r15589: While trying to understand the vuid code I found that security=share is broken
authorVolker Lendecke <vlendec@samba.org>
Sat, 13 May 2006 23:05:53 +0000 (23:05 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 16:17:02 +0000 (11:17 -0500)
right now. r14112 broke it, in 3.0.22 register_vuid for security=share returns
UID_FIELD_INVALID which in current 3_0 is turned into an error condition. This
makes sure that we only call register_vuid if sec!=share and meanwhile also
fixes a little memleak.

Then I also found a crash in smbclient with sec=share and hostmsdfs=yes.

There's another crash with sec=share when coming from w2k3, but I need sleep
now.

Someone (jerry,jra?) please review the sesssetup.c change.

Thanks,

Volker

source/libsmb/cliconnect.c
source/smbd/password.c
source/smbd/sesssetup.c

index 6b5de6d1439b6d29f1341cd274f43926c28c9436..beabddc78213085bf6e7a61a6985f1972b0f194a 100644 (file)
@@ -221,6 +221,7 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user,
        
        fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
 
+       memset(cli->outbuf, '\0', smb_size);
        set_message(cli->outbuf,13,0,True);
        SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
        cli_setup_packet(cli);
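Review bot: The added `memset(cli->outbuf, '\0', smb_size);` has no comment saying why the header must be cleared here, and this is the only session-setup builder the commit touches. Zeroing the header before `set_message` keeps leftover bytes from an earlier request out of the plaintext session-setup packet. That is worth stating, e.g. `/* Clear the SMB header so no stale fields from a previous request go out on the wire. */`. If the other `cli_session_setup_*` builders in this file reuse `cli->outbuf` the same way, they presumably need the same clear; they are outside this hunk, as is the rest of this function.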
@@ -937,7 +938,8 @@ BOOL cli_send_tconX(struct cli_state *cli,
                pass = "";
        }
 
-       if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) {
+       if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
+           pass && *pass && passlen != 24) {
                if (!lp_client_lanman_auth()) {
                        DEBUG(1, ("Server requested LANMAN password (share-level security) but 'client use lanman auth'"
                                  " is disabled\n"));
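Review bot: The new `pass &&` test protects only this one condition. When `pass` is NULL the branch is skipped and control continues into the rest of cli_send_tconX, which lies outside the hunk and may still read `pass` with the caller's `passlen`. Handling NULL once, next to the `pass = "";` assignment visible above, would cover every later use, for example `if (!pass) { pass = ""; passlen = 0; }` or an early `return False` with a DEBUG message. Whichever is chosen, a one-line comment should say which callers are expected to pass NULL.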
index 230d7f297f2886e53e39bf1086e3e5c39b4de72a..73b0ebb4b32f1b3e300bf69ac3287fbefa78d338 100644 (file)
@@ -155,10 +155,9 @@ int register_vuid(auth_serversupplied_info *server_info,
 {
        user_struct *vuser = NULL;
 
-       /* Ensure no vuid gets registered in share level security. */
+       /* Paranoia check. */
        if(lp_security() == SEC_SHARE) {
-               data_blob_free(&session_key);
-               return UID_FIELD_INVALID;
+               smb_panic("Tried to register uid in security=share\n");
        }
 
        /* Limit allowed vuids to 16bits - VUID_OFFSET. */
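Review bot: Replacing the fail-closed return with `smb_panic()` means any caller that still reaches register_vuid under security=share aborts the smbd process instead of failing the logon. This commit guards the call in reply_sesssetup_and_X, but other callers of register_vuid, if any, are not visible here; if one is reachable from a client request, a remote peer could trigger the abort. Keeping the old cleanup and logging loudly gives the same diagnostic without the abort: `DEBUG(0, ("register_vuid called in security=share\n")); data_blob_free(&session_key); return UID_FIELD_INVALID;`. The message should also say vuid rather than uid. The body of register_vuid continues past the hunk.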
index 8fe01a19b345b42a17d8d36b7d9f6997f9443953..46acb20bdadce44dccf386cd357684e03bb5dec4 100644 (file)
@@ -1127,20 +1127,30 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
        /* register the name and uid as being validated, so further connections
           to a uid can get through without a password, on the same VC */
 
-       /* register_vuid keeps the server info */
-       sess_vuid = register_vuid(server_info, session_key, nt_resp.data ? nt_resp : lm_resp, sub_user);
-       data_blob_free(&nt_resp);
-       data_blob_free(&lm_resp);
-
-       if (sess_vuid == UID_FIELD_INVALID) {
-               return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
-       }
+       if (lp_security() == SEC_SHARE) {
+               sess_vuid = UID_FIELD_INVALID;
+               data_blob_free(&session_key);
+               TALLOC_FREE(server_info);
+       } else {
+               /* register_vuid keeps the server info */
+               sess_vuid = register_vuid(server_info, session_key,
+                                         nt_resp.data ? nt_resp : lm_resp,
+                                         sub_user);
+               if (sess_vuid == UID_FIELD_INVALID) {
+                       data_blob_free(&nt_resp);
+                       data_blob_free(&lm_resp);
+                       return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE));
+               }
 
-       /* current_user_info is changed on new vuid */
-       reload_services( True );
+               /* current_user_info is changed on new vuid */
+               reload_services( True );
 
-       sessionsetup_start_signing_engine(server_info, inbuf);
+               sessionsetup_start_signing_engine(server_info, inbuf);
+       }
 
+       data_blob_free(&nt_resp);
+       data_blob_free(&lm_resp);
+       
        SSVAL(outbuf,smb_uid,sess_vuid);
        SSVAL(inbuf,smb_uid,sess_vuid);