From owner-svn-ports-all@freebsd.org Sat Dec 19 22:51:13 2015 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1151CA4BB72; Sat, 19 Dec 2015 22:51:13 +0000 (UTC) (envelope-from timur@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9D7021DFC; Sat, 19 Dec 2015 22:51:12 +0000 (UTC) (envelope-from timur@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tBJMpBnF083308; Sat, 19 Dec 2015 22:51:11 GMT (envelope-from timur@FreeBSD.org) Received: (from timur@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id tBJMpAa4083296; Sat, 19 Dec 2015 22:51:10 GMT (envelope-from timur@FreeBSD.org) Message-Id: <201512192251.tBJMpAa4083296@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: timur set sender to timur@FreeBSD.org using -f From: "Timur I. Bakeyev" Date: Sat, 19 Dec 2015 22:51:10 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r404031 - in head/net: samba41 samba42 samba42/files samba43 samba43/files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 19 Dec 2015 22:51:13 -0000 Author: timur Date: Sat Dec 19 22:51:10 2015 New Revision: 404031 URL: https://svnweb.freebsd.org/changeset/ports/404031 Log: A security fix release of Samba 4.1, 4.2 and 4.3. Samba 4.1 is also marked as deprecated. Security: CVE-2015-3223 CVE-2015-5252 CVE-2015-5299 CVE-2015-5296 CVE-2015-8467 CVE-2015-5330 Added: head/net/samba42/files/extra-patch-security (contents, props changed) head/net/samba43/files/extra-patch-security (contents, props changed) Modified: head/net/samba41/Makefile head/net/samba41/distinfo head/net/samba42/Makefile head/net/samba42/distinfo head/net/samba42/files/pkg-message.in head/net/samba42/pkg-plist head/net/samba43/Makefile head/net/samba43/distinfo head/net/samba43/files/patch-source3__client__dnsbrowse.c head/net/samba43/files/pkg-message.in head/net/samba43/pkg-plist Modified: head/net/samba41/Makefile ============================================================================== --- head/net/samba41/Makefile Sat Dec 19 21:42:06 2015 (r404030) +++ head/net/samba41/Makefile Sat Dec 19 22:51:10 2015 (r404031) @@ -15,9 +15,12 @@ LICENSE= GPLv3 CONFLICTS?= *samba3[2-6]-3.* samba4-4.0.* +DEPRECATED= not supported by the upstream +EXPIRATION_DATE= 2016-03-01 + SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 -SAMBA4_VERSION= 4.1.21 +SAMBA4_VERSION= 4.1.22 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} WRKSRC?= ${WRKDIR}/${DISTNAME} @@ -105,8 +108,8 @@ BUILD_DEPENDS+= tdb>=1.3.8:${PORTSDIR}/ RUN_DEPENDS+= tdb>=1.3.8:${PORTSDIR}/databases/tdb SAMBA4_BUNDLED_LIBS+= !tdb # ldb -BUILD_DEPENDS+= ldb>=1.1.23:${PORTSDIR}/databases/ldb -RUN_DEPENDS+= ldb>=1.1.23:${PORTSDIR}/databases/ldb +BUILD_DEPENDS+= ldb>=1.1.24:${PORTSDIR}/databases/ldb +RUN_DEPENDS+= ldb>=1.1.24:${PORTSDIR}/databases/ldb SAMBA4_BUNDLED_LIBS+= !ldb # Don't use external libcom_err SAMBA4_BUNDLED_LIBS+= com_err @@ -489,11 +492,11 @@ pre-build: source4/utils/man/ntlm_auth4.1 \ source4/utils/man/oLschema2ldif.1 -@${MKDIR} `dirname ${BUILD_WRKSRC}/bin/default/${man}` - @${INSTALL_MAN} ${FILESDIR}/man/`basename ${man}` ${BUILD_WRKSRC}/bin/default/${man} + ${INSTALL_MAN} ${FILESDIR}/man/`basename ${man}` ${BUILD_WRKSRC}/bin/default/${man} . endfor -@${MKDIR} ${BUILD_WRKSRC}/bin/default/docs-xml/manpages . for man in ${SAMBA_MAN1} ${SAMBA_MAN5} ${SAMBA_MAN7} ${SAMBA_MAN8} - -@${INSTALL_MAN} ${BUILD_WRKSRC}/docs/manpages/${man} ${BUILD_WRKSRC}/bin/default/docs-xml/manpages + -${INSTALL_MAN} ${BUILD_WRKSRC}/docs/manpages/${man} ${BUILD_WRKSRC}/bin/default/docs-xml/manpages . endfor .endif @@ -502,7 +505,7 @@ post-install: .if ${PORT_OPTIONS:MDOCS} @${MKDIR} ${STAGEDIR}${DOCSDIR} . for doc in ${PORTDOCS} - @${INSTALL_DATA} ${WRKDIR}/${doc} ${STAGEDIR}${DOCSDIR} + ${INSTALL_DATA} ${WRKDIR}/${doc} ${STAGEDIR}${DOCSDIR} . endfor .endif # Run post-install script Modified: head/net/samba41/distinfo ============================================================================== --- head/net/samba41/distinfo Sat Dec 19 21:42:06 2015 (r404030) +++ head/net/samba41/distinfo Sat Dec 19 22:51:10 2015 (r404031) @@ -1,2 +1,2 @@ -SHA256 (samba-4.1.21.tar.gz) = 00f1c26cd310811afb2fa1a3fb72a23bd2e5c2f6466e6efdcb530305d7c3ce2e -SIZE (samba-4.1.21.tar.gz) = 19561830 +SHA256 (samba-4.1.22.tar.gz) = 5563a1c94a2dac837ccffd1f0821bb25e097affaa7389fef186f9cfb3486cfe5 +SIZE (samba-4.1.22.tar.gz) = 19557688 Modified: head/net/samba42/Makefile ============================================================================== --- head/net/samba42/Makefile Sat Dec 19 21:42:06 2015 (r404030) +++ head/net/samba42/Makefile Sat Dec 19 22:51:10 2015 (r404031) @@ -15,9 +15,11 @@ LICENSE= GPLv3 CONFLICTS?= *samba3[2-6]-3.* samba4-4.0.* samba41-4.1.* samba43-4.3.* +EXTRA_PATCHES= ${PATCHDIR}/extra-patch-security:-p1 + SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 -SAMBA4_VERSION= 4.2.5 +SAMBA4_VERSION= 4.2.7 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} WRKSRC?= ${WRKDIR}/${DISTNAME} @@ -107,8 +109,8 @@ BUILD_DEPENDS+= ntdb>=1.0:${PORTSDIR}/d RUN_DEPENDS+= ntdb>=1.0:${PORTSDIR}/databases/ntdb SAMBA4_BUNDLED_LIBS+= !ntdb # ldb -BUILD_DEPENDS+= ldb>=1.1.23:${PORTSDIR}/databases/ldb -RUN_DEPENDS+= ldb>=1.1.23:${PORTSDIR}/databases/ldb +BUILD_DEPENDS+= ldb>=1.1.24:${PORTSDIR}/databases/ldb +RUN_DEPENDS+= ldb>=1.1.24:${PORTSDIR}/databases/ldb SAMBA4_BUNDLED_LIBS+= !ldb # Don't use external libcom_err SAMBA4_BUNDLED_LIBS+= com_err @@ -174,6 +176,8 @@ SUB_LIST+= NSUPDATE="@comment " .elif ${PORT_OPTIONS:MNSUPDATE} RUN_DEPENDS+= samba-nsupdate:${PORTSDIR}/dns/samba-nsupdate SUB_LIST+= NSUPDATE="" +.else +SUB_LIST+= NSUPDATE="@comment " .endif .if ${PORT_OPTIONS:MDEBUG} @@ -239,8 +243,10 @@ CONFIGURE_ARGS+= --without-acl-support .if ! ${PORT_OPTIONS:MAD_DC} CONFIGURE_ARGS+= --without-ad-dc PLIST_SUB+= AD_DC="@comment " +SUB_LIST+= AD_DC="@comment " .else PLIST_SUB+= AD_DC="" +SUB_LIST+= AD_DC="" .endif .if ${PORT_OPTIONS:MADS} Modified: head/net/samba42/distinfo ============================================================================== --- head/net/samba42/distinfo Sat Dec 19 21:42:06 2015 (r404030) +++ head/net/samba42/distinfo Sat Dec 19 22:51:10 2015 (r404031) @@ -1,2 +1,2 @@ -SHA256 (samba-4.2.5.tar.gz) = 8191c4c0730daf7f9e9a3ea1cc6e680798d76bf855269807778adcccc8d706cf -SIZE (samba-4.2.5.tar.gz) = 20734836 +SHA256 (samba-4.2.7.tar.gz) = f586ab3166ce4c663360f15b1de24ef083816a5471856e3ad49bc26b35f0104a +SIZE (samba-4.2.7.tar.gz) = 20741971 Added: head/net/samba42/files/extra-patch-security ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/samba42/files/extra-patch-security Sat Dec 19 22:51:10 2015 (r404031) @@ -0,0 +1,647 @@ +From 6a25f2a8c651523a272c0019895e1d2b1e83b022 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Sat, 18 Jul 2015 21:50:55 +0200 +Subject: [PATCH 1/5] dbwrap_rbt: Make "key" and "value" aligned to 16 byte +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reported by Uri Simchoni . Thanks! + +Signed-off-by: Volker Lendecke +Reviewed-by: Ralph Boehme + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Mon Jul 20 23:18:23 CEST 2015 on sn-devel-104 + +(cherry picked from commit 64a88f74ca5309dce1d3ec0755ceba4af5144dbd) +--- + lib/dbwrap/dbwrap_rbt.c | 51 +++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 39 insertions(+), 12 deletions(-) + +diff --git a/lib/dbwrap/dbwrap_rbt.c b/lib/dbwrap/dbwrap_rbt.c +index 3f97086..03f2f57 100644 +--- a/lib/dbwrap/dbwrap_rbt.c ++++ b/lib/dbwrap/dbwrap_rbt.c +@@ -38,13 +38,6 @@ struct db_rbt_rec { + struct db_rbt_node { + struct rb_node rb_node; + size_t keysize, valuesize; +- +- /* +- * key and value are appended implicitly, "data" is only here as a +- * target for offsetof() +- */ +- +- char data[1]; + }; + + /* +@@ -83,12 +76,43 @@ static int db_rbt_compare(TDB_DATA a, TDB_DATA b) + static void db_rbt_parse_node(struct db_rbt_node *node, + TDB_DATA *key, TDB_DATA *value) + { +- key->dptr = ((uint8_t *)node) + offsetof(struct db_rbt_node, data); ++ size_t key_offset, value_offset; ++ ++ key_offset = DBWRAP_RBT_ALIGN(sizeof(struct db_rbt_node)); ++ key->dptr = ((uint8_t *)node) + key_offset; + key->dsize = node->keysize; +- value->dptr = key->dptr + node->keysize; ++ ++ value_offset = DBWRAP_RBT_ALIGN(node->keysize); ++ value->dptr = key->dptr + value_offset; + value->dsize = node->valuesize; + } + ++static ssize_t db_rbt_reclen(size_t keylen, size_t valuelen) ++{ ++ size_t len, tmp; ++ ++ len = DBWRAP_RBT_ALIGN(sizeof(struct db_rbt_node)); ++ ++ tmp = DBWRAP_RBT_ALIGN(keylen); ++ if (tmp < keylen) { ++ goto overflow; ++ } ++ ++ len += tmp; ++ if (len < tmp) { ++ goto overflow; ++ } ++ ++ len += valuelen; ++ if (len < valuelen) { ++ goto overflow; ++ } ++ ++ return len; ++overflow: ++ return -1; ++} ++ + static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + { + struct db_rbt_ctx *db_ctx = talloc_get_type_abort( +@@ -99,6 +123,7 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + struct rb_node ** p; + struct rb_node * parent; + ++ ssize_t reclen; + TDB_DATA this_key, this_val; + + if (rec_priv->node != NULL) { +@@ -123,10 +148,12 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + } + } + +- node = (struct db_rbt_node *)talloc_size(db_ctx, +- offsetof(struct db_rbt_node, data) + rec->key.dsize +- + data.dsize); ++ reclen = db_rbt_reclen(rec->key.dsize, data.dsize); ++ if (reclen == -1) { ++ return NT_STATUS_INSUFFICIENT_RESOURCES; ++ } + ++ node = talloc_size(db_ctx, reclen); + if (node == NULL) { + return NT_STATUS_NO_MEMORY; + } +-- +1.9.1 + + +From b4d52184a113851954b1b901f478db200e9fd7a8 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Nov 2015 10:17:34 +0100 +Subject: [PATCH 2/5] dbwrap_rbt: use talloc_zero_size() instead of a partial + ZERO_STRUCT() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11375 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11394 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Volker Lendecke +(cherry picked from commit f3d1fc1d06822a951a2a3eeb5aa53748b9b5b299) +--- + lib/dbwrap/dbwrap_rbt.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/lib/dbwrap/dbwrap_rbt.c b/lib/dbwrap/dbwrap_rbt.c +index 03f2f57..2d65647 100644 +--- a/lib/dbwrap/dbwrap_rbt.c ++++ b/lib/dbwrap/dbwrap_rbt.c +@@ -153,7 +153,7 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + return NT_STATUS_INSUFFICIENT_RESOURCES; + } + +- node = talloc_size(db_ctx, reclen); ++ node = talloc_zero_size(db_ctx, reclen); + if (node == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -172,8 +172,6 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + */ + } + +- ZERO_STRUCT(node->rb_node); +- + node->keysize = rec->key.dsize; + node->valuesize = data.dsize; + +-- +1.9.1 + + +From 10abdaf5c7f99eca742c84a7d55b7bb9c324aeab Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Nov 2015 09:22:08 +0100 +Subject: [PATCH 3/5] dbwrap_rbt: add nested traverse protection + +Multiple dbwrap_traverse_read() calls are possible. + +store() and delete() on a fetch locked record +are rejected during dbwrap_traverse_read(). + +A dbwrap_traverse() within a dbwrap_traverse_read() +behaves like a dbwrap_traverse_read(). + +Nested dbwrap_traverse() calls are not possible. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11375 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11394 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Volker Lendecke +(cherry picked from commit 590507951fc514a679f44b8bfdd03c721189c3fa) +--- + lib/dbwrap/dbwrap_rbt.c | 71 ++++++++++++++++++++++++++++--------------------- + 1 file changed, 40 insertions(+), 31 deletions(-) + +diff --git a/lib/dbwrap/dbwrap_rbt.c b/lib/dbwrap/dbwrap_rbt.c +index 2d65647..d4cb40d 100644 +--- a/lib/dbwrap/dbwrap_rbt.c ++++ b/lib/dbwrap/dbwrap_rbt.c +@@ -27,6 +27,8 @@ + + struct db_rbt_ctx { + struct rb_root tree; ++ size_t traverse_read; ++ bool traverse_write; + }; + + struct db_rbt_rec { +@@ -126,6 +128,10 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + ssize_t reclen; + TDB_DATA this_key, this_val; + ++ if (db_ctx->traverse_read > 0) { ++ return NT_STATUS_MEDIA_WRITE_PROTECTED; ++ } ++ + if (rec_priv->node != NULL) { + + /* +@@ -222,6 +228,10 @@ static NTSTATUS db_rbt_delete(struct db_record *rec) + rec->db->private_data, struct db_rbt_ctx); + struct db_rbt_rec *rec_priv = (struct db_rbt_rec *)rec->private_data; + ++ if (db_ctx->traverse_read > 0) { ++ return NT_STATUS_MEDIA_WRITE_PROTECTED; ++ } ++ + if (rec_priv->node == NULL) { + return NT_STATUS_OK; + } +@@ -232,16 +242,6 @@ static NTSTATUS db_rbt_delete(struct db_record *rec) + return NT_STATUS_OK; + } + +-static NTSTATUS db_rbt_store_deny(struct db_record *rec, TDB_DATA data, int flag) +-{ +- return NT_STATUS_MEDIA_WRITE_PROTECTED; +-} +- +-static NTSTATUS db_rbt_delete_deny(struct db_record *rec) +-{ +- return NT_STATUS_MEDIA_WRITE_PROTECTED; +-} +- + struct db_rbt_search_result { + TDB_DATA key; + TDB_DATA val; +@@ -414,13 +414,8 @@ static int db_rbt_traverse_internal(struct db_context *db, + ZERO_STRUCT(rec); + rec.db = db; + rec.private_data = &rec_priv; +- if (rw) { +- rec.store = db_rbt_store; +- rec.delete_rec = db_rbt_delete; +- } else { +- rec.store = db_rbt_store_deny; +- rec.delete_rec = db_rbt_delete_deny; +- } ++ rec.store = db_rbt_store; ++ rec.delete_rec = db_rbt_delete; + db_rbt_parse_node(rec_priv.node, &rec.key, &rec.value); + + ret = f(&rec, private_data); +@@ -440,18 +435,21 @@ static int db_rbt_traverse_internal(struct db_context *db, + return db_rbt_traverse_internal(db, rb_right, f, private_data, count, rw); + } + +-static int db_rbt_traverse(struct db_context *db, +- int (*f)(struct db_record *db, +- void *private_data), +- void *private_data) ++static int db_rbt_traverse_read(struct db_context *db, ++ int (*f)(struct db_record *db, ++ void *private_data), ++ void *private_data) + { + struct db_rbt_ctx *ctx = talloc_get_type_abort( + db->private_data, struct db_rbt_ctx); + uint32_t count = 0; ++ int ret; + +- int ret = db_rbt_traverse_internal(db, ctx->tree.rb_node, +- f, private_data, &count, +- true /* rw */); ++ ctx->traverse_read++; ++ ret = db_rbt_traverse_internal(db, ctx->tree.rb_node, ++ f, private_data, &count, ++ false /* rw */); ++ ctx->traverse_read--; + if (ret != 0) { + return -1; + } +@@ -461,18 +459,29 @@ static int db_rbt_traverse(struct db_context *db, + return count; + } + +-static int db_rbt_traverse_read(struct db_context *db, +- int (*f)(struct db_record *db, +- void *private_data), +- void *private_data) ++static int db_rbt_traverse(struct db_context *db, ++ int (*f)(struct db_record *db, ++ void *private_data), ++ void *private_data) + { + struct db_rbt_ctx *ctx = talloc_get_type_abort( + db->private_data, struct db_rbt_ctx); + uint32_t count = 0; ++ int ret; ++ ++ if (ctx->traverse_write) { ++ return -1; ++ }; ++ ++ if (ctx->traverse_read > 0) { ++ return db_rbt_traverse_read(db, f, private_data); ++ } + +- int ret = db_rbt_traverse_internal(db, ctx->tree.rb_node, +- f, private_data, &count, +- false /* rw */); ++ ctx->traverse_write = true; ++ ret = db_rbt_traverse_internal(db, ctx->tree.rb_node, ++ f, private_data, &count, ++ true /* rw */); ++ ctx->traverse_write = false; + if (ret != 0) { + return -1; + } +-- +1.9.1 + + +From fd6bcd4cb3752554dd1041f0a41fd7e9edac602d Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Nov 2015 09:22:08 +0100 +Subject: [PATCH 4/5] dbwrap_rbt: fix modifying the db during traverse + +We delete and add of records rebalace the tree, but our +traverse code doesn't handle that and skips records +randomly. + +We maintain records in a linked list for now +in addition to the rbtree and use that list during +traverse. + +This add a bit overhead, but at least it works reliable. +If someone finds a way to do reliable traverse with the +rebalanced tree, we can replace this commit. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11375 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11394 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Volker Lendecke +(cherry picked from commit 0f46da08e160e6712e5282af14e1ec4012614fc7) +--- + lib/dbwrap/dbwrap_rbt.c | 104 ++++++++++++++++++++++++++---------------------- + 1 file changed, 57 insertions(+), 47 deletions(-) + +diff --git a/lib/dbwrap/dbwrap_rbt.c b/lib/dbwrap/dbwrap_rbt.c +index d4cb40d..a9cc641 100644 +--- a/lib/dbwrap/dbwrap_rbt.c ++++ b/lib/dbwrap/dbwrap_rbt.c +@@ -22,13 +22,15 @@ + #include "dbwrap/dbwrap_private.h" + #include "dbwrap/dbwrap_rbt.h" + #include "../lib/util/rbtree.h" ++#include "../lib/util/dlinklist.h" + + #define DBWRAP_RBT_ALIGN(_size_) (((_size_)+15)&~15) + + struct db_rbt_ctx { + struct rb_root tree; ++ struct db_rbt_node *nodes; + size_t traverse_read; +- bool traverse_write; ++ struct db_rbt_node **traverse_nextp; + }; + + struct db_rbt_rec { +@@ -40,6 +42,7 @@ struct db_rbt_rec { + struct db_rbt_node { + struct rb_node rb_node; + size_t keysize, valuesize; ++ struct db_rbt_node *prev, *next; + }; + + /* +@@ -123,7 +126,8 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + struct db_rbt_node *node; + + struct rb_node ** p; +- struct rb_node * parent; ++ struct rb_node *parent = NULL; ++ struct db_rbt_node *parent_node = NULL; + + ssize_t reclen; + TDB_DATA this_key, this_val; +@@ -165,12 +169,19 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + } + + if (rec_priv->node != NULL) { ++ if (db_ctx->traverse_nextp != NULL) { ++ if (*db_ctx->traverse_nextp == rec_priv->node) { ++ *db_ctx->traverse_nextp = node; ++ } ++ } ++ + /* + * We need to delete the key from the tree and start fresh, + * there's not enough space in the existing record + */ + + rb_erase(&rec_priv->node->rb_node, &db_ctx->tree); ++ DLIST_REMOVE(db_ctx->nodes, rec_priv->node); + + /* + * Keep the existing node around for a while: If the record +@@ -197,10 +208,11 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + TDB_DATA search_key, search_val; + int res; + +- parent = (*p); +- + r = db_rbt2node(*p); + ++ parent = (*p); ++ parent_node = r; ++ + db_rbt_parse_node(r, &search_key, &search_val); + + res = db_rbt_compare(this_key, search_key); +@@ -217,6 +229,7 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + } + + rb_link_node(&node->rb_node, parent, p); ++ DLIST_ADD_AFTER(db_ctx->nodes, node, parent_node); + rb_insert_color(&node->rb_node, &db_ctx->tree); + + return NT_STATUS_OK; +@@ -236,7 +249,14 @@ static NTSTATUS db_rbt_delete(struct db_record *rec) + return NT_STATUS_OK; + } + ++ if (db_ctx->traverse_nextp != NULL) { ++ if (*db_ctx->traverse_nextp == rec_priv->node) { ++ *db_ctx->traverse_nextp = rec_priv->node->next; ++ } ++ } ++ + rb_erase(&rec_priv->node->rb_node, &db_ctx->tree); ++ DLIST_REMOVE(db_ctx->nodes, rec_priv->node); + TALLOC_FREE(rec_priv->node); + + return NT_STATUS_OK; +@@ -383,56 +403,48 @@ static NTSTATUS db_rbt_parse_record(struct db_context *db, TDB_DATA key, + } + + static int db_rbt_traverse_internal(struct db_context *db, +- struct rb_node *n, + int (*f)(struct db_record *db, + void *private_data), + void *private_data, uint32_t* count, + bool rw) + { +- struct rb_node *rb_right; +- struct rb_node *rb_left; +- struct db_record rec; +- struct db_rbt_rec rec_priv; ++ struct db_rbt_ctx *ctx = talloc_get_type_abort( ++ db->private_data, struct db_rbt_ctx); ++ struct db_rbt_node *cur = NULL; ++ struct db_rbt_node *next = NULL; + int ret; + +- if (n == NULL) { +- return 0; +- } +- +- rb_left = n->rb_left; +- rb_right = n->rb_right; ++ for (cur = ctx->nodes; cur != NULL; cur = next) { ++ struct db_record rec; ++ struct db_rbt_rec rec_priv; + +- ret = db_rbt_traverse_internal(db, rb_left, f, private_data, count, rw); +- if (ret != 0) { +- return ret; +- } ++ rec_priv.node = cur; ++ next = rec_priv.node->next; + +- rec_priv.node = db_rbt2node(n); +- /* n might be altered by the callback function */ +- n = NULL; ++ ZERO_STRUCT(rec); ++ rec.db = db; ++ rec.private_data = &rec_priv; ++ rec.store = db_rbt_store; ++ rec.delete_rec = db_rbt_delete; ++ db_rbt_parse_node(rec_priv.node, &rec.key, &rec.value); + +- ZERO_STRUCT(rec); +- rec.db = db; +- rec.private_data = &rec_priv; +- rec.store = db_rbt_store; +- rec.delete_rec = db_rbt_delete; +- db_rbt_parse_node(rec_priv.node, &rec.key, &rec.value); +- +- ret = f(&rec, private_data); +- (*count) ++; +- if (ret != 0) { +- return ret; +- } +- +- if (rec_priv.node != NULL) { +- /* +- * If the current record is still there +- * we should take the current rb_right. +- */ +- rb_right = rec_priv.node->rb_node.rb_right; ++ if (rw) { ++ ctx->traverse_nextp = &next; ++ } ++ ret = f(&rec, private_data); ++ (*count) ++; ++ if (rw) { ++ ctx->traverse_nextp = NULL; ++ } ++ if (ret != 0) { ++ return ret; ++ } ++ if (rec_priv.node != NULL) { ++ next = rec_priv.node->next; ++ } + } + +- return db_rbt_traverse_internal(db, rb_right, f, private_data, count, rw); ++ return 0; + } + + static int db_rbt_traverse_read(struct db_context *db, +@@ -446,7 +458,7 @@ static int db_rbt_traverse_read(struct db_context *db, + int ret; + + ctx->traverse_read++; +- ret = db_rbt_traverse_internal(db, ctx->tree.rb_node, ++ ret = db_rbt_traverse_internal(db, + f, private_data, &count, + false /* rw */); + ctx->traverse_read--; +@@ -469,7 +481,7 @@ static int db_rbt_traverse(struct db_context *db, + uint32_t count = 0; + int ret; + +- if (ctx->traverse_write) { ++ if (ctx->traverse_nextp != NULL) { + return -1; + }; + +@@ -477,11 +489,9 @@ static int db_rbt_traverse(struct db_context *db, + return db_rbt_traverse_read(db, f, private_data); + } + +- ctx->traverse_write = true; +- ret = db_rbt_traverse_internal(db, ctx->tree.rb_node, ++ ret = db_rbt_traverse_internal(db, + f, private_data, &count, + true /* rw */); +- ctx->traverse_write = false; + if (ret != 0) { + return -1; + } +-- +1.9.1 + + +From 5b555ac802ce714c26411b48a375d1cc6699b22c Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Nov 2015 00:13:17 +0100 +Subject: [PATCH 5/5] s3:torture: add traverse testing to LOCAL-RBTREE + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11375 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11394 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Volker Lendecke + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Fri Nov 27 13:16:59 CET 2015 on sn-devel-104 + +(cherry picked from commit bb9f13ab4165f150e01a88ddcc51605a7c176f5d) +--- + source3/torture/torture.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/source3/torture/torture.c b/source3/torture/torture.c +index 594d28f..0b37e5c 100644 +--- a/source3/torture/torture.c ++++ b/source3/torture/torture.c +@@ -8352,11 +8352,29 @@ static bool rbt_testval(struct db_context *db, const char *key, + return ret; + } + ++static int local_rbtree_traverse_read(struct db_record *rec, void *private_data) ++{ ++ int *count2 = (int *)private_data; ++ (*count2)++; ++ return 0; ++} ++ ++static int local_rbtree_traverse_delete(struct db_record *rec, void *private_data) ++{ ++ int *count2 = (int *)private_data; ++ (*count2)++; ++ dbwrap_record_delete(rec); ++ return 0; ++} ++ + static bool run_local_rbtree(int dummy) + { + struct db_context *db; + bool ret = false; + int i; ++ NTSTATUS status; ++ int count = 0; ++ int count2 = 0; + + db = db_open_rbt(NULL); + +@@ -8399,6 +8417,27 @@ static bool run_local_rbtree(int dummy) + } + + ret = true; ++ count = 0; count2 = 0; ++ status = dbwrap_traverse_read(db, local_rbtree_traverse_read, ++ &count2, &count); ++ printf("%s: read1: %d %d, %s\n", __func__, count, count2, nt_errstr(status)); ++ if ((count != count2) || (count != 1000)) { ++ ret = false; ++ } ++ count = 0; count2 = 0; ++ status = dbwrap_traverse(db, local_rbtree_traverse_delete, ++ &count2, &count); ++ printf("%s: delete: %d %d, %s\n", __func__, count, count2, nt_errstr(status)); ++ if ((count != count2) || (count != 1000)) { ++ ret = false; ++ } ++ count = 0; count2 = 0; ++ status = dbwrap_traverse_read(db, local_rbtree_traverse_read, ++ &count2, &count); ++ printf("%s: read2: %d %d, %s\n", __func__, count, count2, nt_errstr(status)); ++ if ((count != count2) || (count != 0)) { ++ ret = false; ++ } + + done: + TALLOC_FREE(db); +-- +1.9.1 + Modified: head/net/samba42/files/pkg-message.in ============================================================================== --- head/net/samba42/files/pkg-message.in Sat Dec 19 21:42:06 2015 (r404030) +++ head/net/samba42/files/pkg-message.in Sat Dec 19 22:51:10 2015 (r404031) @@ -8,8 +8,8 @@ How to start: http://wiki.samba.org/inde * All the logs are under: %%SAMBA4_LOGDIR%% -* Provisioning script is: %%PREFIX%%/bin/samba-tool - +%%AD_DC%%* Provisioning script is: %%PREFIX%%/bin/samba-tool +%%AD_DC%% %%NSUPDATE%%You will need to specify location of the 'nsupdate' command in the %%NSUPDATE%%%%SAMBA4_CONFIG%% file: %%NSUPDATE%% Modified: head/net/samba42/pkg-plist ============================================================================== --- head/net/samba42/pkg-plist Sat Dec 19 21:42:06 2015 (r404030) +++ head/net/samba42/pkg-plist Sat Dec 19 22:51:10 2015 (r404031) @@ -1,3 +1,4 @@ +bin/async_connect_send_test bin/cifsdd bin/dbwrap_tool bin/eventlogadm @@ -306,7 +307,7 @@ lib/samba/libsmb-transport-samba4.so lib/samba/libsmbd-base-samba4.so lib/samba/libsmbd-conn-samba4.so lib/samba/libsmbd-shim-samba4.so -lib/samba/libsmbldaphelper-samba4.so +%%LDAP%%lib/samba/libsmbldaphelper-samba4.so lib/samba/libsmbpasswdparser-samba4.so lib/samba/libsmbregistry-samba4.so lib/samba/libsocket-blocking-samba4.so Modified: head/net/samba43/Makefile ============================================================================== --- head/net/samba43/Makefile Sat Dec 19 21:42:06 2015 (r404030) +++ head/net/samba43/Makefile Sat Dec 19 22:51:10 2015 (r404031) @@ -15,9 +15,11 @@ LICENSE= GPLv3 CONFLICTS?= *samba3[2-6]-3.* samba4-4.0.* samba41-4.1.* samba42-4.2.* +EXTRA_PATCHES= ${PATCHDIR}/extra-patch-security:-p1 + SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 -SAMBA4_VERSION= 4.3.1 +SAMBA4_VERSION= 4.3.3 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} WRKSRC?= ${WRKDIR}/${DISTNAME} @@ -86,7 +88,7 @@ RUN_DEPENDS+= libarchive>=3.1.2:${PORTS # External Samba dependencies # IDL compiler BUILD_DEPENDS+= p5-Parse-Pidl>=4.3.1:${PORTSDIR}/devel/p5-Parse-Pidl -# +# BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}dnspython>=1.9.4:${PORTSDIR}/dns/py-dnspython RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}dnspython>=1.9.4:${PORTSDIR}/dns/py-dnspython PLIST_SUB+= PY_DNSPYTHON="@comment " @@ -103,8 +105,8 @@ BUILD_DEPENDS+= tdb>=1.3.8:${PORTSDIR}/ RUN_DEPENDS+= tdb>=1.3.8:${PORTSDIR}/databases/tdb SAMBA4_BUNDLED_LIBS+= !tdb # ldb -BUILD_DEPENDS+= ldb>=1.1.23:${PORTSDIR}/databases/ldb -RUN_DEPENDS+= ldb>=1.1.23:${PORTSDIR}/databases/ldb +BUILD_DEPENDS+= ldb>=1.1.24:${PORTSDIR}/databases/ldb +RUN_DEPENDS+= ldb>=1.1.24:${PORTSDIR}/databases/ldb SAMBA4_BUNDLED_LIBS+= !ldb # Don't use external libcom_err SAMBA4_BUNDLED_LIBS+= com_err @@ -170,6 +172,8 @@ SUB_LIST+= NSUPDATE="@comment " .elif ${PORT_OPTIONS:MNSUPDATE} RUN_DEPENDS+= samba-nsupdate:${PORTSDIR}/dns/samba-nsupdate SUB_LIST+= NSUPDATE="" +.else +SUB_LIST+= NSUPDATE="@comment " .endif .if ${PORT_OPTIONS:MDEBUG} @@ -235,8 +239,10 @@ CONFIGURE_ARGS+= --without-acl-support .if ! ${PORT_OPTIONS:MAD_DC} CONFIGURE_ARGS+= --without-ad-dc PLIST_SUB+= AD_DC="@comment " +SUB_LIST+= AD_DC="@comment " .else PLIST_SUB+= AD_DC="" +SUB_LIST+= AD_DC="" .endif .if ${PORT_OPTIONS:MADS} @@ -278,16 +284,16 @@ CONFIGURE_ARGS+= --disable-cups --disabl .if ${PORT_OPTIONS:MDNSUPDATE} SAMBA_WANT_ADS= yes CONFIGURE_ARGS+= --with-dnsupdate +PLIST_SUB+= DNSUPDATE="" .else CONFIGURE_ARGS+= --without-dnsupdate +PLIST_SUB+= DNSUPDATE="@comment " .endif # https://bugzilla.samba.org/show_bug.cgi?id=9545 .if ${PORT_OPTIONS:MFAM} USES+= fam CONFIGURE_ARGS+= --with-fam -WANT_EXP_MODULES+= vfs_notify_fam -SAMBA4_MODULES+= vfs_notify_fam .else CONFIGURE_ARGS+= --without-fam .endif @@ -368,7 +374,7 @@ CONFIGURE_ARGS+= --with-shared-modules=" gpext_security idmap_ad idmap_ldap idmap_nss idmap_passdb idmap_tdb \ nss_info_template pdb_ldap pdb_samba_dsdb pdb_smbpasswd pdb_tdbsam \ pdb_test pdb_wbc_sam perfcount_test vfs_aio_posix vfs_aio_pthread \ - vfs_cacheprime vfs_dfs_samba4 vfs_fake_acls vfs_notify_fam \ + vfs_cacheprime vfs_dfs_samba4 vfs_fake_acls \ vfs_shadow_copy_test vfs_skel_opaque vfs_skel_transparent . if !empty(SAMBA4_MODULES) && ${SAMBA4_MODULES:M${module}} PLIST_SUB+= MODULE_${module:tu}="" @@ -399,7 +405,6 @@ USE_RC_SUBR= samba_server SUB_FILES= pkg-message README.FreeBSD # Make sure that the right version of Python is used by the tools # https://bugzilla.samba.org/show_bug.cgi?id=7305 -python_OLD_CMD= /usr/bin/env python SHEBANG_FILES= ${PATCH_WRKSRC}/source4/scripting/bin/* # No fancy color error messages .if ${COMPILER_TYPE} == "clang" @@ -432,7 +437,7 @@ SAMBA_MAN8+= eventlogadm.8 idmap_ad.8 i vfs_commit.8 vfs_crossrename.8 vfs_default_quota.8 \ vfs_dirsort.8 vfs_extd_audit.8 vfs_fake_perms.8 vfs_fileid.8 \ vfs_fruit.8 vfs_full_audit.8 vfs_glusterfs.8 vfs_gpfs.8 vfs_media_harmony.8 \ - vfs_netatalk.8 vfs_notify_fam.8 vfs_prealloc.8 \ + vfs_netatalk.8 vfs_prealloc.8 \ vfs_preopen.8 vfs_readahead.8 vfs_readonly.8 \ vfs_recycle.8 vfs_scannedonly.8 vfs_shadow_copy.8 \ vfs_shadow_copy2.8 vfs_snapper.8 vfs_smb_traffic_analyzer.8 \ @@ -489,11 +494,11 @@ pre-build: source4/utils/man/ntlm_auth4.1 \ source4/utils/man/oLschema2ldif.1 -@${MKDIR} `dirname ${BUILD_WRKSRC}/bin/default/${man}` - @${INSTALL_MAN} ${FILESDIR}/man/`basename ${man}` ${BUILD_WRKSRC}/bin/default/${man} + ${INSTALL_MAN} ${FILESDIR}/man/`basename ${man}` ${BUILD_WRKSRC}/bin/default/${man} . endfor -@${MKDIR} ${BUILD_WRKSRC}/bin/default/docs-xml/manpages . for man in ${SAMBA_MAN1} ${SAMBA_MAN5} ${SAMBA_MAN7} ${SAMBA_MAN8} - -@${INSTALL_MAN} ${BUILD_WRKSRC}/docs/manpages/${man} ${BUILD_WRKSRC}/bin/default/docs-xml/manpages + -${INSTALL_MAN} ${BUILD_WRKSRC}/docs/manpages/${man} ${BUILD_WRKSRC}/bin/default/docs-xml/manpages . endfor .endif @@ -502,7 +507,7 @@ post-install: .if ${PORT_OPTIONS:MDOCS} @${MKDIR} ${STAGEDIR}${DOCSDIR} . for doc in ${PORTDOCS} - @${INSTALL_DATA} ${WRKDIR}/${doc} ${STAGEDIR}${DOCSDIR} + ${INSTALL_DATA} ${WRKDIR}/${doc} ${STAGEDIR}${DOCSDIR} . endfor .endif # Run post-install script Modified: head/net/samba43/distinfo ============================================================================== --- head/net/samba43/distinfo Sat Dec 19 21:42:06 2015 (r404030) +++ head/net/samba43/distinfo Sat Dec 19 22:51:10 2015 (r404031) @@ -1,2 +1,2 @@ -SHA256 (samba-4.3.1.tar.gz) = 9908a80d95b9e2583906ed4347a8c80b769539a2788158992fb48ea9fb4d2c82 -SIZE (samba-4.3.1.tar.gz) = 20424516 +SHA256 (samba-4.3.3.tar.gz) = e62d21313acbb29e24b0b80aaf2b63fdd1ccce4cfb741f333deca95a1a3a70df +SIZE (samba-4.3.3.tar.gz) = 20427281 Added: head/net/samba43/files/extra-patch-security ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/samba43/files/extra-patch-security Sat Dec 19 22:51:10 2015 (r404031) @@ -0,0 +1,534 @@ +From a4e75bba5d2b799c11aac9eb1c345b8e58563089 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Nov 2015 10:17:34 +0100 +Subject: [PATCH 1/4] dbwrap_rbt: use talloc_zero_size() instead of a partial + ZERO_STRUCT() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11375 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11394 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Volker Lendecke +(cherry picked from commit f3d1fc1d06822a951a2a3eeb5aa53748b9b5b299) +--- + lib/dbwrap/dbwrap_rbt.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/lib/dbwrap/dbwrap_rbt.c b/lib/dbwrap/dbwrap_rbt.c +index 03f2f57..2d65647 100644 +--- a/lib/dbwrap/dbwrap_rbt.c ++++ b/lib/dbwrap/dbwrap_rbt.c +@@ -153,7 +153,7 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + return NT_STATUS_INSUFFICIENT_RESOURCES; + } + +- node = talloc_size(db_ctx, reclen); ++ node = talloc_zero_size(db_ctx, reclen); + if (node == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -172,8 +172,6 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag) + */ + } + +- ZERO_STRUCT(node->rb_node); +- + node->keysize = rec->key.dsize; + node->valuesize = data.dsize; + +-- +1.9.1 + + +From 3f448c47a8567b0e4794e787399202f050002819 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Nov 2015 09:22:08 +0100 +Subject: [PATCH 2/4] dbwrap_rbt: add nested traverse protection + +Multiple dbwrap_traverse_read() calls are possible. + +store() and delete() on a fetch locked record +are rejected during dbwrap_traverse_read(). + +A dbwrap_traverse() within a dbwrap_traverse_read() +behaves like a dbwrap_traverse_read(). + +Nested dbwrap_traverse() calls are not possible. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11375 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11394 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Volker Lendecke +(cherry picked from commit 590507951fc514a679f44b8bfdd03c721189c3fa) +--- + lib/dbwrap/dbwrap_rbt.c | 71 ++++++++++++++++++++++++++++--------------------- + 1 file changed, 40 insertions(+), 31 deletions(-) + +diff --git a/lib/dbwrap/dbwrap_rbt.c b/lib/dbwrap/dbwrap_rbt.c +index 2d65647..d4cb40d 100644 +--- a/lib/dbwrap/dbwrap_rbt.c ++++ b/lib/dbwrap/dbwrap_rbt.c +@@ -27,6 +27,8 @@ + + struct db_rbt_ctx { + struct rb_root tree; ++ size_t traverse_read; ++ bool traverse_write; + }; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***