Attachment 17522 Details for Bug 15169 – git-am fix for 4.17.next, 4.16.next.

[patch] git-am fix for 4.17.next, 4.16.next.

0001-s3-auth-Flush-the-GETPWSID-in-memory-cache-for-NTLM-.patch (text/plain), 3.78 KB, created by Jeremy Allison on 2022-09-16 22:16:07 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2022-09-16 22:16:07 UTC

Size: 3.78 KB

patch

obsolete

>From 5d82b695ac8c04868702c459ae0430c014e1ac04 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 12 Sep 2022 16:31:05 +0200
>Subject: [PATCH] s3:auth: Flush the GETPWSID in memory cache for NTLM auth
>
>Example valgrind output:
>
>==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075
>==22502==    at 0x4C29F73: malloc (vg_replace_malloc.c:309)
>==22502==    by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16)
>==22502==    by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0)
>==22502==    by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2)
>==22502==    by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2)
>==22502==    by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so)
>==22502==    by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so)
>==22502==    by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so)
>==22502==    by 0x14E464: ??? (in /usr/sbin/winbindd)
>==22502==    by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd)
>==22502==    by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd)
>==22502==    by 0x167DE0: ??? (in /usr/sbin/winbindd)
>==22502==    by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39)
>==22502==    by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39)
>==22502==    by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
>==22502==    by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
>==22502==    by 0x16A243: ??? (in /usr/sbin/winbindd)
>==22502==    by 0x16AA04: ??? (in /usr/sbin/winbindd)
>==22502==    by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39)
>==22502==    by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39)
>==22502==    by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39)
>==22502==    by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39)
>==22502==    by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39)
>==22502==    by 0x12F4C7: main (in /usr/sbin/winbindd)
>
>You can find one for each string in pdb_copy_sam_account(), in total
>this already has 67 MB in total for this valgrind run.
>
>pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...)
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>
>Autobuild-User(master): Jeremy Allison <jra@samba.org>
>Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184
>
>(cherry picked from commit 9ef2f7345f0d387567fca598cc7008af95598903)
>---
> source3/auth/check_samsec.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
>diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
>index b9563c958a9..6a1567e92c5 100644
>--- a/source3/auth/check_samsec.c
>+++ b/source3/auth/check_samsec.c
>@@ -24,6 +24,7 @@
> #include "auth.h"
> #include "../libcli/auth/libcli_auth.h"
> #include "passdb.h"
>+#include "lib/util/memcache.h"
> 
> #undef DBGC_CLASS
> #define DBGC_CLASS DBGC_AUTH
>@@ -487,8 +488,6 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
> 	nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
> 	unbecome_root();
> 
>-	TALLOC_FREE(sampass);
>-
> 	if (!NT_STATUS_IS_OK(nt_status)) {
> 		DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
> 		goto done;
>@@ -507,6 +506,11 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
> 	(*server_info)->nss_token |= user_info->was_mapped;
> 
> done:
>+	/*
>+	 * Always flush the getpwsid cache or this will grow indefinetly for
>+	 * each NTLM auththentication.
>+	 */
>+	memcache_flush(NULL, PDB_GETPWSID_CACHE);
> 	TALLOC_FREE(sampass);
> 	data_blob_free(&user_sess_key);
> 	data_blob_free(&lm_sess_key);
>-- 
>2.34.1
>

Flags:

asn: review+

Actions: View

Attachments on bug 15169: 17522