From 32c52ed476e3a7178640bbf5703d6a3a18c2bd9a Mon Sep 17 00:00:00 2001
From: Michael Tokarev
Date: Tue, 24 May 2022 16:25:41 +0300
Subject: [PATCH] s3/util/py_net.c: fix samba-tool domain join&leave segfault

We process python args using PyArg_ParseTupleAndKeywords(), and use "p" type modifier there. According to documentation, this type modifier, while works for a boolean type, expects an argument of type int. But in py_net_join_member() and py_net_leave() we use argument of type uint8_t (keep_account, r->in.debug). So when PyArg_ParseTupleAndKeywords() tries to assign a value to &r->in.debug, it updates subsequent, unrelated bytes too, - which ones depends on the stack and structure layout used by the compiler. Fix this by using an int proxy variable "debug" (of the same type) for r->in.debug. While at it, also ensure all variables have sensible default values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15078
Signed-off-by: Michael Tokarev
Reviewed-by: Alexander Bokovoy
Reviewed-by: Andreas Schneider
Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Wed May 25 06:19:32 UTC 2022 on sn-devel-184
Backported-by: Douglas Bagnall (backported from commit 976326fa2b6423ac5866af682605cf7584e4991a, with changes because 4.15 doesn't have no_dns_update, along with other changes that foil the patch. Also the BUG: line was added above).
---
 source3/utils/py_net.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/source3/utils/py_net.c b/source3/utils/py_net.c
index 8a8a756ea21..ef2c0a0599a 100644
--- a/source3/utils/py_net.c
+++ b/source3/utils/py_net.c
@@ -67,6 +67,7 @@ static PyObject *py_net_join_member(py_net_Object *self, PyObject *args, PyObjec
 WERROR werr;
 PyObject *result;
 TALLOC_CTX *mem_ctx;
+ int debug = false;
 bool modify_config = lp_config_backend_is_registry();
 const char *kwnames[] = { "dnshostname", "createupn", "createcomputer", "osName", "osVer", "osServicePack", 
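Review bot: The added `int debug = false;` has no comment saying why it must be an `int`, and it sits directly above `bool modify_config`, so a later tidy-up could plausibly narrow it back to `bool` and bring back the out-of-bounds store the commit message describes. I would write it as `int debug = 0; /* "p" in PyArg_ParseTupleAndKeywords() stores an int; do not narrow */`, and do the same for `int keep_account = false, debug = false;` in py_net_leave(), split into one declaration per line. py_net_join_member() starts and ends outside this hunk and its format string is not visible here, so it is worth confirming that every other `p` target in that call is also an `int`.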
@@ -93,7 +94,7 @@ static PyObject *py_net_join_member(py_net_Object *self, PyObject *args, PyObjec
 &r->in.os_version,
 &r->in.os_servicepack,
 &r->in.machine_password,
- &r->in.debug)) {
+ &debug)) {
 talloc_free(mem_ctx);
 PyErr_FromString(_("Invalid arguments\n"));
 return NULL;
@@ -121,6 +122,7 @@ static PyObject *py_net_join_member(py_net_Object *self, PyObject *args, PyObjec
 WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE | WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
 r->in.msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
+ r->in.debug = debug;
 werr = libnet_Join(mem_ctx, r);
 if (W_ERROR_EQUAL(werr, WERR_NERR_DCNOTFOUND)) {
@@ -166,7 +168,7 @@ static PyObject *py_net_leave(py_net_Object *self, PyObject *args, PyObject *kwa
 struct libnet_UnjoinCtx *r = NULL;
 WERROR werr;
 TALLOC_CTX *mem_ctx;
- bool keep_account = false;
+ int keep_account = false, debug = false;
 const char *kwnames[] = { "keepAccount", "debug", NULL };
 mem_ctx = talloc_new(self->mem_ctx);
@@ -189,7 +191,7 @@ static PyObject *py_net_leave(py_net_Object *self, PyObject *args, PyObject *kwa
 if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|pp:Leave", discard_const_p(char *, kwnames),
- &keep_account, &r->in.debug)) {
+ &keep_account, &debug)) {
 talloc_free(mem_ctx);
 PyErr_FromString(_("Invalid arguments\n"));
 return NULL;
@@ -201,6 +203,7 @@ static PyObject *py_net_leave(py_net_Object *self, PyObject *args, PyObject *kwa
 r->in.admin_account = cli_credentials_get_username(self->creds);
 r->in.admin_password = cli_credentials_get_password(self->creds);
 r->in.modify_config = lp_config_backend_is_registry();
+ r->in.debug = debug;
 /* * Try to delete it, but if that fails, disable it. The
-- 
2.25.1
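Review bot: In the `-121,6 +122,7` hunk, `r->in.debug = debug;` copies an `int` into a field the commit message describes as `uint8_t`, relying on an implicit narrowing conversion. The `p` converter only stores 0 or 1, so the value itself is safe, but `r->in.debug = (debug != 0);` states that intent at the point of use and stays quiet under -Wconversion. The same assignment is added to py_net_leave() in the `-201,6 +203,7` hunk and would take the same change; both functions continue outside their hunks.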