617a1b02d6b286fc69718dd80786f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 11 Nov 2016 10:35:01 -0800 Subject: [PATCH 4/9] lib/util: Move unix_wild_match() from source3/lib/util to lib/util/ Use top-level functions instead of source3 specific ones. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 Signed-off-by: Jeremy Allison --- lib/util/unix_match.c | 183 ++++++++++++++++++++++++++++++++++++++++++++++++ lib/util/unix_match.h | 25 +++++++ lib/util/wscript_build | 2 +- source3/include/proto.h | 2 +- source3/lib/util.c | 159 ----------------------------------------- 5 files changed, 210 insertions(+), 161 deletions(-) create mode 100644 lib/util/unix_match.c create mode 100644 lib/util/unix_match.h diff --git a/lib/util/unix_match.c b/lib/util/unix_match.c new file mode 100644 index 0000000..43112b7 --- /dev/null +++ b/lib/util/unix_match.c 
@@ -0,0 +1,183 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions + Copyright (C) Jeremy Allison 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "replace.h" +#include +#include "lib/util/talloc_stack.h" +#include "lib/util/charset/charset.h" +#include "lib/util/unix_match.h" + +/********************************************************* + Recursive routine that is called by unix_wild_match. +*********************************************************/ + +static bool unix_do_match(const char *regexp, const char *str) +{ + const char *p; + + for( p = regexp; *p && *str; ) { + + switch(*p) { + case '?': + str++; + p++; + break; + + case '*': + + /* + * Look for a character matching + * the one after the '*'. + */ + p++; + if(!*p) { + return true; /* Automatic match */ + } + while(*str) { + + while(*str && (*p != *str)) { + str++; + } + + /* + * Patch from weidel@multichart.de. + * In the case of the regexp + * '*XX*' we want to ensure there are + * at least 2 'X' characters in the + * string after the '*' for a match to + * be made. + */ + + { + int matchcount=0; + + /* + * Eat all the characters that + * match, but count how many + * there were. + */ + + while(*str && (*p == *str)) { + str++; + matchcount++; + } + + /* + * Now check that if the regexp + * had n identical characters + * that matchcount had at least + * that many matches. 
+ */ + + while (*(p+1) && (*(p+1)==*p)) { + p++; + matchcount--; + } + + if ( matchcount <= 0 ) { + return false; + } + } + + /* + * We've eaten the match char + * after the '*' + */ + str--; + + if(unix_do_match(p, str)) { + return true; + } + + if(!*str) { + return false; + } else { + str++; + } + } + return false; + + default: + if(*str != *p) { + return false; + } + str++; + p++; + break; + } + } + + if(!*p && !*str) { + return true; + } + + if (!*p && str[0] == '.' && str[1] == 0) { + return true; + } + + if (!*str && *p == '?') { + while (*p == '?') { + p++; + } + return(!*p); + } + + if(!*str && (*p == '*' && p[1] == '\0')) { + return true; + } + + return false; +} + +/******************************************************************* + Simple case insensitive interface to a UNIX wildcard matcher. + Returns True if match, False if not. +*******************************************************************/ + +bool unix_wild_match(const char *pattern, const char *string) +{ + TALLOC_CTX *ctx = talloc_stackframe(); + char *p2; + char *s2; + char *p; + bool ret = false; + + p2 = strlower_talloc(ctx,pattern); + s2 = strlower_talloc(ctx,string); + if (!p2 || !s2) { + TALLOC_FREE(ctx); + return false; + } + + /* Remove any *? and ** from the pattern as they are meaningless */ + for(p = p2; *p; p++) { + while( *p == '*' && (p[1] == '?' ||p[1] == '*')) { + memmove(&p[1], &p[2], strlen(&p[2])+1); + } + } + + if (p2[0] == '*' && p2[1] == '\0') { + TALLOC_FREE(ctx); + return true; + } + + ret = unix_do_match(p2, s2); + TALLOC_FREE(ctx); + return ret; +} diff --git a/lib/util/unix_match.h b/lib/util/unix_match.h new file mode 100644 index 0000000..a7b6935 --- /dev/null +++ b/lib/util/unix_match.h 
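Review bot: `unix_do_match` carries only the comment "Recursive routine that is called by unix_wild_match", which leaves the pattern syntax it implements undocumented even though this function is the only place that syntax is defined; now that it moves into a shared lib/util file that comment should spell out what the tail of the function shows — `?` consumes exactly one character, `*` consumes any run subject to the `*XX*` rule in the `matchcount` block (each repeated character after the `*` must actually be present), a pattern exhausted against a remaining string of exactly `.` still matches, and trailing `?`s or a single trailing `*` match an empty remainder. It should also state that both arguments are expected to be already lower-cased by `unix_wild_match`, since every comparison here is a byte-exact `*p == *str`. Finally, the recursion at `if(unix_do_match(p, str))` is only re-entered from the `'*'` case with `p` advanced past that star, so the depth appears bounded by the number of `*` characters in the pattern rather than by the string length — worth stating in the comment, as callers outside this file supply the pattern.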
@@ -0,0 +1,25 @@ +/* + Unix SMB/CIFS implementation. + Utility functions for Samba + Copyright (C) Jeremy Allison 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _UNIX_MASK_H_ +#define _UNIX_MASK_H_ + +bool unix_wild_match(const char *pattern, const char *string); + +#endif diff --git a/lib/util/wscript_build b/lib/util/wscript_build index 6d2ab4a..e2ae411 100755 --- a/lib/util/wscript_build +++ b/lib/util/wscript_build @@ -120,7 +120,7 @@ else: idtree_random.c base64.c util_str.c util_str_common.c ms_fnmatch.c server_id.c dprintf.c bitmap.c pidfile.c - tevent_debug.c memcache.c''', + tevent_debug.c memcache.c unix_match.c''', deps='samba-util-core DYNCONFIG close-low-fd tini tiniparser genrand', public_deps='talloc tevent execinfo pthread LIBCRYPTO charset util_setid systemd systemd-daemon', public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h string_wrappers.h idtree.h idtree_random.h blocking.h signal.h substitute.h fault.h genrand.h', diff --git a/source3/include/proto.h b/source3/include/proto.h index 0b0a2b5..2758dc5 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h 
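Review bot: The include guard in the new header is `_UNIX_MASK_H_`, which does not match the file name `unix_match.h`; `#ifndef _UNIX_MATCH_H_` / `#define _UNIX_MATCH_H_` keeps the guard consistent with the file (the leading-underscore-plus-uppercase form is reserved by the C standard, but the `_UTIL_ACCESS_H_` guard added later in this series shows it is the project's convention, so that part is not worth changing here). The declaration `bool unix_wild_match(const char *pattern, const char *string);` also has no documentation now that it is a public lib/util interface; I would carry the contract over from the .c comment as a Doxygen block — case-insensitive match of `string` against a `?`/`*` wildcard `pattern`, returning true on match and false both on no match and on allocation failure. The header uses `bool` without including anything, so it depends on an earlier include in every translation unit that pulls it in; a one-line comment saying so, or an explicit include matching the project's other headers, would avoid a surprise for the next user of this header.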
@@ -411,7 +411,7 @@ bool ms_has_wild_w(const smb_ucs2_t *s); bool mask_match(const char *string, const char *pattern, bool is_case_sensitive); bool mask_match_search(const char *string, const char *pattern, bool is_case_sensitive); bool mask_match_list(const char *string, char **list, int listLen, bool is_case_sensitive); -bool unix_wild_match(const char *pattern, const char *string); +#include "lib/util/unix_match.h" bool name_to_fqdn(fstring fqdn, const char *name); uint32_t map_share_mode_to_deny_mode(uint32_t share_access, uint32_t private_options); diff --git a/source3/lib/util.c b/source3/lib/util.c index 6142b1d..85cb9b3 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c 
@@ -1785,165 +1785,6 @@ bool mask_match_list(const char *string, char **list, int listLen, bool is_case_ return False; } -/********************************************************* - Recursive routine that is called by unix_wild_match. -*********************************************************/ - -static bool unix_do_match(const char *regexp, const char *str) -{ - const char *p; - - for( p = regexp; *p && *str; ) { - - switch(*p) { - case '?': - str++; - p++; - break; - - case '*': - - /* - * Look for a character matching - * the one after the '*'. - */ - p++; - if(!*p) { - return true; /* Automatic match */ - } - while(*str) { - - while(*str && (*p != *str)) { - str++; - } - - /* - * Patch from weidel@multichart.de. - * In the case of the regexp - * '*XX*' we want to ensure there are - * at least 2 'X' characters in the - * string after the '*' for a match to - * be made. - */ - - { - int matchcount=0; - - /* - * Eat all the characters that - * match, but count how many - * there were. - */ - - while(*str && (*p == *str)) { - str++; - matchcount++; - } - - /* - * Now check that if the regexp - * had n identical characters - * that matchcount had at least - * that many matches. - */ - - while (*(p+1) && (*(p+1)==*p)) { - p++; - matchcount--; - } - - if ( matchcount <= 0 ) { - return false; - } - } - - /* - * We've eaten the match char - * after the '*' - */ - str--; - - if(unix_do_match(p, str)) { - return true; - } - - if(!*str) { - return false; - } else { - str++; - } - } - return false; - - default: - if(*str != *p) { - return false; - } - str++; - p++; - break; - } - } - - if(!*p && !*str) { - return true; - } - - if (!*p && str[0] == '.' 
&& str[1] == 0) { - return true; - } - - if (!*str && *p == '?') { - while (*p == '?') { - p++; - } - return(!*p); - } - - if(!*str && (*p == '*' && p[1] == '\0')) { - return true; - } - - return false; -} - -/******************************************************************* - Simple case insensitive interface to a UNIX wildcard matcher. - Returns True if match, False if not. -*******************************************************************/ - -bool unix_wild_match(const char *pattern, const char *string) -{ - TALLOC_CTX *ctx = talloc_stackframe(); - char *p2; - char *s2; - char *p; - bool ret = false; - - p2 = strlower_talloc(ctx,pattern); - s2 = strlower_talloc(ctx,string); - if (!p2 || !s2) { - TALLOC_FREE(ctx); - return false; - } - - /* Remove any *? and ** from the pattern as they are meaningless */ - for(p = p2; *p; p++) { - while( *p == '*' && (p[1] == '?' ||p[1] == '*')) { - memmove(&p[1], &p[2], strlen(&p[2])+1); - } - } - - if (p2[0] == '*' && p2[1] == '\0') { - TALLOC_FREE(ctx); - return true; - } - - ret = unix_do_match(p2, s2); - TALLOC_FREE(ctx); - return ret; -} - /********************************************************************** Converts a name to a fully qualified domain name. Returns true if lookup succeeded, false if not (then fqdn is set to name) -- 2.8.0.rc3.226.g39d4020 From 40ac3140bc9f350735b5c66942706d4eb2139169 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 10 Nov 2016 17:02:08 -0800 Subject: [PATCH 5/9] s3: lib: Change masked_match() from SMB_STRDUP macro to underlying smb_xstrdup function. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 Signed-off-by: Jeremy Allison --- source3/lib/access.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/source3/lib/access.c b/source3/lib/access.c index ad868fa..49c4f8e 100644 --- a/source3/lib/access.c +++ b/source3/lib/access.c 
@@ -13,6 +13,7 @@ #include "includes.h" #include "../lib/util/memcache.h" #include "lib/socket/interfaces.h" +#include "lib/util/samba_util.h" #define NAME_INDEX 0 #define ADDR_INDEX 1 @@ -31,14 +32,14 @@ static bool masked_match(const char *tok, const char *slash, const char *s) if (*tok == '[') { /* IPv6 address - remove braces. */ - tok_copy = SMB_STRDUP(tok+1); + tok_copy = smb_xstrdup(tok+1); if (!tok_copy) { return false; } /* Remove the terminating ']' */ tok_copy[PTR_DIFF(slash,tok)-1] = '\0'; } else { - tok_copy = SMB_STRDUP(tok); + tok_copy = smb_xstrdup(tok); if (!tok_copy) { return false; } @@ -128,7 +129,7 @@ static bool string_match(const char *tok,const char *s) DEBUG(0,("Unable to get default yp domain. " "Try without it.\n")); } - if (!(hostname = SMB_STRDUP(s))) { + if (!(hostname = smb_xstrdup(s))) { DEBUG(1,("out of memory for strdup!\n")); return false; } -- 2.8.0.rc3.226.g39d4020 From c165c31414f88d8fe04fe615a0ce4a31ade30019 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 10 Nov 2016 17:07:11 -0800 Subject: [PATCH 6/9] s3: lib: Use top level function strequal_m not the s3 strequal BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 Signed-off-by: Jeremy Allison --- source3/lib/access.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/source3/lib/access.c b/source3/lib/access.c index 49c4f8e..2875b03 100644 --- a/source3/lib/access.c +++ b/source3/lib/access.c @@ -97,7 +97,7 @@ static bool string_match(const char *tok,const char *s) if (tok[0] == '.') { /* domain: match last fields */ if ((str_len = strlen(s)) > (tok_len = strlen(tok)) - && strequal(tok, s + str_len - tok_len)) { + && strequal_m(tok, s + str_len - tok_len)) { return true; } } else if (tok[0] == '@') { /* netgroup: look it up */ 
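Review bot: Each `smb_xstrdup()` call is still followed by a NULL check (`if (!tok_copy) { return false; }` in both branches of `masked_match`, and `if (!(hostname = smb_xstrdup(s)))` in `string_match`), but if `smb_xstrdup` follows Samba's `x*` convention of aborting rather than returning NULL on allocation failure, those branches are unreachable and the `DEBUG(1,("out of memory for strdup!\n"))` message can never be emitted. Either the checks should go, or, if a NULL-returning allocation is the intent, `strdup()` or `talloc_strdup()` is the function to name. The definition of `smb_xstrdup` is not in this diff, so confirm its failure behaviour before deleting anything; both `masked_match` and `string_match` continue outside the hunks.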
@@ -150,15 +150,15 @@ static bool string_match(const char *tok,const char *s) DEBUG(0,("access: netgroup support is not configured\n")); return false; #endif - } else if (strequal(tok, "ALL")) { /* all: match any */ + } else if (strequal_m(tok, "ALL")) { /* all: match any */ return true; - } else if (strequal(tok, "FAIL")) { /* fail: match any */ + } else if (strequal_m(tok, "FAIL")) { /* fail: match any */ return true; - } else if (strequal(tok, "LOCAL")) { /* local: no dots */ - if (strchr_m(s, '.') == 0 && !strequal(s, "unknown")) { + } else if (strequal_m(tok, "LOCAL")) { /* local: no dots */ + if (strchr_m(s, '.') == 0 && !strequal_m(s, "unknown")) { return true; } - } else if (strequal(tok, s)) { /* match host name or address */ + } else if (strequal_m(tok, s)) { /* match host name or address */ return true; } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */ if (strncmp(tok, s, tok_len) == 0) { @@ -236,7 +236,7 @@ bool list_match(const char **list,const void *item, */ for (; *list ; list++) { - if (strequal(*list, "EXCEPT")) { + if (strequal_m(*list, "EXCEPT")) { /* EXCEPT: give up */ break; } @@ -248,7 +248,7 @@ bool list_match(const char **list,const void *item, /* Process exceptions to true or FAIL matches. */ if (match != false) { - while (*list && !strequal(*list, "EXCEPT")) { + while (*list && !strequal_m(*list, "EXCEPT")) { list++; } -- 2.8.0.rc3.226.g39d4020 From 353682a4795cb2ec4a20f3ba6c69c1718eaefdd6 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 10 Nov 2016 17:09:33 -0800 Subject: [PATCH 7/9] s3: lib: Replace s3 strnequal with top level strncasecmp_m. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 Signed-off-by: Jeremy Allison --- source3/lib/access.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/lib/access.c b/source3/lib/access.c index 2875b03..5e5f43f 100644 --- a/source3/lib/access.c +++ b/source3/lib/access.c 
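Review bot: The unchanged branch `} else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */` reads `tok[-1]` when the token is an empty string, an out-of-bounds read inside the function that evaluates hosts allow/deny configuration. Whether an empty token can reach `string_match` depends on how callers build `list`, which is not visible here, so the guard is cheap insurance: `} else if ((tok_len = strlen(tok)) > 0 && tok[tok_len - 1] == '.') {`. `string_match` starts and ends outside this hunk, and the same expression appears in the source4 copy that patch 9 deletes, so only this copy needs the fix.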
@@ -192,11 +192,11 @@ bool client_match(const char *tok, const void *item) * Bug #5311 and #7383. */ - if (strnequal(tok_addr, "::ffff:",7)) { + if (strncasecmp_m(tok_addr, "::ffff:",7) == 0) { tok_addr += 7; } - if (strnequal(cli_addr,"::ffff:",7)) { + if (strncasecmp_m(cli_addr,"::ffff:",7) == 0) { cli_addr += 7; } -- 2.8.0.rc3.226.g39d4020 From 0f7efe3ad52dde59ef56c769b7d8aa4207581130 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 10 Nov 2016 17:15:20 -0800 Subject: [PATCH 8/9] Move source3/lib/access.c to toplevel lib/util/access.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 Signed-off-by: Jeremy Allison --- {source3/lib => lib/util}/access.c | 5 +++++ lib/util/access.h | 24 ++++++++++++++++++++++++ lib/util/wscript_build | 5 +++++ source3/include/proto.h | 10 +--------- source3/wscript_build | 3 ++- 5 files changed, 37 insertions(+), 10 deletions(-) rename {source3/lib => lib/util}/access.c (98%) create mode 100644 lib/util/access.h diff --git a/source3/lib/access.c b/lib/util/access.c similarity index 98% rename from source3/lib/access.c rename to lib/util/access.c index 5e5f43f..e73f1b7 100644 --- a/source3/lib/access.c +++ b/lib/util/access.c @@ -14,6 +14,11 @@ #include "../lib/util/memcache.h" #include "lib/socket/interfaces.h" #include "lib/util/samba_util.h" +#include "lib/util/util_net.h" +#include "lib/util/samba_util.h" +#include "lib/util/memory.h" +#include "lib/util/access.h" +#include "lib/util/unix_match.h" #define NAME_INDEX 0 #define ADDR_INDEX 1 diff --git a/lib/util/access.h b/lib/util/access.h new file mode 100644 index 0000000..b4dce15 --- /dev/null +++ b/lib/util/access.h 
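Review bot: `#include "lib/util/samba_util.h"` is added again directly below the existing `#include "lib/util/samba_util.h"` context line that patch 5 introduced, so the moved access.c now includes it twice; drop the added copy and keep `util_net.h`, `memory.h`, `access.h` and `unix_match.h`. Since the file now lives in lib/util, the context line `#include "../lib/util/memcache.h"` could also become `#include "lib/util/memcache.h"` to match the style of the new lines, though that is cosmetic.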
@@ -0,0 +1,24 @@ +/* + This module is an adaption of code from the tcpd-1.4 package written + by Wietse Venema, Eindhoven University of Technology, The Netherlands. + + The code is used here with permission. + + The code has been considerably changed from the original. Bug reports + should be sent to samba-technical@lists.samba.org + + Updated for IPv6 by Jeremy Allison (C) 2007. +*/ + +#ifndef _UTIL_ACCESS_H_ +#define _UTIL_ACCESS_H_ + +bool client_match(const char *tok, const void *item); +bool list_match(const char **list,const void *item, + bool (*match_fn)(const char *, const void *)); +bool allow_access(const char **deny_list, + const char **allow_list, + const char *cname, + const char *caddr); + +#endif diff --git a/lib/util/wscript_build b/lib/util/wscript_build index e2ae411..41201a5 100755 --- a/lib/util/wscript_build +++ b/lib/util/wscript_build @@ -29,6 +29,11 @@ bld.SAMBA_SUBSYSTEM('close-low-fd', deps='replace', local_include=False) +bld.SAMBA_SUBSYSTEM('access', + source='access.c', + deps='interfaces samba-util', + local_include=False) + samba_debug_add_deps = '' samba_debug_add_inc = '' diff --git a/source3/include/proto.h b/source3/include/proto.h index 2758dc5..33e3f6c 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -26,15 +26,7 @@ #include #include -/* The following definitions come from lib/access.c */ - -bool client_match(const char *tok, const void *item); -bool list_match(const char **list,const void *item, - bool (*match_fn)(const char *, const void *)); -bool allow_access(const char **deny_list, - const char **allow_list, - const char *cname, - const char *caddr); +#include "lib/util/access.h" /* The following definitions come from lib/adt_tree.c */ diff --git a/source3/wscript_build b/source3/wscript_build index 22e1a62..d6d2be2 100755 --- a/source3/wscript_build +++ b/source3/wscript_build 
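Review bot: The three declarations in the new public header `lib/util/access.h` have no documentation, and `allow_access()` is the function that decides whether a client passes hosts allow/deny filtering, so its contract belongs where callers read it. I would add a Doxygen block on `allow_access` describing `deny_list`/`allow_list` as token lists that may be NULL or empty and stating which list wins when both match — take those rules from the s3 implementation being moved (its body is not in this diff) rather than from the source4 version patch 9 deletes, since the two differ. For `list_match`, document that `item` is passed opaquely to `match_fn` and that an `EXCEPT` token begins an exception sub-list, as the patch 6 hunk shows; for `client_match`, state what `item` must point to, because the `const void *` type hides it from the compiler.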
@@ -334,7 +334,7 @@ bld.SAMBA3_SUBSYSTEM('samba3core', lib/dumpcore.c lib/interface.c lib/username.c - lib/access.c lib/smbrun.c + lib/smbrun.c lib/wins_srv.c lib/substitute.c lib/substitute_generic.c @@ -374,6 +374,7 @@ bld.SAMBA3_SUBSYSTEM('samba3core', messages_util messages_dgm talloc_report + access TDB_LIB''') bld.SAMBA3_LIBRARY('smbd_shim', -- 2.8.0.rc3.226.g39d4020 From 8cea2086e5a45b00e97a51629e32e932f93947d9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 10 Nov 2016 20:33:17 -0800 Subject: [PATCH 9/9] source4: Change to use lib/util/access functions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 Signed-off-by: Jeremy Allison --- source4/dsdb/common/util.c | 3 +- source4/lib/socket/access.c | 237 +-------------------------------------- source4/lib/socket/socket.h | 3 - source4/lib/socket/wscript_build | 2 +- 4 files changed, 5 insertions(+), 240 deletions(-) diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index d1396e4..fffccbe 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -46,6 +46,7 @@ #include "librpc/gen_ndr/irpc.h" #include "libds/common/flag_mapping.h" #include "../lib/util/util_runcmd.h" +#include "lib/util/access.h" /* search the sam for the specified attributes in a specific domain, filter on @@ -1869,7 +1870,7 @@ const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, allow_list[0] = l_subnet_name; - if (socket_allow_access(mem_ctx, NULL, allow_list, "", ip_address)) { + if (allow_access(NULL, allow_list, "", ip_address)) { sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[i], "siteObject"); diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c index adc8105..c019fd6 100644 --- a/source4/lib/socket/access.c +++ b/source4/lib/socket/access.c 
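Review bot: Replacing `socket_allow_access()` with `allow_access()` in `samdb_client_site_name` swaps the matcher behind a subnet-based site lookup, and the two implementations do not accept the same inputs: the source4 `masked_match` deleted in this patch resolves addresses only through `interpret_addr` (IPv4), whereas the lib/util version seen in patch 5 has an explicit `[...]` IPv6 branch and its `client_match` strips a `::ffff:` prefix before comparing. That is a behaviour change for IPv6 subnet objects that the commit message does not mention; it is likely an improvement, but it should be called out and covered by a test that passes an IPv6 `ip_address` against an IPv6 subnet name. Passing `""` as `cname` also relies on the lib/util `client_match` tolerating an empty host name, which the portions visible in this series do not show — worth confirming before merging.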
@@ -33,241 +33,8 @@ #include "includes.h" #include "system/network.h" #include "lib/socket/socket.h" -#include "system/locale.h" #include "lib/util/util_net.h" - -#define FAIL (-1) -#define ALLONES ((uint32_t)0xFFFFFFFF) - -/* masked_match - match address against netnumber/netmask */ -static bool masked_match(TALLOC_CTX *mem_ctx, const char *tok, const char *slash, const char *s) -{ - uint32_t net; - uint32_t mask; - uint32_t addr; - char *tok_cpy; - - if ((addr = interpret_addr(s)) == INADDR_NONE) - return false; - - tok_cpy = talloc_strdup(mem_ctx, tok); - tok_cpy[PTR_DIFF(slash,tok)] = '\0'; - net = interpret_addr(tok_cpy); - talloc_free(tok_cpy); - - if (strlen(slash + 1) > 2) { - mask = interpret_addr(slash + 1); - } else { - mask = (uint32_t)((ALLONES >> atoi(slash + 1)) ^ ALLONES); - /* convert to network byte order */ - mask = htonl(mask); - } - - if (net == INADDR_NONE || mask == INADDR_NONE) { - DEBUG(0,("access: bad net/mask access control: %s\n", tok)); - return false; - } - - return (addr & mask) == (net & mask); -} - -/* string_match - match string against token */ -static bool string_match(TALLOC_CTX *mem_ctx, const char *tok,const char *s, char *invalid_char) -{ - size_t tok_len; - size_t str_len; - const char *cut; - - *invalid_char = '\0'; - - /* Return true if a token has the magic value "ALL". Return - * FAIL if the token is "FAIL". If the token starts with a "." - * (domain name), return true if it matches the last fields of - * the string. If the token has the magic value "LOCAL", - * return true if the string does not contain a "." - * character. If the token ends on a "." (network number), - * return true if it matches the first fields of the - * string. If the token begins with a "@" (netgroup name), - * return true if the string is a (host) member of the - * netgroup. Return true if the token fully matches the - * string. If the token is a netnumber/netmask pair, return - * true if the address is a member of the specified subnet. 
- */ - - if (tok[0] == '.') { /* domain: match last fields */ - if ((str_len = strlen(s)) > (tok_len = strlen(tok)) - && strcasecmp(tok, s + str_len - tok_len)==0) { - return true; - } - } else if (tok[0] == '@') { /* netgroup: look it up */ - DEBUG(0,("access: netgroup support is not available\n")); - return false; - } else if (strcmp(tok, "ALL")==0) { /* all: match any */ - return true; - } else if (strcmp(tok, "FAIL")==0) { /* fail: match any */ - return FAIL; - } else if (strcmp(tok, "LOCAL")==0) { /* local: no dots */ - if (strchr(s, '.') == 0 && strcasecmp(s, "unknown") != 0) { - return true; - } - } else if (strcasecmp(tok, s)==0) { /* match host name or address */ - return true; - } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */ - if (strncmp(tok, s, tok_len) == 0) - return true; - } else if ((cut = strchr(tok, '/')) != 0) { /* netnumber/netmask */ - if (isdigit((int)s[0]) && masked_match(mem_ctx, tok, cut, s)) - return true; - } else if (strchr(tok, '*') != 0) { - *invalid_char = '*'; - } else if (strchr(tok, '?') != 0) { - *invalid_char = '?'; - } - return false; -} - -struct client_addr { - const char *cname; - const char *caddr; -}; - -/* client_match - match host name and address against token */ -static bool client_match(TALLOC_CTX *mem_ctx, const char *tok, struct client_addr *client) -{ - bool match; - char invalid_char = '\0'; - - /* - * Try to match the address first. If that fails, try to match the host - * name if available. 
- */ - - if ((match = string_match(mem_ctx, tok, client->caddr, &invalid_char)) == 0) { - if(invalid_char) - DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \ -token '%s' in an allow/deny hosts line.\n", invalid_char, tok )); - - if (client->cname[0] != 0) - match = string_match(mem_ctx, tok, client->cname, &invalid_char); - - if(invalid_char) - DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \ -token '%s' in an allow/deny hosts line.\n", invalid_char, tok )); - } - - return (match); -} - -/* list_match - match an item against a list of tokens with exceptions */ -static bool list_match(TALLOC_CTX *mem_ctx, const char **list, struct client_addr *client) -{ - bool match = false; - - if (!list) - return false; - - /* - * Process tokens one at a time. We have exhausted all possible matches - * when we reach an "EXCEPT" token or the end of the list. If we do find - * a match, look for an "EXCEPT" list and recurse to determine whether - * the match is affected by any exceptions. - */ - - for (; *list ; list++) { - if (strcmp(*list, "EXCEPT")==0) /* EXCEPT: give up */ - break; - if ((match = client_match(mem_ctx, *list, client))) /* true or FAIL */ - break; - } - - /* Process exceptions to true or FAIL matches. */ - if (match != false) { - while (*list && strcmp(*list, "EXCEPT")!=0) - list++; - - for (; *list; list++) { - if (client_match(mem_ctx, *list, client)) /* Exception Found */ - return false; - } - } - - return match; -} - -/* return true if access should be allowed */ -static bool allow_access_internal(TALLOC_CTX *mem_ctx, - const char **deny_list,const char **allow_list, - const char *cname, const char *caddr) -{ - struct client_addr client; - - client.cname = cname; - client.caddr = caddr; - - /* if it is loopback then always allow unless specifically denied */ - if (strcmp(caddr, "127.0.0.1") == 0) { - /* - * If 127.0.0.1 matches both allow and deny then allow. 
- * Patch from Steve Langasek vorlon@netexpress.net. - */ - if (deny_list && - list_match(mem_ctx, deny_list, &client) && - (!allow_list || - !list_match(mem_ctx, allow_list, &client))) { - return false; - } - return true; - } - - /* if theres no deny list and no allow list then allow access */ - if ((!deny_list || *deny_list == 0) && - (!allow_list || *allow_list == 0)) { - return true; - } - - /* if there is an allow list but no deny list then allow only hosts - on the allow list */ - if (!deny_list || *deny_list == 0) - return list_match(mem_ctx, allow_list, &client); - - /* if theres a deny list but no allow list then allow - all hosts not on the deny list */ - if (!allow_list || *allow_list == 0) - return !list_match(mem_ctx, deny_list, &client); - - /* if there are both types of list then allow all hosts on the - allow list */ - if (list_match(mem_ctx, allow_list, &client)) - return true; - - /* if there are both types of list and it's not on the allow then - allow it if its not on the deny */ - if (list_match(mem_ctx, deny_list, &client)) - return false; - - return true; -} - -/* return true if access should be allowed */ -bool socket_allow_access(TALLOC_CTX *mem_ctx, - const char **deny_list, const char **allow_list, - const char *cname, const char *caddr) -{ - bool ret; - char *nc_cname = talloc_strdup(mem_ctx, cname); - char *nc_caddr = talloc_strdup(mem_ctx, caddr); - - if (!nc_cname || !nc_caddr) { - return false; - } - - ret = allow_access_internal(mem_ctx, deny_list, allow_list, nc_cname, nc_caddr); - - talloc_free(nc_cname); - talloc_free(nc_caddr); - - return ret; -} +#include "lib/util/access.h" /* return true if the char* contains ip addrs only. Used to avoid gethostbyaddr() calls */ 
@@ -346,7 +113,7 @@ bool socket_check_access(struct socket_context *sock, return false; } - ret = socket_allow_access(mem_ctx, deny_list, allow_list, name, addr->addr); + ret = allow_access(deny_list, allow_list, name, addr->addr); if (ret) { DEBUG(2,("socket_check_access: Allowed connection to '%s' from %s (%s)\n", diff --git a/source4/lib/socket/socket.h b/source4/lib/socket/socket.h index 403a723..50a20d9 100644 --- a/source4/lib/socket/socket.h +++ b/source4/lib/socket/socket.h @@ -183,9 +183,6 @@ _PUBLIC_ void socket_address_set_port(struct socket_address *a, struct socket_address *socket_address_copy(TALLOC_CTX *mem_ctx, const struct socket_address *oaddr); const struct socket_ops *socket_getops_byname(const char *name, enum socket_type type); -bool socket_allow_access(TALLOC_CTX *mem_ctx, - const char **deny_list, const char **allow_list, - const char *cname, const char *caddr); bool socket_check_access(struct socket_context *sock, const char *service_name, const char **allow_list, const char **deny_list); diff --git a/source4/lib/socket/wscript_build b/source4/lib/socket/wscript_build index 1cb89c6..e243824 100644 --- a/source4/lib/socket/wscript_build +++ b/source4/lib/socket/wscript_build @@ -24,6 +24,6 @@ bld.SAMBA_MODULE('socket_unix', bld.SAMBA_SUBSYSTEM('samba_socket', source='socket.c access.c connect_multi.c connect.c', public_deps='talloc LIBTSOCKET', - deps='cli_composite LIBCLI_RESOLVE socket_ip socket_unix' + deps='cli_composite LIBCLI_RESOLVE socket_ip socket_unix access' ) -- 2.8.0.rc3.226.g39d4020