The Samba-Bugzilla – Attachment 17522 Details for
Bug 15169
GETPWSID in memory cache grows indefinetly with each NTLM auth
[patch]
git-am fix for 4.17.next, 4.16.next.
0001-s3-auth-Flush-the-GETPWSID-in-memory-cache-for-NTLM-.patch (text/plain), 3.78 KB, created by
Jeremy Allison
on 2022-09-16 22:16:07 UTC
>From 5d82b695ac8c04868702c459ae0430c014e1ac04 Mon Sep 17 00:00:00 2001 
>From: Andreas Schneider <asn@samba.org> >Date: Mon, 12 Sep 2022 16:31:05 +0200 >Subject: [PATCH] s3:auth: Flush the GETPWSID in memory cache for NTLM auth > >Example valgrind output: > >==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075 >==22502== at 0x4C29F73: malloc (vg_replace_malloc.c:309) >==22502== by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16) >==22502== by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0) >==22502== by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2) >==22502== by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2) >==22502== by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so) >==22502== by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so) >==22502== by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so) >==22502== by 0x14E464: ??? (in /usr/sbin/winbindd) >==22502== by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd) >==22502== by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd) >==22502== by 0x167DE0: ??? (in /usr/sbin/winbindd) >==22502== by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39) >==22502== by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39) >==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39) >==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39) >==22502== by 0x16A243: ??? (in /usr/sbin/winbindd) >==22502== by 0x16AA04: ??? (in /usr/sbin/winbindd) >==22502== by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39) >==22502== by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39) >==22502== by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39) >==22502== by 0x12F2E056: ??? 
(in /usr/lib64/libtevent.so.0.9.39) >==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39) >==22502== by 0x12F4C7: main (in /usr/sbin/winbindd) > >You can find one for each string in pdb_copy_sam_account(), in total >this already has 67 MB in total for this valgrind run. > >pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184 > >(cherry picked from commit 9ef2f7345f0d387567fca598cc7008af95598903) >--- > source3/auth/check_samsec.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > >diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c >index b9563c958a9..6a1567e92c5 100644 >--- a/source3/auth/check_samsec.c >+++ b/source3/auth/check_samsec.c >@@ -24,6 +24,7 @@ > #include "auth.h" > #include "../libcli/auth/libcli_auth.h" > #include "passdb.h" >+#include "lib/util/memcache.h" > > #undef DBGC_CLASS > #define DBGC_CLASS DBGC_AUTH >@@ -487,8 +488,6 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, > nt_status = make_server_info_sam(mem_ctx, sampass, server_info); > unbecome_root(); > >- TALLOC_FREE(sampass); >- > if (!NT_STATUS_IS_OK(nt_status)) { > DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); > goto done; >@@ -507,6 +506,11 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, > (*server_info)->nss_token |= user_info->was_mapped; > > done: >+ /* >+ * Always flush the getpwsid cache or this will grow indefinetly for >+ * each NTLM auththentication. >+ */ >+ memcache_flush(NULL, PDB_GETPWSID_CACHE); > TALLOC_FREE(sampass); > data_blob_free(&user_sess_key); > data_blob_free(&lm_sess_key); >-- >2.34.1 >
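Review bot: In the `@@ -487,8 +488,6` hunk, the early `TALLOC_FREE(sampass)` after `unbecome_root()` is dropped, but the commit message only describes the cache flush and never says why the free moves. The `done:` label in the following hunk already carries `TALLOC_FREE(sampass)`, so the visible paths still release it. Please add a sentence to the commit message stating that `sampass` is now released only at `done:`, so that someone reviewing the backport does not read the removal as an unrelated change.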
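Review bot: In the `done:` block of the `@@ -507,6 +506,11` hunk, `memcache_flush(NULL, PDB_GETPWSID_CACHE)` empties the whole PDB_GETPWSID_CACHE on every call, including the failure paths that reach it through `goto done;`, not only the entry added for this authentication. The code comment should state that a full flush is intended and why removing the single entry is not enough. The comment also has two typos: "indefinetly" should be "indefinitely" and "auththentication" should be "authentication". The diffstat shows only `source3/auth/check_samsec.c` changing, so nothing in this patch guards against the growth returning; a regression test, or a line on how the fix was verified against the valgrind run quoted in the commit message, would help.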
Flags: asn: review+