The Samba-Bugzilla – Attachment 12656 Details for
Bug 12419
AD access check function isn't IPv6-aware.
[patch]
git-am fix for master.
bug-12419 (text/plain), 35.04 KB, created by
Jeremy Allison
on 2016-11-11 18:50:06 UTC
Description:
git-am fix for master.
Creator:
Jeremy Allison
Created:
2016-11-11 18:50:06 UTC
Size:
35.04 KB
>From 70b3d66f94539c6f4ca93b1359b2d8a10cea470a Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 11 Nov 2016 10:21:10 -0800
>Subject: [PATCH 1/9] s3: lib - Fix formatting of unix_wild_match()
> sub-function to README.Coding standards.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>---
> source3/lib/util.c | 61 ++++++++++++++++++++++++++++++++++++------------------
> 1 file changed, 41 insertions(+), 20 deletions(-)
>
>diff --git a/source3/lib/util.c b/source3/lib/util.c
>index bab3998..1af05cd 100644
>--- a/source3/lib/util.c
>+++ b/source3/lib/util.c
>@@ -1804,28 +1804,35 @@ static bool unix_do_match(const char *regexp, const char *str)
> case '*':
>
> /*
>- * Look for a character matching
>+ * Look for a character matching
> * the one after the '*'.
> */
> p++;
>- if(!*p)
>+ if(!*p) {
> return true; /* Automatic match */
>+ }
> while(*str) {
>
>- while(*str && (*p != *str))
>+ while(*str && (*p != *str)) {
> str++;
>+ }
>
> /*
>- * Patch from weidel@multichart.de. In the case of the regexp
>- * '*XX*' we want to ensure there are at least 2 'X' characters
>- * in the string after the '*' for a match to be made.
>+ * Patch from weidel@multichart.de.
>+ * In the case of the regexp
>+ * '*XX*' we want to ensure there are
>+ * at least 2 'X' characters in the
>+ * string after the '*' for a match to
>+ * be made.
> */
>
> {
> int matchcount=0;
>
> /*
>- * Eat all the characters that match, but count how many there were.
>+ * Eat all the characters that
>+ * match, but count how many
>+ * there were.
> */
>
> while(*str && (*p == *str)) {
>@@ -1834,54 +1841,68 @@ static bool unix_do_match(const char *regexp, const char *str)
> }
>
> /*
>- * Now check that if the regexp had n identical characters that
>- * matchcount had at least that many matches.
>+ * Now check that if the regexp
>+ * had n identical characters
>+ * that matchcount had at least
>+ * that many matches.
> */
>
>- while ( *(p+1) && (*(p+1) == *p)) {
>+ while (*(p+1) && (*(p+1)==*p)) {
> p++;
> matchcount--;
> }
>
>- if ( matchcount <= 0 )
>+ if ( matchcount <= 0 ) {
> return false;
>+ }
> }
>
>- str--; /* We've eaten the match char after the '*' */
>+ /*
>+ * We've eaten the match char
>+ * after the '*'
>+ */
>+ str--;
>
>- if(unix_do_match(p, str))
>+ if(unix_do_match(p, str)) {
> return true;
>+ }
>
>- if(!*str)
>+ if(!*str) {
> return false;
>- else
>+ } else {
> str++;
>+ }
> }
> return false;
>
> default:
>- if(*str != *p)
>+ if(*str != *p) {
> return false;
>+ }
> str++;
> p++;
> break;
> }
> }
>
>- if(!*p && !*str)
>+ if(!*p && !*str) {
> return true;
>+ }
>
>- if (!*p && str[0] == '.' && str[1] == 0)
>+ if (!*p && str[0] == '.' && str[1] == 0) {
> return true;
>+ }
>
> if (!*str && *p == '?') {
>- while (*p == '?')
>+ while (*p == '?') {
> p++;
>+ }
> return(!*p);
> }
>
>- if(!*str && (*p == '*' && p[1] == '\0'))
>+ if(!*str && (*p == '*' && p[1] == '\0')) {
> return true;
>+ }
>
> return false;
> }
>--
>2.8.0.rc3.226.g39d4020
>
>
>From d0aaaa623ed8d5375a5cd3ff923a7f14bc0ea913 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 11 Nov 2016 10:22:52 -0800
>Subject: [PATCH 2/9] s3: util: Remove unneeded strequal() call. Convert to
> simple character check.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>---
> source3/lib/util.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/source3/lib/util.c b/source3/lib/util.c
>index 1af05cd..7e3f455 100644
>--- a/source3/lib/util.c
>+++ b/source3/lib/util.c
>@@ -1942,7 +1942,7 @@ bool unix_wild_match(const char *pattern, const char *string)
> }
> }
>
>- if (strequal(p2,"*")) {
>+ if (p2[0] == '*' && p2[1] == '\0') {
> TALLOC_FREE(ctx);
> return true;
> }
>--
>2.8.0.rc3.226.g39d4020
>
>
>From 43e04e592c04bf90b1cce3ebb07411200f510745 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 11 Nov 2016 10:24:40 -0800
>Subject: [PATCH 3/9] s3: lib: Move from talloc_strdup then lower to
> strlower_talloc()
>
>Do things in one go.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>---
> source3/lib/util.c | 12 ++----------
> 1 file changed, 2 insertions(+), 10 deletions(-)
>
>diff --git a/source3/lib/util.c b/source3/lib/util.c
>index 7e3f455..6142b1d 100644
>--- a/source3/lib/util.c
>+++ b/source3/lib/util.c
>@@ -1920,20 +1920,12 @@ bool unix_wild_match(const char *pattern, const char *string)
> char *p;
> bool ret = false;
>
>- p2 = talloc_strdup(ctx,pattern);
>- s2 = talloc_strdup(ctx,string);
>+ p2 = strlower_talloc(ctx,pattern);
>+ s2 = strlower_talloc(ctx,string);
> if (!p2 || !s2) {
> TALLOC_FREE(ctx);
> return false;
> }
>- if (!strlower_m(p2)) {
>- TALLOC_FREE(ctx);
>- return false;
>- }
>- if (!strlower_m(s2)) {
>- TALLOC_FREE(ctx);
>- return false;
>- }
>
> /* Remove any *? and ** from the pattern as they are meaningless */
> for(p = p2; *p; p++) {
>--
>2.8.0.rc3.226.g39d4020
>
>
>From 34490508eac617a1b02d6b286fc69718dd80786f Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 11 Nov 2016 10:35:01 -0800
>Subject: [PATCH 4/9] lib/util: Move unix_wild_match() from source3/lib/util to
> lib/util/
>
>Use top-level functions instead of source3 specific ones.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>---
> lib/util/unix_match.c | 183 ++++++++++++++++++++++++++++++++++++++++++++++++
> lib/util/unix_match.h | 25 +++++++
> lib/util/wscript_build | 2 +-
> source3/include/proto.h | 2 +-
> source3/lib/util.c | 159 -----------------------------------------
> 5 files changed, 210 insertions(+), 161 deletions(-)
> create mode 100644 lib/util/unix_match.c
> create mode 100644 lib/util/unix_match.h
>
>diff --git a/lib/util/unix_match.c b/lib/util/unix_match.c
>new file mode 100644
>index 0000000..43112b7
>--- /dev/null
>+++ b/lib/util/unix_match.c
>@@ -0,0 +1,183 @@
>+/*
>+ Unix SMB/CIFS implementation.
>+ Samba utility functions
>+ Copyright (C) Jeremy Allison 2001
>+
>+ This program is free software; you can redistribute it and/or modify
>+ it under the terms of the GNU General Public License as published by
>+ the Free Software Foundation; either version 3 of the License, or
>+ (at your option) any later version.
>+
>+ This program is distributed in the hope that it will be useful,
>+ but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+ GNU General Public License for more details.
>+
>+ You should have received a copy of the GNU General Public License
>+ along with this program. If not, see <http://www.gnu.org/licenses/>.
>+*/
>+
>+#include "replace.h"
>+#include <talloc.h>
>+#include "lib/util/talloc_stack.h"
>+#include "lib/util/charset/charset.h"
>+#include "lib/util/unix_match.h"
>+
>+/*********************************************************
>+ Recursive routine that is called by unix_wild_match.
>+*********************************************************/
>+
>+static bool unix_do_match(const char *regexp, const char *str)
>+{
>+ const char *p;
>+
>+ for( p = regexp; *p && *str; ) {
>+
>+ switch(*p) {
>+ case '?':
>+ str++;
>+ p++;
>+ break;
>+
>+ case '*':
>+
>+ /*
>+ * Look for a character matching
>+ * the one after the '*'.
>+ */
>+ p++;
>+ if(!*p) {
>+ return true; /* Automatic match */
>+ }
>+ while(*str) {
>+
>+ while(*str && (*p != *str)) {
>+ str++;
>+ }
>+
>+ /*
>+ * Patch from weidel@multichart.de.
>+ * In the case of the regexp
>+ * '*XX*' we want to ensure there are
>+ * at least 2 'X' characters in the
>+ * string after the '*' for a match to
>+ * be made.
>+ */
>+
>+ {
>+ int matchcount=0;
>+
>+ /*
>+ * Eat all the characters that
>+ * match, but count how many
>+ * there were.
>+ */
>+
>+ while(*str && (*p == *str)) {
>+ str++;
>+ matchcount++;
>+ }
>+
>+ /*
>+ * Now check that if the regexp
>+ * had n identical characters
>+ * that matchcount had at least
>+ * that many matches.
>+ */
>+
>+ while (*(p+1) && (*(p+1)==*p)) {
>+ p++;
>+ matchcount--;
>+ }
>+
>+ if ( matchcount <= 0 ) {
>+ return false;
>+ }
>+ }
>+
>+ /*
>+ * We've eaten the match char
>+ * after the '*'
>+ */
>+ str--;
>+
>+ if(unix_do_match(p, str)) {
>+ return true;
>+ }
>+
>+ if(!*str) {
>+ return false;
>+ } else {
>+ str++;
>+ }
>+ }
>+ return false;
>+
>+ default:
>+ if(*str != *p) {
>+ return false;
>+ }
>+ str++;
>+ p++;
>+ break;
>+ }
>+ }
>+
>+ if(!*p && !*str) {
>+ return true;
>+ }
>+
>+ if (!*p && str[0] == '.' && str[1] == 0) {
>+ return true;
>+ }
>+
>+ if (!*str && *p == '?') {
>+ while (*p == '?') {
>+ p++;
>+ }
>+ return(!*p);
>+ }
>+
>+ if(!*str && (*p == '*' && p[1] == '\0')) {
>+ return true;
>+ }
>+
>+ return false;
>+}
>+
>+/*******************************************************************
>+ Simple case insensitive interface to a UNIX wildcard matcher.
>+ Returns True if match, False if not.
>+*******************************************************************/
>+
>+bool unix_wild_match(const char *pattern, const char *string)
>+{
>+ TALLOC_CTX *ctx = talloc_stackframe();
>+ char *p2;
>+ char *s2;
>+ char *p;
>+ bool ret = false;
>+
>+ p2 = strlower_talloc(ctx,pattern);
>+ s2 = strlower_talloc(ctx,string);
>+ if (!p2 || !s2) {
>+ TALLOC_FREE(ctx);
>+ return false;
>+ }
>+
>+ /* Remove any *? and ** from the pattern as they are meaningless */
>+ for(p = p2; *p; p++) {
>+ while( *p == '*' && (p[1] == '?' ||p[1] == '*')) {
>+ memmove(&p[1], &p[2], strlen(&p[2])+1);
>+ }
>+ }
>+
>+ if (p2[0] == '*' && p2[1] == '\0') {
>+ TALLOC_FREE(ctx);
>+ return true;
>+ }
>+
>+ ret = unix_do_match(p2, s2);
>+ TALLOC_FREE(ctx);
>+ return ret;
>+}
>diff --git a/lib/util/unix_match.h b/lib/util/unix_match.h
>new file mode 100644
>index 0000000..a7b6935
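Review bot: The `case '*'` branch of unix_do_match gives wrong answers when the character after the `*` repeats in the string. It advances `p` inside the retry loop and returns false as soon as one run is too short, so (tracing the code as written) `*xxy` matches `xxzxy` while `*xx*` rejects `axbxxc`. The include of lib/util/unix_match.h added to lib/util/access.c later in this series suggests the matcher feeds allow/deny decisions, where a wrong match in either direction changes who is admitted. A plain retry loop avoids the run counting altogether: after the `if(!*p)` check, `for (; *str; str++) { if (unix_do_match(p, str)) { return true; } }` followed by `return false;`. A small table-driven test for unix_wild_match would pin the behaviour now that it is shared code.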
>--- /dev/null
>+++ b/lib/util/unix_match.h
>@@ -0,0 +1,25 @@
>+/*
>+ Unix SMB/CIFS implementation.
>+ Utility functions for Samba
>+ Copyright (C) Jeremy Allison 2001
>+
>+ This program is free software; you can redistribute it and/or modify
>+ it under the terms of the GNU General Public License as published by
>+ the Free Software Foundation; either version 3 of the License, or
>+ (at your option) any later version.
>+
>+ This program is distributed in the hope that it will be useful,
>+ but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+ GNU General Public License for more details.
>+
>+ You should have received a copy of the GNU General Public License
>+ along with this program. If not, see <http://www.gnu.org/licenses/>.
>+*/
>+
>+#ifndef _UNIX_MASK_H_
>+#define _UNIX_MASK_H_
>+
>+bool unix_wild_match(const char *pattern, const char *string);
>+
>+#endif
>diff --git a/lib/util/wscript_build b/lib/util/wscript_build
>index 6d2ab4a..e2ae411 100755
>--- a/lib/util/wscript_build
>+++ b/lib/util/wscript_build
>@@ -120,7 +120,7 @@ else:
> idtree_random.c base64.c
> util_str.c util_str_common.c ms_fnmatch.c
> server_id.c dprintf.c bitmap.c pidfile.c
>- tevent_debug.c memcache.c''',
>+ tevent_debug.c memcache.c unix_match.c''',
> deps='samba-util-core DYNCONFIG close-low-fd tini tiniparser genrand',
> public_deps='talloc tevent execinfo pthread LIBCRYPTO charset util_setid systemd systemd-daemon',
> public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h string_wrappers.h idtree.h idtree_random.h blocking.h signal.h substitute.h fault.h genrand.h',
>diff --git a/source3/include/proto.h b/source3/include/proto.h
>index 0b0a2b5..2758dc5 100644
>--- a/source3/include/proto.h
>+++ b/source3/include/proto.h
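Review bot: lib/util/unix_match.h declares a function returning `bool` but includes nothing, so it only compiles when the includer has already pulled in replace.h or `<stdbool.h>`; adding `#include <stdbool.h>` at the top makes it self-contained. The guard `_UNIX_MASK_H_` does not match the file name and, starting with an underscore and a capital letter, sits in the namespace C reserves for the implementation; `UNIX_MATCH_H` would do. The same two points apply to lib/util/access.h (`_UTIL_ACCESS_H_`) added in patch 8. A one-line comment on the prototype saying that matching is case-insensitive and that `pattern` comes first would help callers, because the mask_match functions next to it in proto.h take the string first.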
>@@ -411,7 +411,7 @@ bool ms_has_wild_w(const smb_ucs2_t *s);
> bool mask_match(const char *string, const char *pattern, bool is_case_sensitive);
> bool mask_match_search(const char *string, const char *pattern, bool is_case_sensitive);
> bool mask_match_list(const char *string, char **list, int listLen, bool is_case_sensitive);
>-bool unix_wild_match(const char *pattern, const char *string);
>+#include "lib/util/unix_match.h"
> bool name_to_fqdn(fstring fqdn, const char *name);
> uint32_t map_share_mode_to_deny_mode(uint32_t share_access, uint32_t private_options);
>
>diff --git a/source3/lib/util.c b/source3/lib/util.c
>index 6142b1d..85cb9b3 100644
>--- a/source3/lib/util.c
>+++ b/source3/lib/util.c
>@@ -1785,165 +1785,6 @@ bool mask_match_list(const char *string, char **list, int listLen, bool is_case_ > return False; > } > >-/********************************************************* >- Recursive routine that is called by unix_wild_match. >-*********************************************************/ >- >-static bool unix_do_match(const char *regexp, const char *str) >-{ >- const char *p; >- >- for( p = regexp; *p && *str; ) { >- >- switch(*p) { >- case '?': >- str++; >- p++; >- break; >- >- case '*': >- >- /* >- * Look for a character matching >- * the one after the '*'. >- */ >- p++; >- if(!*p) { >- return true; /* Automatic match */ >- } >- while(*str) { >- >- while(*str && (*p != *str)) { >- str++; >- } >- >- /* >- * Patch from weidel@multichart.de. >- * In the case of the regexp >- * '*XX*' we want to ensure there are >- * at least 2 'X' characters in the >- * string after the '*' for a match to >- * be made. >- */ >- >- { >- int matchcount=0; >- >- /* >- * Eat all the characters that >- * match, but count how many >- * there were. >- */ >- >- while(*str && (*p == *str)) { >- str++; >- matchcount++; >- } >- >- /* >- * Now check that if the regexp >- * had n identical characters >- * that matchcount had at least >- * that many matches. >- */ >- >- while (*(p+1) && (*(p+1)==*p)) { >- p++; >- matchcount--; >- } >- >- if ( matchcount <= 0 ) { >- return false; >- } >- } >- >- /* >- * We've eaten the match char >- * after the '*' >- */ >- str--; >- >- if(unix_do_match(p, str)) { >- return true; >- } >- >- if(!*str) { >- return false; >- } else { >- str++; >- } >- } >- return false; >- >- default: >- if(*str != *p) { >- return false; >- } >- str++; >- p++; >- break; >- } >- } >- >- if(!*p && !*str) { >- return true; >- } >- >- if (!*p && str[0] == '.' 
&& str[1] == 0) { >- return true; >- } >- >- if (!*str && *p == '?') { >- while (*p == '?') { >- p++; >- } >- return(!*p); >- } >- >- if(!*str && (*p == '*' && p[1] == '\0')) { >- return true; >- } >- >- return false; >-} >- >-/******************************************************************* >- Simple case insensitive interface to a UNIX wildcard matcher. >- Returns True if match, False if not. >-*******************************************************************/ >- >-bool unix_wild_match(const char *pattern, const char *string) >-{ >- TALLOC_CTX *ctx = talloc_stackframe(); >- char *p2; >- char *s2; >- char *p; >- bool ret = false; >- >- p2 = strlower_talloc(ctx,pattern); >- s2 = strlower_talloc(ctx,string); >- if (!p2 || !s2) { >- TALLOC_FREE(ctx); >- return false; >- } >- >- /* Remove any *? and ** from the pattern as they are meaningless */ >- for(p = p2; *p; p++) { >- while( *p == '*' && (p[1] == '?' ||p[1] == '*')) { >- memmove(&p[1], &p[2], strlen(&p[2])+1); >- } >- } >- >- if (p2[0] == '*' && p2[1] == '\0') { >- TALLOC_FREE(ctx); >- return true; >- } >- >- ret = unix_do_match(p2, s2); >- TALLOC_FREE(ctx); >- return ret; >-} >- > /********************************************************************** > Converts a name to a fully qualified domain name. > Returns true if lookup succeeded, false if not (then fqdn is set to name) >-- >2.8.0.rc3.226.g39d4020 > > >From 40ac3140bc9f350735b5c66942706d4eb2139169 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 10 Nov 2016 17:02:08 -0800 >Subject: [PATCH 5/9] s3: lib: Change masked_match() from SMB_STRDUP macro to > underlying smb_xstrdup function. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/lib/access.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > >diff --git a/source3/lib/access.c b/source3/lib/access.c >index ad868fa..49c4f8e 100644 >--- a/source3/lib/access.c >+++ b/source3/lib/access.c 
>@@ -13,6 +13,7 @@
> #include "includes.h"
> #include "../lib/util/memcache.h"
> #include "lib/socket/interfaces.h"
>+#include "lib/util/samba_util.h"
>
> #define NAME_INDEX 0
> #define ADDR_INDEX 1
>@@ -31,14 +32,14 @@ static bool masked_match(const char *tok, const char *slash, const char *s)
>
> if (*tok == '[') {
> /* IPv6 address - remove braces. */
>- tok_copy = SMB_STRDUP(tok+1);
>+ tok_copy = smb_xstrdup(tok+1);
> if (!tok_copy) {
> return false;
> }
> /* Remove the terminating ']' */
> tok_copy[PTR_DIFF(slash,tok)-1] = '\0';
> } else {
>- tok_copy = SMB_STRDUP(tok);
>+ tok_copy = smb_xstrdup(tok);
> if (!tok_copy) {
> return false;
> }
>@@ -128,7 +129,7 @@ static bool string_match(const char *tok,const char *s)
> DEBUG(0,("Unable to get default yp domain. "
> "Try without it.\n"));
> }
>- if (!(hostname = SMB_STRDUP(s))) {
>+ if (!(hostname = smb_xstrdup(s))) {
> DEBUG(1,("out of memory for strdup!\n"));
> return false;
> }
>--
>2.8.0.rc3.226.g39d4020
>
>
>From c165c31414f88d8fe04fe615a0ce4a31ade30019 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Thu, 10 Nov 2016 17:07:11 -0800
>Subject: [PATCH 6/9] s3: lib: Use top level function strequal_m not the s3
> strequal
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>---
> source3/lib/access.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
>
>diff --git a/source3/lib/access.c b/source3/lib/access.c
>index 49c4f8e..2875b03 100644
>--- a/source3/lib/access.c
>+++ b/source3/lib/access.c
>@@ -97,7 +97,7 @@ static bool string_match(const char *tok,const char *s)
>
> if (tok[0] == '.') { /* domain: match last fields */
> if ((str_len = strlen(s)) > (tok_len = strlen(tok))
>- && strequal(tok, s + str_len - tok_len)) {
>+ && strequal_m(tok, s + str_len - tok_len)) {
> return true;
> }
> } else if (tok[0] == '@') { /* netgroup: look it up */
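Review bot: The bracketed-IPv6 branch of masked_match appears to leave the `]` in place. `tok_copy` starts at `tok+1`, so if `slash` points at the `/` directly after `]`, index `PTR_DIFF(slash,tok)-1` is the `/` itself and the copy still ends in `]`, despite the comment above it; `tok_copy[PTR_DIFF(slash,tok)-2] = '\0';` would cut at the bracket. If the address parser that consumes tok_copy (outside this hunk) rejects the trailing bracket, a `[addr]/mask` entry never matches, which for a deny list means the rule is not applied. Separately, the `if (!tok_copy)` checks here and the `out of memory for strdup!` branch in the string_match hunk are unreachable if smb_xstrdup aborts on allocation failure, as the x prefix suggests.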
>@@ -150,15 +150,15 @@ static bool string_match(const char *tok,const char *s)
> DEBUG(0,("access: netgroup support is not configured\n"));
> return false;
> #endif
>- } else if (strequal(tok, "ALL")) { /* all: match any */
>+ } else if (strequal_m(tok, "ALL")) { /* all: match any */
> return true;
>- } else if (strequal(tok, "FAIL")) { /* fail: match any */
>+ } else if (strequal_m(tok, "FAIL")) { /* fail: match any */
> return true;
>- } else if (strequal(tok, "LOCAL")) { /* local: no dots */
>- if (strchr_m(s, '.') == 0 && !strequal(s, "unknown")) {
>+ } else if (strequal_m(tok, "LOCAL")) { /* local: no dots */
>+ if (strchr_m(s, '.') == 0 && !strequal_m(s, "unknown")) {
> return true;
> }
>- } else if (strequal(tok, s)) { /* match host name or address */
>+ } else if (strequal_m(tok, s)) { /* match host name or address */
> return true;
> } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */
> if (strncmp(tok, s, tok_len) == 0) {
>@@ -236,7 +236,7 @@ bool list_match(const char **list,const void *item,
> */
>
> for (; *list ; list++) {
>- if (strequal(*list, "EXCEPT")) {
>+ if (strequal_m(*list, "EXCEPT")) {
> /* EXCEPT: give up */
> break;
> }
>@@ -248,7 +248,7 @@ bool list_match(const char **list,const void *item,
> /* Process exceptions to true or FAIL matches. */
>
> if (match != false) {
>- while (*list && !strequal(*list, "EXCEPT")) {
>+ while (*list && !strequal_m(*list, "EXCEPT")) {
> list++;
> }
>
>--
>2.8.0.rc3.226.g39d4020
>
>
>From 353682a4795cb2ec4a20f3ba6c69c1718eaefdd6 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Thu, 10 Nov 2016 17:09:33 -0800
>Subject: [PATCH 7/9] s3: lib: Replace s3 strnequal with top level
> strncasecmp_m.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>---
> source3/lib/access.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source3/lib/access.c b/source3/lib/access.c
>index 2875b03..5e5f43f 100644
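Review bot: The `LOCAL` branch of string_match still defines local as "no dots", which a plain IPv6 literal such as `fe80::1` also satisfies. If `s` can be the client address, as it is in the source4 client_match removed in patch 9, a `LOCAL` entry would match such a peer regardless of where it connects from. Since this series is about making the check IPv6-aware, the condition should also rule out colons: `if (strchr_m(s, '.') == 0 && strchr_m(s, ':') == 0 && !strequal_m(s, "unknown")) {`. Further down, `tok[(tok_len = strlen(tok)) - 1]` reads before the buffer when `tok` is empty; whether an empty token can reach this point is not visible in the hunk.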
>--- a/source3/lib/access.c
>+++ b/source3/lib/access.c
>@@ -192,11 +192,11 @@ bool client_match(const char *tok, const void *item)
> * Bug #5311 and #7383.
> */
>
>- if (strnequal(tok_addr, "::ffff:",7)) {
>+ if (strncasecmp_m(tok_addr, "::ffff:",7) == 0) {
> tok_addr += 7;
> }
>
>- if (strnequal(cli_addr,"::ffff:",7)) {
>+ if (strncasecmp_m(cli_addr,"::ffff:",7) == 0) {
> cli_addr += 7;
> }
>
>--
>2.8.0.rc3.226.g39d4020
>
>
>From 0f7efe3ad52dde59ef56c769b7d8aa4207581130 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Thu, 10 Nov 2016 17:15:20 -0800
>Subject: [PATCH 8/9] Move source3/lib/access.c to toplevel lib/util/access.c
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>---
> {source3/lib => lib/util}/access.c | 5 +++++
> lib/util/access.h | 24 ++++++++++++++++++++++++
> lib/util/wscript_build | 5 +++++
> source3/include/proto.h | 10 +---------
> source3/wscript_build | 3 ++-
> 5 files changed, 37 insertions(+), 10 deletions(-)
> rename {source3/lib => lib/util}/access.c (98%)
> create mode 100644 lib/util/access.h
>
>diff --git a/source3/lib/access.c b/lib/util/access.c
>similarity index 98%
>rename from source3/lib/access.c
>rename to lib/util/access.c
>index 5e5f43f..e73f1b7 100644
>--- a/source3/lib/access.c
>+++ b/lib/util/access.c
>@@ -14,6 +14,11 @@
> #include "../lib/util/memcache.h"
> #include "lib/socket/interfaces.h"
> #include "lib/util/samba_util.h"
>+#include "lib/util/util_net.h"
>+#include "lib/util/samba_util.h"
>+#include "lib/util/memory.h"
>+#include "lib/util/access.h"
>+#include "lib/util/unix_match.h"
>
> #define NAME_INDEX 0
> #define ADDR_INDEX 1
>diff --git a/lib/util/access.h b/lib/util/access.h
>new file mode 100644
>index 0000000..b4dce15
>--- /dev/null
>+++ b/lib/util/access.h
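Review bot: Both prefix checks in client_match spell out the literal `"::ffff:"` and its length `7` separately, twice each, so the string and the count can drift apart. A file-local constant, e.g. `static const char v4mapped[] = "::ffff:";` with `sizeof(v4mapped) - 1` as the length and the skip amount, keeps them tied together. client_match starts and ends outside the hunk, so whether `tok_addr` and `cli_addr` can be NULL at this point is not visible.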
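Review bot: The added include block pulls in `lib/util/samba_util.h` a second time, directly under the existing include of the same header; the new `#include "lib/util/samba_util.h"` line can be dropped. After the move the file lives in lib/util itself, so the context line `#include "../lib/util/memcache.h"` could be spelled `lib/util/memcache.h` like its neighbours. Patch 5's hunk shows `#include "includes.h"` on line 13 of this file; if that resolves to the source3 umbrella header, the top-level copy should stop depending on it, though that line is outside this hunk.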
>@@ -0,0 +1,24 @@
>+/*
>+ This module is an adaption of code from the tcpd-1.4 package written
>+ by Wietse Venema, Eindhoven University of Technology, The Netherlands.
>+
>+ The code is used here with permission.
>+
>+ The code has been considerably changed from the original. Bug reports
>+ should be sent to samba-technical@lists.samba.org
>+
>+ Updated for IPv6 by Jeremy Allison (C) 2007.
>+*/
>+
>+#ifndef _UTIL_ACCESS_H_
>+#define _UTIL_ACCESS_H_
>+
>+bool client_match(const char *tok, const void *item);
>+bool list_match(const char **list,const void *item,
>+ bool (*match_fn)(const char *, const void *));
>+bool allow_access(const char **deny_list,
>+ const char **allow_list,
>+ const char *cname,
>+ const char *caddr);
>+
>+#endif
>diff --git a/lib/util/wscript_build b/lib/util/wscript_build
>index e2ae411..41201a5 100755
>--- a/lib/util/wscript_build
>+++ b/lib/util/wscript_build
>@@ -29,6 +29,11 @@ bld.SAMBA_SUBSYSTEM('close-low-fd',
> deps='replace',
> local_include=False)
>
>+bld.SAMBA_SUBSYSTEM('access',
>+ source='access.c',
>+ deps='interfaces samba-util',
>+ local_include=False)
>+
> samba_debug_add_deps = ''
> samba_debug_add_inc = ''
>
>diff --git a/source3/include/proto.h b/source3/include/proto.h
>index 2758dc5..33e3f6c 100644
>--- a/source3/include/proto.h
>+++ b/source3/include/proto.h
>@@ -26,15 +26,7 @@
> #include <sys/types.h>
> #include <regex.h>
>
>-/* The following definitions come from lib/access.c */
>-
>-bool client_match(const char *tok, const void *item);
>-bool list_match(const char **list,const void *item,
>- bool (*match_fn)(const char *, const void *));
>-bool allow_access(const char **deny_list,
>- const char **allow_list,
>- const char *cname,
>- const char *caddr);
>+#include "lib/util/access.h"
>
> /* The following definitions come from lib/adt_tree.c */
>
>diff --git a/source3/wscript_build b/source3/wscript_build
>index 22e1a62..d6d2be2 100755
>--- a/source3/wscript_build
>+++ b/source3/wscript_build
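Review bot: The three prototypes in lib/util/access.h become a shared top-level API without any description of their contract. `client_match` and `list_match` take `const void *item`, and only the `NAME_INDEX`/`ADDR_INDEX` defines in access.c suggest what it points to; a comment along the lines of `/* item: presumably const char *[2], [NAME_INDEX] = client name, [ADDR_INDEX] = client address */`, confirmed against the implementation, would spare callers from reading it. `allow_access` takes `deny_list` before `allow_list`, while socket_check_access in source4/lib/socket/socket.h takes `allow_list` first, so the argument order and the meaning of a NULL list deserve a line of documentation as well.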
>@@ -334,7 +334,7 @@ bld.SAMBA3_SUBSYSTEM('samba3core',
> lib/dumpcore.c
> lib/interface.c
> lib/username.c
>- lib/access.c lib/smbrun.c
>+ lib/smbrun.c
> lib/wins_srv.c
> lib/substitute.c
> lib/substitute_generic.c
>@@ -374,6 +374,7 @@ bld.SAMBA3_SUBSYSTEM('samba3core',
> messages_util
> messages_dgm
> talloc_report
>+ access
> TDB_LIB''')
>
> bld.SAMBA3_LIBRARY('smbd_shim',
>--
>2.8.0.rc3.226.g39d4020
>
>
>From 8cea2086e5a45b00e97a51629e32e932f93947d9 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Thu, 10 Nov 2016 20:33:17 -0800
>Subject: [PATCH 9/9] source4: Change to use lib/util/access functions.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>---
> source4/dsdb/common/util.c | 3 +-
> source4/lib/socket/access.c | 237 +--------------------------------------
> source4/lib/socket/socket.h | 3 -
> source4/lib/socket/wscript_build | 2 +-
> 4 files changed, 5 insertions(+), 240 deletions(-)
>
>diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
>index d1396e4..fffccbe 100644
>--- a/source4/dsdb/common/util.c
>+++ b/source4/dsdb/common/util.c
>@@ -46,6 +46,7 @@
> #include "librpc/gen_ndr/irpc.h"
> #include "libds/common/flag_mapping.h"
> #include "../lib/util/util_runcmd.h"
>+#include "lib/util/access.h"
>
> /*
> search the sam for the specified attributes in a specific domain, filter on
>@@ -1869,7 +1870,7 @@ const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
>
> allow_list[0] = l_subnet_name;
>
>- if (socket_allow_access(mem_ctx, NULL, allow_list, "", ip_address)) {
>+ if (allow_access(NULL, allow_list, "", ip_address)) {
> sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx,
> res->msgs[i],
> "siteObject");
>diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c
>index adc8105..c019fd6 100644
>--- a/source4/lib/socket/access.c
>+++ b/source4/lib/socket/access.c
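Review bot: Calling `allow_access()` directly drops the NULL guard that the removed `socket_allow_access()` wrapper provided. The wrapper copied `cname` and `caddr` with talloc_strdup and returned false when either copy was NULL, so a NULL `ip_address` here, or a NULL `name`/`addr->addr` in the socket_check_access hunk of source4/lib/socket/access.c, used to be refused rather than passed on. `allow_access` itself is not shown in this series, so either confirm it tolerates NULL or guard the call, e.g. `if (ip_address != NULL && allow_access(NULL, allow_list, "", ip_address)) {`. The switch also moves source4 from a matcher that flagged `*` and `?` in tokens as invalid to one that, judging by the unix_match.h include, expands them, which is worth stating in the commit message. samdb_client_site_name continues outside the hunk.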
>@@ -33,241 +33,8 @@ > #include "includes.h" > #include "system/network.h" > #include "lib/socket/socket.h" >-#include "system/locale.h" > #include "lib/util/util_net.h" >- >-#define FAIL (-1) >-#define ALLONES ((uint32_t)0xFFFFFFFF) >- >-/* masked_match - match address against netnumber/netmask */ >-static bool masked_match(TALLOC_CTX *mem_ctx, const char *tok, const char *slash, const char *s) >-{ >- uint32_t net; >- uint32_t mask; >- uint32_t addr; >- char *tok_cpy; >- >- if ((addr = interpret_addr(s)) == INADDR_NONE) >- return false; >- >- tok_cpy = talloc_strdup(mem_ctx, tok); >- tok_cpy[PTR_DIFF(slash,tok)] = '\0'; >- net = interpret_addr(tok_cpy); >- talloc_free(tok_cpy); >- >- if (strlen(slash + 1) > 2) { >- mask = interpret_addr(slash + 1); >- } else { >- mask = (uint32_t)((ALLONES >> atoi(slash + 1)) ^ ALLONES); >- /* convert to network byte order */ >- mask = htonl(mask); >- } >- >- if (net == INADDR_NONE || mask == INADDR_NONE) { >- DEBUG(0,("access: bad net/mask access control: %s\n", tok)); >- return false; >- } >- >- return (addr & mask) == (net & mask); >-} >- >-/* string_match - match string against token */ >-static bool string_match(TALLOC_CTX *mem_ctx, const char *tok,const char *s, char *invalid_char) >-{ >- size_t tok_len; >- size_t str_len; >- const char *cut; >- >- *invalid_char = '\0'; >- >- /* Return true if a token has the magic value "ALL". Return >- * FAIL if the token is "FAIL". If the token starts with a "." >- * (domain name), return true if it matches the last fields of >- * the string. If the token has the magic value "LOCAL", >- * return true if the string does not contain a "." >- * character. If the token ends on a "." (network number), >- * return true if it matches the first fields of the >- * string. If the token begins with a "@" (netgroup name), >- * return true if the string is a (host) member of the >- * netgroup. Return true if the token fully matches the >- * string. 
If the token is a netnumber/netmask pair, return >- * true if the address is a member of the specified subnet. >- */ >- >- if (tok[0] == '.') { /* domain: match last fields */ >- if ((str_len = strlen(s)) > (tok_len = strlen(tok)) >- && strcasecmp(tok, s + str_len - tok_len)==0) { >- return true; >- } >- } else if (tok[0] == '@') { /* netgroup: look it up */ >- DEBUG(0,("access: netgroup support is not available\n")); >- return false; >- } else if (strcmp(tok, "ALL")==0) { /* all: match any */ >- return true; >- } else if (strcmp(tok, "FAIL")==0) { /* fail: match any */ >- return FAIL; >- } else if (strcmp(tok, "LOCAL")==0) { /* local: no dots */ >- if (strchr(s, '.') == 0 && strcasecmp(s, "unknown") != 0) { >- return true; >- } >- } else if (strcasecmp(tok, s)==0) { /* match host name or address */ >- return true; >- } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */ >- if (strncmp(tok, s, tok_len) == 0) >- return true; >- } else if ((cut = strchr(tok, '/')) != 0) { /* netnumber/netmask */ >- if (isdigit((int)s[0]) && masked_match(mem_ctx, tok, cut, s)) >- return true; >- } else if (strchr(tok, '*') != 0) { >- *invalid_char = '*'; >- } else if (strchr(tok, '?') != 0) { >- *invalid_char = '?'; >- } >- return false; >-} >- >-struct client_addr { >- const char *cname; >- const char *caddr; >-}; >- >-/* client_match - match host name and address against token */ >-static bool client_match(TALLOC_CTX *mem_ctx, const char *tok, struct client_addr *client) >-{ >- bool match; >- char invalid_char = '\0'; >- >- /* >- * Try to match the address first. If that fails, try to match the host >- * name if available. 
>- */ >- >- if ((match = string_match(mem_ctx, tok, client->caddr, &invalid_char)) == 0) { >- if(invalid_char) >- DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \ >-token '%s' in an allow/deny hosts line.\n", invalid_char, tok )); >- >- if (client->cname[0] != 0) >- match = string_match(mem_ctx, tok, client->cname, &invalid_char); >- >- if(invalid_char) >- DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \ >-token '%s' in an allow/deny hosts line.\n", invalid_char, tok )); >- } >- >- return (match); >-} >- >-/* list_match - match an item against a list of tokens with exceptions */ >-static bool list_match(TALLOC_CTX *mem_ctx, const char **list, struct client_addr *client) >-{ >- bool match = false; >- >- if (!list) >- return false; >- >- /* >- * Process tokens one at a time. We have exhausted all possible matches >- * when we reach an "EXCEPT" token or the end of the list. If we do find >- * a match, look for an "EXCEPT" list and recurse to determine whether >- * the match is affected by any exceptions. >- */ >- >- for (; *list ; list++) { >- if (strcmp(*list, "EXCEPT")==0) /* EXCEPT: give up */ >- break; >- if ((match = client_match(mem_ctx, *list, client))) /* true or FAIL */ >- break; >- } >- >- /* Process exceptions to true or FAIL matches. 
*/ >- if (match != false) { >- while (*list && strcmp(*list, "EXCEPT")!=0) >- list++; >- >- for (; *list; list++) { >- if (client_match(mem_ctx, *list, client)) /* Exception Found */ >- return false; >- } >- } >- >- return match; >-} >- >-/* return true if access should be allowed */ >-static bool allow_access_internal(TALLOC_CTX *mem_ctx, >- const char **deny_list,const char **allow_list, >- const char *cname, const char *caddr) >-{ >- struct client_addr client; >- >- client.cname = cname; >- client.caddr = caddr; >- >- /* if it is loopback then always allow unless specifically denied */ >- if (strcmp(caddr, "127.0.0.1") == 0) { >- /* >- * If 127.0.0.1 matches both allow and deny then allow. >- * Patch from Steve Langasek vorlon@netexpress.net. >- */ >- if (deny_list && >- list_match(mem_ctx, deny_list, &client) && >- (!allow_list || >- !list_match(mem_ctx, allow_list, &client))) { >- return false; >- } >- return true; >- } >- >- /* if theres no deny list and no allow list then allow access */ >- if ((!deny_list || *deny_list == 0) && >- (!allow_list || *allow_list == 0)) { >- return true; >- } >- >- /* if there is an allow list but no deny list then allow only hosts >- on the allow list */ >- if (!deny_list || *deny_list == 0) >- return list_match(mem_ctx, allow_list, &client); >- >- /* if theres a deny list but no allow list then allow >- all hosts not on the deny list */ >- if (!allow_list || *allow_list == 0) >- return !list_match(mem_ctx, deny_list, &client); >- >- /* if there are both types of list then allow all hosts on the >- allow list */ >- if (list_match(mem_ctx, allow_list, &client)) >- return true; >- >- /* if there are both types of list and it's not on the allow then >- allow it if its not on the deny */ >- if (list_match(mem_ctx, deny_list, &client)) >- return false; >- >- return true; >-} >- >-/* return true if access should be allowed */ >-bool socket_allow_access(TALLOC_CTX *mem_ctx, >- const char **deny_list, const char **allow_list, >- const 
char *cname, const char *caddr) >-{ >- bool ret; >- char *nc_cname = talloc_strdup(mem_ctx, cname); >- char *nc_caddr = talloc_strdup(mem_ctx, caddr); >- >- if (!nc_cname || !nc_caddr) { >- return false; >- } >- >- ret = allow_access_internal(mem_ctx, deny_list, allow_list, nc_cname, nc_caddr); >- >- talloc_free(nc_cname); >- talloc_free(nc_caddr); >- >- return ret; >-} >+#include "lib/util/access.h" > > /* return true if the char* contains ip addrs only. Used to avoid > gethostbyaddr() calls */ >@@ -346,7 +113,7 @@ bool socket_check_access(struct socket_context *sock, > return false; > } > >- ret = socket_allow_access(mem_ctx, deny_list, allow_list, name, addr->addr); >+ ret = allow_access(deny_list, allow_list, name, addr->addr); > > if (ret) { > DEBUG(2,("socket_check_access: Allowed connection to '%s' from %s (%s)\n", >diff --git a/source4/lib/socket/socket.h b/source4/lib/socket/socket.h >index 403a723..50a20d9 100644 >--- a/source4/lib/socket/socket.h >+++ b/source4/lib/socket/socket.h >@@ -183,9 +183,6 @@ _PUBLIC_ void socket_address_set_port(struct socket_address *a, > struct socket_address *socket_address_copy(TALLOC_CTX *mem_ctx, > const struct socket_address *oaddr); > const struct socket_ops *socket_getops_byname(const char *name, enum socket_type type); >-bool socket_allow_access(TALLOC_CTX *mem_ctx, >- const char **deny_list, const char **allow_list, >- const char *cname, const char *caddr); > bool socket_check_access(struct socket_context *sock, > const char *service_name, > const char **allow_list, const char **deny_list); >diff --git a/source4/lib/socket/wscript_build b/source4/lib/socket/wscript_build >index 1cb89c6..e243824 100644 >--- a/source4/lib/socket/wscript_build >+++ b/source4/lib/socket/wscript_build 
>@@ -24,6 +24,6 @@ bld.SAMBA_MODULE('socket_unix',
> bld.SAMBA_SUBSYSTEM('samba_socket',
> source='socket.c access.c connect_multi.c connect.c',
> public_deps='talloc LIBTSOCKET',
>- deps='cli_composite LIBCLI_RESOLVE socket_ip socket_unix'
>+ deps='cli_composite LIBCLI_RESOLVE socket_ip socket_unix access'
> )
>
>--
>2.8.0.rc3.226.g39d4020
>