[PATCH] net ads gpo list doesn't cope with missing attributes.

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[PATCH] net ads gpo list doesn't cope with missing attributes.

Samba - samba-technical mailing list
Patch for bug:

https://bugzilla.samba.org/show_bug.cgi?id=12695

which was discovered by customers and reproduced
here at Google.

When parsing an LDAP GPO object we insist on the following attributes existing:

displayName
flags
gPCFileSysPath
name
ntSecurityDescriptor
versionNumber

If any are not present we fail listing all GPO objects with an
"Out of memory" error (which is obviously incorrect).

This patch fixes the problem by causing any missing attributes in
ads_parse_gpo() to return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE).

The interfaces to ads_pull_string() and ads_pull_sd() are broken
in that they return NULL for both a talloc fail (out of memory)
and also for a missing attribute in the LDAPMessage * pointer,
so there's no way to tell the difference between these error
cases. This patch causes ads_parse_gpo() to follow the same
convention as other uses of ads_pull_string(), ads_pull_sd(),
which is to assume a NULL return means missing attribute,
not out of memory. Fixing this is a patch for another day :-).

Please review and push if happy !

Jeremy.

0001-s3-libgpo-Allow-skipping-GPO-objects-that-don-t-have.patch (2K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [PATCH] net ads gpo list doesn't cope with missing attributes.

Samba - samba-technical mailing list
On Wednesday, 15 March 2017 23:59:14 CET Jeremy Allison via samba-technical
wrote:

> Patch for bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=12695
>
> which was discovered by customers and reproduced
> here at Google.
>
> When parsing an LDAP GPO object we insist on the following attributes
> existing:
>
> displayName
> flags
> gPCFileSysPath
> name
> ntSecurityDescriptor
> versionNumber
>
> If any are not present we fail listing all GPO objects with an
> "Out of memory" error (which is obviously incorrect).
>
> This patch fixes the problem by causing any missing attributes in
> ads_parse_gpo() to return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE).
>
> The interfaces to ads_pull_string() and ads_pull_sd() are broken
> in that they return NULL for both a talloc fail (out of memory)
> and also for a missing attribute in the LDAPMessage * pointer,
> so there's no way to tell the difference between these error
> cases. This patch causes ads_parse_gpo() to follow the same
> convention as other uses of ads_pull_string(), ads_pull_sd(),
> which is to assume a NULL return means missing attribute,
> not out of memory. Fixing this is a patch for another day :-).
>
> Please review and push if happy !

Pushed by gd

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Loading...