debian/changelog

 samba (2:4.5.16+dfsg-1) UNRELEASED; urgency=medium
 
-  * New upstream release
-
- -- Mathieu Parent <sathieu@debian.org>  Sat, 29 Dec 2018 22:18:31 +0100
+  * New upstream release (latest 4.5.x)
+    - Drop merged patches
+  * Fix CVE-2018-14629 regression when there're more than 20 records on a non
+    CNAME record.
+  * Fix rmdir on non-empty samba directory (Closes: #915248)
+  * Ignore nmbd start errors when there is no non-loopback interface
+    (Closes: #893762)
+  * Ignore nmbd start errors when there is  no local IPv4 non-loopback interface
+    (Closes: #859526)
+  * s3:ntlm_auth: fix memory leak in manage_gensec_request() (Closes: #919611)
+
+ -- Mathieu Parent <sathieu@debian.org>  Fri, 18 Jan 2019 07:35:15 +0100
 
 samba (2:4.5.12+dfsg-2+deb9u4) stretch-security; urgency=high
 

debian/patches/CVE-2018-14629-v4-5.patch

@@ -191,3 +191,284 @@ index bef21f6bdaf..51a86198b54 100644
 -- 
 2.11.0
 
+From 6c73a2b3d77115d69f99baa2452d6539c697fc3b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 28 Nov 2018 15:21:56 +0100
+Subject: [PATCH 1/2] CVE-2018-14629 dns: fix CNAME loop prevention using
+ counter regression
+
+The loop prevention should only be done for CNAME records!
+
+Otherwise we truncate the answer records for A, AAAA or
+SRV queries, which is a bad idea if you have more than 20 DCs.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dns_server/dns_query.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
+index 0c26f9f8fb5..19c4dc32faa 100644
+--- a/source4/dns_server/dns_query.c
++++ b/source4/dns_server/dns_query.c
+@@ -439,7 +439,8 @@ static struct tevent_req *handle_authoritative_send(
+ 	TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ 	struct dns_server *dns, const char *forwarder,
+ 	struct dns_name_question *question,
+-	struct dns_res_rec **answers, struct dns_res_rec **nsrecs);
++	struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
++	size_t cname_depth);
+ static WERROR handle_authoritative_recv(struct tevent_req *req);
+ 
+ struct handle_dnsrpcrec_state {
+@@ -455,7 +456,8 @@ static struct tevent_req *handle_dnsrpcrec_send(
+ 	struct dns_server *dns, const char *forwarder,
+ 	const struct dns_name_question *question,
+ 	struct dnsp_DnssrvRpcRecord *rec,
+-	struct dns_res_rec **answers, struct dns_res_rec **nsrecs)
++	struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
++	size_t cname_depth)
+ {
+ 	struct tevent_req *req, *subreq;
+ 	struct handle_dnsrpcrec_state *state;
+@@ -471,7 +473,7 @@ static struct tevent_req *handle_dnsrpcrec_send(
+ 	state->answers = answers;
+ 	state->nsrecs = nsrecs;
+ 
+-	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
++	if (cname_depth >= MAX_Q_RECURSION_DEPTH) {
+ 		tevent_req_done(req);
+ 		return tevent_req_post(req, ev);
+ 	}
+@@ -516,7 +518,8 @@ static struct tevent_req *handle_dnsrpcrec_send(
+ 	if (dns_authoritative_for_zone(dns, new_q->name)) {
+ 		subreq = handle_authoritative_send(
+ 			state, ev, dns, forwarder, new_q,
+-			state->answers, state->nsrecs);
++			state->answers, state->nsrecs,
++			cname_depth + 1);
+ 		if (tevent_req_nomem(subreq, req)) {
+ 			return tevent_req_post(req, ev);
+ 		}
+@@ -600,6 +603,8 @@ struct handle_authoritative_state {
+ 
+ 	struct dns_res_rec **answers;
+ 	struct dns_res_rec **nsrecs;
++
++	size_t cname_depth;
+ };
+ 
+ static void handle_authoritative_done(struct tevent_req *subreq);
+@@ -608,7 +613,8 @@ static struct tevent_req *handle_authoritative_send(
+ 	TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ 	struct dns_server *dns, const char *forwarder,
+ 	struct dns_name_question *question,
+-	struct dns_res_rec **answers, struct dns_res_rec **nsrecs)
++	struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
++	size_t cname_depth)
+ {
+ 	struct tevent_req *req, *subreq;
+ 	struct handle_authoritative_state *state;
+@@ -626,6 +632,7 @@ static struct tevent_req *handle_authoritative_send(
+ 	state->forwarder = forwarder;
+ 	state->answers = answers;
+ 	state->nsrecs = nsrecs;
++	state->cname_depth = cname_depth;
+ 
+ 	werr = dns_name2dn(dns, state, question->name, &dn);
+ 	if (tevent_req_werror(req, werr)) {
+@@ -647,7 +654,8 @@ static struct tevent_req *handle_authoritative_send(
+ 	subreq = handle_dnsrpcrec_send(
+ 		state, state->ev, state->dns, state->forwarder,
+ 		state->question, &state->recs[state->recs_done],
+-		state->answers, state->nsrecs);
++		state->answers, state->nsrecs,
++		state->cname_depth);
+ 	if (tevent_req_nomem(subreq, req)) {
+ 		return tevent_req_post(req, ev);
+ 	}
+@@ -679,7 +687,8 @@ static void handle_authoritative_done(struct tevent_req *subreq)
+ 	subreq = handle_dnsrpcrec_send(
+ 		state, state->ev, state->dns, state->forwarder,
+ 		state->question, &state->recs[state->recs_done],
+-		state->answers, state->nsrecs);
++		state->answers, state->nsrecs,
++		state->cname_depth);
+ 	if (tevent_req_nomem(subreq, req)) {
+ 		return;
+ 	}
+@@ -1010,7 +1019,8 @@ struct tevent_req *dns_server_process_query_send(
+ 
+ 		subreq = handle_authoritative_send(
+ 			state, ev, dns, (forwarders == NULL ? NULL : forwarders[0]),
+-			&in->questions[0], &state->answers, &state->nsrecs);
++			&in->questions[0], &state->answers, &state->nsrecs,
++			0); /* cname_depth */
+ 		if (tevent_req_nomem(subreq, req)) {
+ 			return tevent_req_post(req, ev);
+ 		}
+@@ -1112,7 +1122,8 @@ static void dns_server_process_query_got_auth(struct tevent_req *subreq)
+ 		subreq = handle_authoritative_send(state, state->ev, state->dns,
+ 						   state->forwarders->forwarder,
+ 						   state->question, &state->answers,
+-						   &state->nsrecs);
++						   &state->nsrecs,
++						   0); /* cname_depth */
+ 
+ 		if (tevent_req_nomem(subreq, req)) {
+ 			return;
+-- 
+2.19.2
+
+
+From 77fac10d0171b731bce38e5596928b6d618ed4d8 Mon Sep 17 00:00:00 2001
+From: Aaron Haslett <aaronhaslett@catalyst.net.nz>
+Date: Fri, 30 Nov 2018 18:37:27 +1300
+Subject: [PATCH 2/2] CVE-2018-14629: Tests to expose regression from dns cname
+ loop fix
+
+These tests expose the regression described by Stefan Metzmacher in
+discussion on the bugzilla paged linked below.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
+Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
+---
+ python/samba/tests/dns.py | 97 +++++++++++++++++++++++++++++++++++++++
+ selftest/knownfail.d/dns  | 14 +++++-
+ 2 files changed, 109 insertions(+), 2 deletions(-)
+
+diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
+index 102269c7156..65e4a3b0b3f 100644
+--- a/python/samba/tests/dns.py
++++ b/python/samba/tests/dns.py
+@@ -918,6 +918,103 @@ class TestComplexQueries(DNSTest):
+         max_recursion_depth = 20
+         self.assertEquals(len(response.answers), max_recursion_depth)
+ 
++    # Make sure cname limit doesn't count other records.  This is a generic
++    # test called in tests below
++    def max_rec_test(self, rtype, rec_gen):
++        name = "limittestrec{0}.{1}".format(rtype, self.get_dns_domain())
++        limit = 20
++        num_recs_to_enter = limit + 5
++
++        for i in range(1, num_recs_to_enter+1):
++            ip = rec_gen(i)
++            self.make_dns_update(name, ip, rtype)
++
++        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
++        questions = []
++
++        q = self.make_name_question(name,
++                                    rtype,
++                                    dns.DNS_QCLASS_IN)
++        questions.append(q)
++        self.finish_name_packet(p, questions)
++
++        response = self.dns_transaction_udp(p, host=self.server_ip)
++
++        self.assertEqual(len(response.answers), num_recs_to_enter)
++
++    def test_record_limit_A(self):
++        def ip4_gen(i):
++            return "127.0.0." + str(i)
++        self.max_rec_test(rtype=dns.DNS_QTYPE_A, rec_gen=ip4_gen)
++
++    def test_record_limit_AAAA(self):
++        def ip6_gen(i):
++            return "AAAA:0:0:0:0:0:0:" + str(i)
++        self.max_rec_test(rtype=dns.DNS_QTYPE_AAAA, rec_gen=ip6_gen)
++
++    def test_record_limit_SRV(self):
++        def srv_gen(i):
++            rec = dns.srv_record()
++            rec.priority = 1
++            rec.weight = 1
++            rec.port = 92
++            rec.target = "srvtestrec" + str(i)
++            return rec
++        self.max_rec_test(rtype=dns.DNS_QTYPE_SRV, rec_gen=srv_gen)
++
++    # Same as test_record_limit_A but with a preceding CNAME follow
++    def test_cname_limit(self):
++        cname1 = "cnamelimittestrec." + self.get_dns_domain()
++        cname2 = "cnamelimittestrec2." + self.get_dns_domain()
++        cname3 = "cnamelimittestrec3." + self.get_dns_domain()
++        ip_prefix = '127.0.0.'
++        limit = 20
++        num_recs_to_enter = limit + 5
++
++        self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
++        self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
++        num_arecs_to_enter = num_recs_to_enter - 2
++        for i in range(1, num_arecs_to_enter+1):
++            ip = ip_prefix + str(i)
++            self.make_dns_update(cname3, ip, dns.DNS_QTYPE_A)
++
++        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
++        questions = []
++
++        q = self.make_name_question(cname1,
++                                    dns.DNS_QTYPE_A,
++                                    dns.DNS_QCLASS_IN)
++        questions.append(q)
++        self.finish_name_packet(p, questions)
++
++        response = self.dns_transaction_udp(p, host=self.server_ip)
++
++        self.assertEqual(len(response.answers), num_recs_to_enter)
++
++    # ANY query on cname record shouldn't follow the link
++    def test_cname_any_query(self):
++        cname1 = "cnameanytestrec." + self.get_dns_domain()
++        cname2 = "cnameanytestrec2." + self.get_dns_domain()
++        cname3 = "cnameanytestrec3." + self.get_dns_domain()
++
++        self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
++        self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
++
++        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
++        questions = []
++
++        q = self.make_name_question(cname1,
++                                    dns.DNS_QTYPE_ALL,
++                                    dns.DNS_QCLASS_IN)
++        questions.append(q)
++        self.finish_name_packet(p, questions)
++
++        response = self.dns_transaction_udp(p, host=self.server_ip)
++
++        self.assertEqual(len(response.answers), 1)
++        self.assertEqual(response.answers[0].name, cname1)
++        self.assertEqual(response.answers[0].rdata, cname2)
++
+ 
+ class TestInvalidQueries(DNSTest):
+ 
+diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
+index 916afc1af85..a9b16eaac2a 100644
+--- a/selftest/knownfail.d/dns
++++ b/selftest/knownfail.d/dns
+@@ -1,5 +1,15 @@
+ #
+-# rodc and vampire_dc require signed dns updates, so the test setup
+-# fails, but the test does run on fl2003dc
++# rodc and vampire_dc require signed dns updates, so these tests' setups
++# fail, but they pass on fl2003dc
+ ^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
+ ^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(rodc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(rodc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(rodc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(rodc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(vampire_dc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(rodc:local\)
+-- 
+2.19.2
+

debian/patches/fix-rmdir.patch

+From: Anoop C S <anoopcs@redhat.com>
+Date: Thu, 9 Aug 2018 12:28:41 +0530
+Subject: s3/libsmb: Explicitly set delete_on_close token for rmdir
+
+The current implementation of `rmdir` hopes to get the directory deleted
+on closing last open handle when FILE_DELETE_ON_CLOSE is set on it. But
+for non-empty directories Windows doesn't error out during an open call.
+Following that we internally refuse to set initial delete_on_close while
+opening a non-empty directory. This prevents us from trying to delete
+the directory when last open handle is closed.
+
+Instead of relying on FILE_DELETE_ON_CLOSE during an open we explicitly
+set delete_on_close token on directory handle once it is available. This
+ensures that NT_STATUS_DIRECTORY_NOT_EMPTY is returned for `rmdir` on
+non-empty directories while closing open directory handle.
+
+Applied-Upstream: https://github.com/samba-team/samba/commit/6b68e3eca631c04d6d57c489daf60f64732fc86d
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13204
+Bug-Debian: https://bugs.debian.org/915248
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1795772
+
+diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
+index 237e6bb2b..d4ff8bd28 100644
+--- a/source3/libsmb/cli_smb2_fnum.c
++++ b/source3/libsmb/cli_smb2_fnum.c
+@@ -682,13 +682,20 @@ NTSTATUS cli_smb2_rmdir(struct cli_state *cli, const char *dname)
+ 			FILE_ATTRIBUTE_DIRECTORY, /* file attributes */
+ 			FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access */
+ 			FILE_OPEN,		/* create_disposition */
+-			FILE_DIRECTORY_FILE|FILE_DELETE_ON_CLOSE,	/* create_options */
++			FILE_DIRECTORY_FILE,	/* create_options */
+ 			&fnum,
+ 			NULL);
+ 
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		return status;
+ 	}
++
++	status = cli_smb2_delete_on_close(cli, fnum, true);
++	if (!NT_STATUS_IS_OK(status)) {
++		cli_smb2_close_fnum(cli, fnum);
++		return status;
++	}
++
+ 	return cli_smb2_close_fnum(cli, fnum);
+ }
+ 

debian/patches/s3-ntlm_auth-fix-memory-leak-in-manage_gensec_reques.patch

+From 1606ab1baf02c8d3797fdc6f347af2c8552996a0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 4 Apr 2017 11:52:56 +0200
+Subject: [PATCH] s3:ntlm_auth: fix memory leak in manage_gensec_request()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12736
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e999b798c6484de3cddad988406f97fc4cc7af79)
+
+Bug-Debian: https://bugs.debian.org/919611
+---
+ source3/utils/ntlm_auth.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 84269a139a3..d35e8f050b6 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -1290,6 +1290,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ 
+ 	TALLOC_CTX *mem_ctx;
+ 
++	mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
++
+ 	if (*private1) {
+ 		state = (struct gensec_ntlm_state *)*private1;
+ 	} else {
+@@ -1307,6 +1309,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ 	if (strlen(buf) < 2) {
+ 		DEBUG(1, ("query [%s] invalid", buf));
+ 		x_fprintf(x_stdout, "BH Query invalid\n");
++		talloc_free(mem_ctx);
+ 		return;
+ 	}
+ 
+@@ -1316,9 +1319,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ 			talloc_free(want_feature_list);
+ 			want_feature_list = talloc_strndup(state, buf+3, strlen(buf)-3);
+ 			x_fprintf(x_stdout, "OK\n");
++			talloc_free(mem_ctx);
+ 			return;
+ 		}
+-		in = base64_decode_data_blob(buf + 3);
++		in = base64_decode_data_blob_talloc(mem_ctx, buf + 3);
+ 	} else {
+ 		in = data_blob(NULL, 0);
+ 	}
+@@ -1331,7 +1335,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ 	} else if ( (strncmp(buf, "OK", 2) == 0)) {
+ 		/* Just return BH, like ntlm_auth from Samba 3 does. */
+ 		x_fprintf(x_stdout, "BH Command expected\n");
+-		data_blob_free(&in);
++		talloc_free(mem_ctx);
+ 		return;
+ 	} else if ( (strncmp(buf, "TT ", 3) != 0) &&
+ 		    (strncmp(buf, "KK ", 3) != 0) &&
+@@ -1343,12 +1347,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ 		    (strncmp(buf, "GF", 2) != 0)) {
+ 		DEBUG(1, ("SPNEGO request [%s] invalid prefix\n", buf));
+ 		x_fprintf(x_stdout, "BH SPNEGO request invalid prefix\n");
+-		data_blob_free(&in);
++		talloc_free(mem_ctx);
+ 		return;
+ 	}
+ 
+-	mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
+-
+ 	/* setup gensec */
+ 	if (!(state->gensec_state)) {
+ 		switch (stdio_helper_mode) {
+@@ -1478,7 +1480,6 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ 					     state->set_password,
+ 					     CRED_SPECIFIED);
+ 		x_fprintf(x_stdout, "OK\n");
+-		data_blob_free(&in);
+ 		talloc_free(mem_ctx);
+ 		return;
+ 	}
+@@ -1510,10 +1511,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ 		neg_flags = gensec_ntlmssp_neg_flags(state->gensec_state);
+ 		if (neg_flags == 0) {
+ 			x_fprintf(x_stdout, "BH\n");
++			talloc_free(mem_ctx);
+ 			return;
+ 		}
+ 
+ 		x_fprintf(x_stdout, "GF 0x%08x\n", neg_flags);
++		talloc_free(mem_ctx);
+ 		return;
+ 	}
+ 
+-- 
+2.19.2
+

debian/patches/series

@@ -21,3 +21,5 @@ CVE-2018-10858-4.6.patch
 CVE-2018-14629-v4-5.patch
 CVE-2018-16841-master.patch
 CVE-2018-16851-master.patch
+fix-rmdir.patch
+s3-ntlm_auth-fix-memory-leak-in-manage_gensec_reques.patch

debian/rules

@@ -209,7 +209,7 @@ override_dh_installchangelogs:
 override_dh_installinit:
 ifneq (,$(filter samba, $(shell dh_listpackages)))
 	dh_installinit -psamba --name smbd
-	dh_installinit -psamba --name nmbd
+	dh_installinit -psamba --name nmbd --error-handler nmbd_error_handler
 	dh_installinit -psamba --name samba-ad-dc
 	dh_installinit -psamba --noscripts
 	dh_installinit -psamba --no-start --name reload-smbd

debian/samba.postinst

@@ -6,6 +6,23 @@
 
 set -e
 
+nmbd_error_handler() {
+    if [ -d /sys/class/net/lo ] && ls /sys/class/net | grep -qv ^lo$; then
+        # https://bugs.debian.org/893762
+        echo 'WARNING: nmbd failed to start as there is no non-loopback interfaces available.'
+        echo 'Either add an interface or set "disable netbios = yes" in smb.conf and run "systemctl mask nmbd"'
+        return 0
+    elif command -v ip > /dev/null && ip a show | grep '^[[:space:]]*inet ' | grep -vq ' lo$'; then
+        # https://bugs.debian.org/859526
+        echo 'WARNING: nmbd failed to start as there is no local IPv4 non-loopback interfaces available.'
+        echo 'Either add an IPv4 address or set "disable netbios = yes" in smb.conf and run "systemctl mask nmbd"'
+        return 0
+    else
+        echo 'ERROR: nmbd failed to start.'
+        return 1 # caught by set -e
+    fi
+}
+
 # We generate several files during the postinst, and we don't want
 #	them to be readable only by root.
 umask 022

python/samba/tests/dns.py

@@ -918,6 +918,103 @@ class TestComplexQueries(DNSTest):
         max_recursion_depth = 20
         self.assertEquals(len(response.answers), max_recursion_depth)
 
+    # Make sure cname limit doesn't count other records.  This is a generic
+    # test called in tests below
+    def max_rec_test(self, rtype, rec_gen):
+        name = "limittestrec{0}.{1}".format(rtype, self.get_dns_domain())
+        limit = 20
+        num_recs_to_enter = limit + 5
+
+        for i in range(1, num_recs_to_enter+1):
+            ip = rec_gen(i)
+            self.make_dns_update(name, ip, rtype)
+
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        q = self.make_name_question(name,
+                                    rtype,
+                                    dns.DNS_QCLASS_IN)
+        questions.append(q)
+        self.finish_name_packet(p, questions)
+
+        response = self.dns_transaction_udp(p, host=self.server_ip)
+
+        self.assertEqual(len(response.answers), num_recs_to_enter)
+
+    def test_record_limit_A(self):
+        def ip4_gen(i):
+            return "127.0.0." + str(i)
+        self.max_rec_test(rtype=dns.DNS_QTYPE_A, rec_gen=ip4_gen)
+
+    def test_record_limit_AAAA(self):
+        def ip6_gen(i):
+            return "AAAA:0:0:0:0:0:0:" + str(i)
+        self.max_rec_test(rtype=dns.DNS_QTYPE_AAAA, rec_gen=ip6_gen)
+
+    def test_record_limit_SRV(self):
+        def srv_gen(i):
+            rec = dns.srv_record()
+            rec.priority = 1
+            rec.weight = 1
+            rec.port = 92
+            rec.target = "srvtestrec" + str(i)
+            return rec
+        self.max_rec_test(rtype=dns.DNS_QTYPE_SRV, rec_gen=srv_gen)
+
+    # Same as test_record_limit_A but with a preceding CNAME follow
+    def test_cname_limit(self):
+        cname1 = "cnamelimittestrec." + self.get_dns_domain()
+        cname2 = "cnamelimittestrec2." + self.get_dns_domain()
+        cname3 = "cnamelimittestrec3." + self.get_dns_domain()
+        ip_prefix = '127.0.0.'
+        limit = 20
+        num_recs_to_enter = limit + 5
+
+        self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
+        self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
+        num_arecs_to_enter = num_recs_to_enter - 2
+        for i in range(1, num_arecs_to_enter+1):
+            ip = ip_prefix + str(i)
+            self.make_dns_update(cname3, ip, dns.DNS_QTYPE_A)
+
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        q = self.make_name_question(cname1,
+                                    dns.DNS_QTYPE_A,
+                                    dns.DNS_QCLASS_IN)
+        questions.append(q)
+        self.finish_name_packet(p, questions)
+
+        response = self.dns_transaction_udp(p, host=self.server_ip)
+
+        self.assertEqual(len(response.answers), num_recs_to_enter)
+
+    # ANY query on cname record shouldn't follow the link
+    def test_cname_any_query(self):
+        cname1 = "cnameanytestrec." + self.get_dns_domain()
+        cname2 = "cnameanytestrec2." + self.get_dns_domain()
+        cname3 = "cnameanytestrec3." + self.get_dns_domain()
+
+        self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
+        self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
+
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        q = self.make_name_question(cname1,
+                                    dns.DNS_QTYPE_ALL,
+                                    dns.DNS_QCLASS_IN)
+        questions.append(q)
+        self.finish_name_packet(p, questions)
+
+        response = self.dns_transaction_udp(p, host=self.server_ip)
+
+        self.assertEqual(len(response.answers), 1)
+        self.assertEqual(response.answers[0].name, cname1)
+        self.assertEqual(response.answers[0].rdata, cname2)
+
 
 class TestInvalidQueries(DNSTest):
 

selftest/knownfail.d/dns

 #
-# rodc and vampire_dc require signed dns updates, so the test setup
-# fails, but the test does run on fl2003dc
+# rodc and vampire_dc require signed dns updates, so these tests' setups
+# fail, but they pass on fl2003dc
 ^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
 ^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(rodc:local\)

source3/libsmb/cli_smb2_fnum.c

@@ -550,13 +550,20 @@ NTSTATUS cli_smb2_rmdir(struct cli_state *cli, const char *dname)
 			FILE_ATTRIBUTE_DIRECTORY, /* file attributes */
 			FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access */
 			FILE_OPEN,		/* create_disposition */
-			FILE_DIRECTORY_FILE|FILE_DELETE_ON_CLOSE,	/* create_options */
+			FILE_DIRECTORY_FILE,	/* create_options */
 			&fnum,
 			NULL);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
+
+	status = cli_smb2_delete_on_close(cli, fnum, true);
+	if (!NT_STATUS_IS_OK(status)) {
+		cli_smb2_close_fnum(cli, fnum);
+		return status;
+	}
+
 	return cli_smb2_close_fnum(cli, fnum);
 }
 

source3/utils/ntlm_auth.c

@@ -1290,6 +1290,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 
 	TALLOC_CTX *mem_ctx;
 
+	mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
+
 	if (*private1) {
 		state = (struct gensec_ntlm_state *)*private1;
 	} else {
@@ -1307,6 +1309,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 	if (strlen(buf) < 2) {
 		DEBUG(1, ("query [%s] invalid", buf));
 		x_fprintf(x_stdout, "BH Query invalid\n");
+		talloc_free(mem_ctx);
 		return;
 	}
 
@@ -1316,9 +1319,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 			talloc_free(want_feature_list);
 			want_feature_list = talloc_strndup(state, buf+3, strlen(buf)-3);
 			x_fprintf(x_stdout, "OK\n");
+			talloc_free(mem_ctx);
 			return;
 		}
-		in = base64_decode_data_blob(buf + 3);
+		in = base64_decode_data_blob_talloc(mem_ctx, buf + 3);
 	} else {
 		in = data_blob(NULL, 0);
 	}
@@ -1331,7 +1335,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 	} else if ( (strncmp(buf, "OK", 2) == 0)) {
 		/* Just return BH, like ntlm_auth from Samba 3 does. */
 		x_fprintf(x_stdout, "BH Command expected\n");
-		data_blob_free(&in);
+		talloc_free(mem_ctx);
 		return;
 	} else if ( (strncmp(buf, "TT ", 3) != 0) &&
 		    (strncmp(buf, "KK ", 3) != 0) &&
@@ -1343,12 +1347,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 		    (strncmp(buf, "GF", 2) != 0)) {
 		DEBUG(1, ("SPNEGO request [%s] invalid prefix\n", buf));
 		x_fprintf(x_stdout, "BH SPNEGO request invalid prefix\n");
-		data_blob_free(&in);
+		talloc_free(mem_ctx);
 		return;
 	}
 
-	mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
-
 	/* setup gensec */
 	if (!(state->gensec_state)) {
 		switch (stdio_helper_mode) {
@@ -1478,7 +1480,6 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 					     state->set_password,
 					     CRED_SPECIFIED);
 		x_fprintf(x_stdout, "OK\n");
-		data_blob_free(&in);
 		talloc_free(mem_ctx);
 		return;
 	}
@@ -1510,10 +1511,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 		neg_flags = gensec_ntlmssp_neg_flags(state->gensec_state);
 		if (neg_flags == 0) {
 			x_fprintf(x_stdout, "BH\n");
+			talloc_free(mem_ctx);
 			return;
 		}
 
 		x_fprintf(x_stdout, "GF 0x%08x\n", neg_flags);
+		talloc_free(mem_ctx);
 		return;
 	}
 

source4/dns_server/dns_query.c

@@ -439,7 +439,8 @@ static struct tevent_req *handle_authoritative_send(
 	TALLOC_CTX *mem_ctx, struct tevent_context *ev,
 	struct dns_server *dns, const char *forwarder,
 	struct dns_name_question *question,
-	struct dns_res_rec **answers, struct dns_res_rec **nsrecs);
+	struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
+	size_t cname_depth);
 static WERROR handle_authoritative_recv(struct tevent_req *req);
 
 struct handle_dnsrpcrec_state {
@@ -455,7 +456,8 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	struct dns_server *dns, const char *forwarder,
 	const struct dns_name_question *question,
 	struct dnsp_DnssrvRpcRecord *rec,
-	struct dns_res_rec **answers, struct dns_res_rec **nsrecs)
+	struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
+	size_t cname_depth)
 {
 	struct tevent_req *req, *subreq;
 	struct handle_dnsrpcrec_state *state;
@@ -471,7 +473,7 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	state->answers = answers;
 	state->nsrecs = nsrecs;
 
-	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
+	if (cname_depth >= MAX_Q_RECURSION_DEPTH) {
 		tevent_req_done(req);
 		return tevent_req_post(req, ev);
 	}
@@ -516,7 +518,8 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	if (dns_authoritative_for_zone(dns, new_q->name)) {
 		subreq = handle_authoritative_send(
 			state, ev, dns, forwarder, new_q,
-			state->answers, state->nsrecs);
+			state->answers, state->nsrecs,
+			cname_depth + 1);
 		if (tevent_req_nomem(subreq, req)) {
 			return tevent_req_post(req, ev);
 		}
@@ -600,6 +603,8 @@ struct handle_authoritative_state {
 
 	struct dns_res_rec **answers;
 	struct dns_res_rec **nsrecs;
+
+	size_t cname_depth;
 };
 
 static void handle_authoritative_done(struct tevent_req *subreq);
@@ -608,7 +613,8 @@ static struct tevent_req *handle_authoritative_send(
 	TALLOC_CTX *mem_ctx, struct tevent_context *ev,
 	struct dns_server *dns, const char *forwarder,
 	struct dns_name_question *question,
-	struct dns_res_rec **answers, struct dns_res_rec **nsrecs)
+	struct dns_res_rec **answers, struct dns_res_rec **nsrecs,
+	size_t cname_depth)
 {
 	struct tevent_req *req, *subreq;
 	struct handle_authoritative_state *state;
@@ -626,6 +632,7 @@ static struct tevent_req *handle_authoritative_send(
 	state->forwarder = forwarder;
 	state->answers = answers;
 	state->nsrecs = nsrecs;
+	state->cname_depth = cname_depth;
 
 	werr = dns_name2dn(dns, state, question->name, &dn);
 	if (tevent_req_werror(req, werr)) {
@@ -647,7 +654,8 @@ static struct tevent_req *handle_authoritative_send(
 	subreq = handle_dnsrpcrec_send(
 		state, state->ev, state->dns, state->forwarder,
 		state->question, &state->recs[state->recs_done],
-		state->answers, state->nsrecs);
+		state->answers, state->nsrecs,
+		state->cname_depth);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
 	}
@@ -679,7 +687,8 @@ static void handle_authoritative_done(struct tevent_req *subreq)
 	subreq = handle_dnsrpcrec_send(
 		state, state->ev, state->dns, state->forwarder,
 		state->question, &state->recs[state->recs_done],
-		state->answers, state->nsrecs);
+		state->answers, state->nsrecs,
+		state->cname_depth);
 	if (tevent_req_nomem(subreq, req)) {
 		return;
 	}
@@ -1010,7 +1019,8 @@ struct tevent_req *dns_server_process_query_send(
 
 		subreq = handle_authoritative_send(
 			state, ev, dns, (forwarders == NULL ? NULL : forwarders[0]),
-			&in->questions[0], &state->answers, &state->nsrecs);
+			&in->questions[0], &state->answers, &state->nsrecs,
+			0); /* cname_depth */
 		if (tevent_req_nomem(subreq, req)) {
 			return tevent_req_post(req, ev);
 		}
@@ -1112,7 +1122,8 @@ static void dns_server_process_query_got_auth(struct tevent_req *subreq)
 		subreq = handle_authoritative_send(state, state->ev, state->dns,
 						   state->forwarders->forwarder,
 						   state->question, &state->answers,
-						   &state->nsrecs);
+						   &state->nsrecs,
+						   0); /* cname_depth */
 
 		if (tevent_req_nomem(subreq, req)) {
 			return;