Import OL

SOURCES/102-orabug36566309-s3-winbindd-winbindd_pam-fix-leak-in-extract_pac_vrfy_sigs.patch

@@ -0,0 +1,80 @@
+From 48493735e2d2091740fe784cf07a4258dfc0b512 Mon Sep 17 00:00:00 2001
+From: Shaleen Bathla <shaleen.bathla@oracle.com>
+Date: Wed, 10 Apr 2024 18:31:39 +0530
+Subject: [PATCH] s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs
+
+Add missing free for entry variable and its members : key and principal
+Found definite memory leaks via valgrind as shown below.
+
+Leak 1 :
+==1686== 76,800 bytes in 2,400 blocks are definitely lost in loss record 432 of 433
+==1686==    at 0x4C38185: malloc (vg_replace_malloc.c:431)
+==1686==    by 0x79CBFED: krb5int_c_copy_keyblock_contents (keyblocks.c:101)
+==1686==    by 0x621CFA3: krb5_mkt_get_next (kt_memory.c:500)
+==1686==    by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
+==1686==    by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
+==1686==    by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
+==1686==    by 0x127F45: process_request_send (winbindd.c:502)
+==1686==    by 0x127F45: winbind_client_request_read (winbindd.c:749)
+==1686==    by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
+==1686==    by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
+==1686==    by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
+==1686==    by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
+==1686==    by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
+==1686==    by 0x66D39B4: _tevent_loop_once (tevent.c:823)
+==1686==    by 0x1232F3: main (winbindd.c:1718)
+
+Leak 2 :
+==1686==    at 0x4C38185: malloc (vg_replace_malloc.c:431)
+==1686==    by 0x62255E4: krb5_copy_principal (copy_princ.c:38)
+==1686==    by 0x621D003: krb5_mkt_get_next (kt_memory.c:503)
+==1686==    by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
+==1686==    by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
+==1686==    by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
+==1686==    by 0x127F45: process_request_send (winbindd.c:502)
+==1686==    by 0x127F45: winbind_client_request_read (winbindd.c:749)
+==1686==    by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
+==1686==    by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
+==1686==    by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
+==1686==    by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
+==1686==    by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
+==1686==    by 0x66D39B4: _tevent_loop_once (tevent.c:823)
+==1686==    by 0x1232F3: main (winbindd.c:1718)
+
+Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Tue Apr 16 10:22:51 UTC 2024 on atb-devel-224
+
+Orabug: 36566309
+Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
+Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
+---
+ source3/winbindd/winbindd_pam.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 6c890c8acd5..e7d64189b7e 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -3433,12 +3433,17 @@ static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
+ 					     NULL, /* client_principal */
+ 					     0, /* tgs_authtime */
+ 					     p_pac_data);
++		(void)smb_krb5_kt_free_entry(krbctx, &entry);
+ 		if (NT_STATUS_IS_OK(status)) {
+ 			break;
+ 		}
+-		k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
+ 		k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
+ 	}
++	if (k5ret != 0 && k5ret != KRB5_KT_END) {
++		DEBUG(1, ("Failed to get next entry: %s\n",
++			  error_message(k5ret)));
++		(void)smb_krb5_kt_free_entry(krbctx, &entry);
++	}
+ 
+ 	k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
+ 	if (k5ret) {

SOURCES/redhat-4.20.2.patch

@@ -1,7 +1,7 @@
 From dddbbec2cb10b05a6ec3b4f1fcc877d60a44080a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
 Date: Thu, 4 Jul 2024 11:08:03 +0200
-Subject: [PATCH 1/2] .gitlab-ci-main.yml: Add safe.directory '*'
+Subject: [PATCH 1/5] .gitlab-ci-main.yml: Add safe.directory '*'
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -48,13 +48,13 @@ index face2103327..08865ca2c42 100644
      - mount
      - df -h
 -- 
-2.45.2
+2.49.0
 
 
 From 1c69964d34d2cf66532b23ffde76a839a65b0db2 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Fri, 12 Jul 2024 14:18:26 +0200
-Subject: [PATCH 2/2] s3:printing: Allow to run samba-bgqd as a standalone
+Subject: [PATCH 2/5] s3:printing: Allow to run samba-bgqd as a standalone
  systemd service
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15683
@@ -98,5 +98,830 @@ index 59ed0cc40db..9560fcf9e35 100644
  		pid_t pid = getpid();
  		ssize_t written;
 -- 
-2.45.2
+2.49.0
+
+
+From 2e7ffc196aa9f241622a32ea002d96ad00799e4d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 22 Jul 2024 12:26:55 +0200
+Subject: [PATCH 3/5] s3:notifyd: Use a watcher per db record
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a O(n²) performance regression in notifyd. The problem was
+that we had a watcher per notify instance. This changes the code to have
+a watcher per notify db entry.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14430
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Tue Oct  1 14:22:43 UTC 2024 on atb-devel-224
+---
+ source3/smbd/notifyd/notifyd.c         | 214 ++++++++++++++++++-------
+ source3/smbd/notifyd/notifyd_db.c      |   5 +-
+ source3/smbd/notifyd/notifyd_entry.c   |  51 ++++--
+ source3/smbd/notifyd/notifyd_private.h |  46 ++++--
+ 4 files changed, 228 insertions(+), 88 deletions(-)
+
+diff --git a/source3/smbd/notifyd/notifyd.c b/source3/smbd/notifyd/notifyd.c
+index ca303bd4d51..b368b8390fa 100644
+--- a/source3/smbd/notifyd/notifyd.c
++++ b/source3/smbd/notifyd/notifyd.c
+@@ -337,6 +337,7 @@ static bool notifyd_apply_rec_change(
+ 	struct messaging_context *msg_ctx)
+ {
+ 	struct db_record *rec = NULL;
++	struct notifyd_watcher watcher = {};
+ 	struct notifyd_instance *instances = NULL;
+ 	size_t num_instances;
+ 	size_t i;
+@@ -344,6 +345,7 @@ static bool notifyd_apply_rec_change(
+ 	TDB_DATA value;
+ 	NTSTATUS status;
+ 	bool ok = false;
++	bool new_watcher = false;
+ 
+ 	if (pathlen == 0) {
+ 		DBG_WARNING("pathlen==0\n");
+@@ -374,8 +376,12 @@ static bool notifyd_apply_rec_change(
+ 	value = dbwrap_record_get_value(rec);
+ 
+ 	if (value.dsize != 0) {
+-		if (!notifyd_parse_entry(value.dptr, value.dsize, NULL,
+-					 &num_instances)) {
++		ok = notifyd_parse_entry(value.dptr,
++					 value.dsize,
++					 &watcher,
++					 NULL,
++					 &num_instances);
++		if (!ok) {
+ 			goto fail;
+ 		}
+ 	}
+@@ -390,8 +396,22 @@ static bool notifyd_apply_rec_change(
+ 		goto fail;
+ 	}
+ 
+-	if (value.dsize != 0) {
+-		memcpy(instances, value.dptr, value.dsize);
++	if (num_instances > 0) {
++		struct notifyd_instance *tmp = NULL;
++		size_t num_tmp = 0;
++
++		ok = notifyd_parse_entry(value.dptr,
++					 value.dsize,
++					 NULL,
++					 &tmp,
++					 &num_tmp);
++		if (!ok) {
++			goto fail;
++		}
++
++		memcpy(instances,
++		       tmp,
++		       sizeof(struct notifyd_instance) * num_tmp);
+ 	}
+ 
+ 	for (i=0; i<num_instances; i++) {
+@@ -414,41 +434,106 @@ static bool notifyd_apply_rec_change(
+ 		*instance = (struct notifyd_instance) {
+ 			.client = *client,
+ 			.instance = *chg,
+-			.internal_filter = chg->filter,
+-			.internal_subdir_filter = chg->subdir_filter
+ 		};
+ 
+ 		num_instances += 1;
+ 	}
+ 
+-	if ((instance->instance.filter != 0) ||
+-	    (instance->instance.subdir_filter != 0)) {
+-		int ret;
++	/*
++	 * Calculate an intersection of the instances filters for the watcher.
++	 */
++	if (instance->instance.filter > 0) {
++		uint32_t filter = instance->instance.filter;
++
++		if ((watcher.filter & filter) != filter) {
++			watcher.filter |= filter;
++
++			new_watcher = true;
++		}
++	}
++
++	/*
++	 * Calculate an intersection of the instances subdir_filters for the
++	 * watcher.
++	 */
++	if (instance->instance.subdir_filter > 0) {
++		uint32_t subdir_filter = instance->instance.subdir_filter;
+ 
+-		TALLOC_FREE(instance->sys_watch);
++		if ((watcher.subdir_filter & subdir_filter) != subdir_filter) {
++			watcher.subdir_filter |= subdir_filter;
+ 
+-		ret = sys_notify_watch(entries, sys_notify_ctx, path,
+-				       &instance->internal_filter,
+-				       &instance->internal_subdir_filter,
+-				       notifyd_sys_callback, msg_ctx,
+-				       &instance->sys_watch);
+-		if (ret != 0) {
+-			DBG_WARNING("sys_notify_watch for [%s] returned %s\n",
+-				    path, strerror(errno));
++			new_watcher = true;
+ 		}
+ 	}
+ 
+ 	if ((instance->instance.filter == 0) &&
+ 	    (instance->instance.subdir_filter == 0)) {
++		uint32_t tmp_filter = 0;
++		uint32_t tmp_subdir_filter = 0;
++
+ 		/* This is a delete request */
+-		TALLOC_FREE(instance->sys_watch);
+ 		*instance = instances[num_instances-1];
+ 		num_instances -= 1;
++
++		for (i = 0; i < num_instances; i++) {
++			struct notifyd_instance *tmp = &instances[i];
++
++			tmp_filter |= tmp->instance.filter;
++			tmp_subdir_filter |= tmp->instance.subdir_filter;
++		}
++
++		/*
++		 * If the filter has changed, register a new watcher with the
++		 * changed filter.
++		 */
++		if (watcher.filter != tmp_filter ||
++		    watcher.subdir_filter != tmp_subdir_filter)
++		{
++			watcher.filter = tmp_filter;
++			watcher.subdir_filter = tmp_subdir_filter;
++
++			new_watcher = true;
++		}
++	}
++
++	if (new_watcher) {
++		/*
++		 * In case we removed all notify instances, we want to remove
++		 * the watcher. We won't register a new one, if no filters are
++		 * set anymore.
++		 */
++
++		TALLOC_FREE(watcher.sys_watch);
++
++		watcher.sys_filter = watcher.filter;
++		watcher.sys_subdir_filter = watcher.subdir_filter;
++
++		/*
++		 * Only register a watcher if we have filter.
++		 */
++		if (watcher.filter != 0 || watcher.subdir_filter != 0) {
++			int ret = sys_notify_watch(entries,
++						   sys_notify_ctx,
++						   path,
++						   &watcher.sys_filter,
++						   &watcher.sys_subdir_filter,
++						   notifyd_sys_callback,
++						   msg_ctx,
++						   &watcher.sys_watch);
++			if (ret != 0) {
++				DBG_WARNING("sys_notify_watch for [%s] "
++					    "returned %s\n",
++					    path,
++					    strerror(errno));
++			}
++		}
+ 	}
+ 
+ 	DBG_DEBUG("%s has %zu instances\n", path, num_instances);
+ 
+ 	if (num_instances == 0) {
++		TALLOC_FREE(watcher.sys_watch);
++
+ 		status = dbwrap_record_delete(rec);
+ 		if (!NT_STATUS_IS_OK(status)) {
+ 			DBG_WARNING("dbwrap_record_delete returned %s\n",
+@@ -456,13 +541,21 @@ static bool notifyd_apply_rec_change(
+ 			goto fail;
+ 		}
+ 	} else {
+-		value = make_tdb_data(
+-			(uint8_t *)instances,
+-			sizeof(struct notifyd_instance) * num_instances);
++		struct TDB_DATA iov[2] = {
++			{
++				.dptr = (uint8_t *)&watcher,
++				.dsize = sizeof(struct notifyd_watcher),
++			},
++			{
++				.dptr = (uint8_t *)instances,
++				.dsize = sizeof(struct notifyd_instance) *
++					 num_instances,
++			},
++		};
+ 
+-		status = dbwrap_record_store(rec, value, 0);
++		status = dbwrap_record_storev(rec, iov, ARRAY_SIZE(iov), 0);
+ 		if (!NT_STATUS_IS_OK(status)) {
+-			DBG_WARNING("dbwrap_record_store returned %s\n",
++			DBG_WARNING("dbwrap_record_storev returned %s\n",
+ 				    nt_errstr(status));
+ 			goto fail;
+ 		}
+@@ -706,12 +799,18 @@ static void notifyd_trigger_parser(TDB_DATA key, TDB_DATA data,
+ 					.when = tstate->msg->when };
+ 	struct iovec iov[2];
+ 	size_t path_len = key.dsize;
++	struct notifyd_watcher watcher = {};
+ 	struct notifyd_instance *instances = NULL;
+ 	size_t num_instances = 0;
+ 	size_t i;
++	bool ok;
+ 
+-	if (!notifyd_parse_entry(data.dptr, data.dsize, &instances,
+-				 &num_instances)) {
++	ok = notifyd_parse_entry(data.dptr,
++				 data.dsize,
++				 &watcher,
++				 &instances,
++				 &num_instances);
++	if (!ok) {
+ 		DBG_DEBUG("Could not parse notifyd_entry\n");
+ 		return;
+ 	}
+@@ -734,9 +833,11 @@ static void notifyd_trigger_parser(TDB_DATA key, TDB_DATA data,
+ 
+ 		if (tstate->covered_by_sys_notify) {
+ 			if (tstate->recursive) {
+-				i_filter = instance->internal_subdir_filter;
++				i_filter = watcher.sys_subdir_filter &
++					   instance->instance.subdir_filter;
+ 			} else {
+-				i_filter = instance->internal_filter;
++				i_filter = watcher.sys_filter &
++					   instance->instance.filter;
+ 			}
+ 		} else {
+ 			if (tstate->recursive) {
+@@ -1142,46 +1243,39 @@ static int notifyd_add_proxy_syswatches(struct db_record *rec,
+ 	struct db_context *db = dbwrap_record_get_db(rec);
+ 	TDB_DATA key = dbwrap_record_get_key(rec);
+ 	TDB_DATA value = dbwrap_record_get_value(rec);
+-	struct notifyd_instance *instances = NULL;
+-	size_t num_instances = 0;
+-	size_t i;
++	struct notifyd_watcher watcher = {};
+ 	char path[key.dsize+1];
+ 	bool ok;
++	int ret;
+ 
+ 	memcpy(path, key.dptr, key.dsize);
+ 	path[key.dsize] = '\0';
+ 
+-	ok = notifyd_parse_entry(value.dptr, value.dsize, &instances,
+-				 &num_instances);
++	/* This is a remote database, we just need the watcher. */
++	ok = notifyd_parse_entry(value.dptr, value.dsize, &watcher, NULL, NULL);
+ 	if (!ok) {
+ 		DBG_WARNING("Could not parse notifyd entry for %s\n", path);
+ 		return 0;
+ 	}
+ 
+-	for (i=0; i<num_instances; i++) {
+-		struct notifyd_instance *instance = &instances[i];
+-		uint32_t filter = instance->instance.filter;
+-		uint32_t subdir_filter = instance->instance.subdir_filter;
+-		int ret;
++	watcher.sys_watch = NULL;
++	watcher.sys_filter = watcher.filter;
++	watcher.sys_subdir_filter = watcher.subdir_filter;
+ 
+-		/*
+-		 * This is a remote database. Pointers that we were
+-		 * given don't make sense locally. Initialize to NULL
+-		 * in case sys_notify_watch fails.
+-		 */
+-		instances[i].sys_watch = NULL;
+-
+-		ret = state->sys_notify_watch(
+-			db, state->sys_notify_ctx, path,
+-			&filter, &subdir_filter,
+-			notifyd_sys_callback, state->msg_ctx,
+-			&instance->sys_watch);
+-		if (ret != 0) {
+-			DBG_WARNING("inotify_watch returned %s\n",
+-				    strerror(errno));
+-		}
++	ret = state->sys_notify_watch(db,
++				      state->sys_notify_ctx,
++				      path,
++				      &watcher.filter,
++				      &watcher.subdir_filter,
++				      notifyd_sys_callback,
++				      state->msg_ctx,
++				      &watcher.sys_watch);
++	if (ret != 0) {
++		DBG_WARNING("inotify_watch returned %s\n", strerror(errno));
+ 	}
+ 
++	memcpy(value.dptr, &watcher, sizeof(struct notifyd_watcher));
++
+ 	return 0;
+ }
+ 
+@@ -1189,21 +1283,17 @@ static int notifyd_db_del_syswatches(struct db_record *rec, void *private_data)
+ {
+ 	TDB_DATA key = dbwrap_record_get_key(rec);
+ 	TDB_DATA value = dbwrap_record_get_value(rec);
+-	struct notifyd_instance *instances = NULL;
+-	size_t num_instances = 0;
+-	size_t i;
++	struct notifyd_watcher watcher = {};
+ 	bool ok;
+ 
+-	ok = notifyd_parse_entry(value.dptr, value.dsize, &instances,
+-				 &num_instances);
++	ok = notifyd_parse_entry(value.dptr, value.dsize, &watcher, NULL, NULL);
+ 	if (!ok) {
+ 		DBG_WARNING("Could not parse notifyd entry for %.*s\n",
+ 			    (int)key.dsize, (char *)key.dptr);
+ 		return 0;
+ 	}
+-	for (i=0; i<num_instances; i++) {
+-		TALLOC_FREE(instances[i].sys_watch);
+-	}
++	TALLOC_FREE(watcher.sys_watch);
++
+ 	return 0;
+ }
+ 
+diff --git a/source3/smbd/notifyd/notifyd_db.c b/source3/smbd/notifyd/notifyd_db.c
+index 18228619e9a..7dc3cd58081 100644
+--- a/source3/smbd/notifyd/notifyd_db.c
++++ b/source3/smbd/notifyd/notifyd_db.c
+@@ -40,7 +40,10 @@ static bool notifyd_parse_db_parser(TDB_DATA key, TDB_DATA value,
+ 	memcpy(path, key.dptr, key.dsize);
+ 	path[key.dsize] = 0;
+ 
+-	ok = notifyd_parse_entry(value.dptr, value.dsize, &instances,
++	ok = notifyd_parse_entry(value.dptr,
++				 value.dsize,
++				 NULL,
++				 &instances,
+ 				 &num_instances);
+ 	if (!ok) {
+ 		DBG_DEBUG("Could not parse entry for path %s\n", path);
+diff --git a/source3/smbd/notifyd/notifyd_entry.c b/source3/smbd/notifyd/notifyd_entry.c
+index 539010de03a..f3b0e908136 100644
+--- a/source3/smbd/notifyd/notifyd_entry.c
++++ b/source3/smbd/notifyd/notifyd_entry.c
+@@ -21,22 +21,51 @@
+  * Parse an entry in the notifyd_context->entries database
+  */
+ 
+-bool notifyd_parse_entry(
+-	uint8_t *buf,
+-	size_t buflen,
+-	struct notifyd_instance **instances,
+-	size_t *num_instances)
++/**
++ * @brief Parse a notifyd database entry.
++ *
++ * The memory we pass down needs to be aligned. If it isn't aligned we can run
++ * into obscure errors as we just point into the data buffer.
++ *
++ * @param data The data to parse
++ * @param data_len The length of the data to parse
++ * @param watcher A pointer to store the watcher data or NULL.
++ * @param instances A pointer to store the array of notify instances or NULL.
++ * @param pnum_instances The number of elements in the array. If you just want
++ * the number of elements pass NULL for the watcher and instances pointers.
++ *
++ * @return true on success, false if an error occurred.
++ */
++bool notifyd_parse_entry(uint8_t *data,
++			 size_t data_len,
++			 struct notifyd_watcher *watcher,
++			 struct notifyd_instance **instances,
++			 size_t *pnum_instances)
+ {
+-	if ((buflen % sizeof(struct notifyd_instance)) != 0) {
+-		DBG_WARNING("invalid buffer size: %zu\n", buflen);
++	size_t ilen;
++
++	if (data_len < sizeof(struct notifyd_watcher)) {
+ 		return false;
+ 	}
+ 
+-	if (instances != NULL) {
+-		*instances = (struct notifyd_instance *)buf;
++	if (watcher != NULL) {
++		*watcher = *((struct notifyd_watcher *)(uintptr_t)data);
+ 	}
+-	if (num_instances != NULL) {
+-		*num_instances = buflen / sizeof(struct notifyd_instance);
++
++	ilen = data_len - sizeof(struct notifyd_watcher);
++	if ((ilen % sizeof(struct notifyd_instance)) != 0) {
++		return false;
++	}
++
++	if (pnum_instances != NULL) {
++		*pnum_instances = ilen / sizeof(struct notifyd_instance);
+ 	}
++	if (instances != NULL) {
++		/* The (uintptr_t) cast removes a warning from -Wcast-align. */
++		*instances =
++			(struct notifyd_instance *)(uintptr_t)
++				(data + sizeof(struct notifyd_watcher));
++	}
++
+ 	return true;
+ }
+diff --git a/source3/smbd/notifyd/notifyd_private.h b/source3/smbd/notifyd/notifyd_private.h
+index 36c08f47c54..db8e6e1c005 100644
+--- a/source3/smbd/notifyd/notifyd_private.h
++++ b/source3/smbd/notifyd/notifyd_private.h
+@@ -20,30 +20,48 @@
+ #include "lib/util/server_id.h"
+ #include "notifyd.h"
+ 
++
+ /*
+- * notifyd's representation of a notify instance
++ * Representation of a watcher for a path
++ *
++ * This will be stored in the db.
+  */
+-struct notifyd_instance {
+-	struct server_id client;
+-	struct notify_instance instance;
+-
+-	void *sys_watch; /* inotify/fam/etc handle */
++struct notifyd_watcher {
++	/*
++	 * This is an intersections of the filter the watcher is listening for.
++	 */
++	uint32_t filter;
++	uint32_t subdir_filter;
+ 
+ 	/*
+-	 * Filters after sys_watch took responsibility of some bits
++	 * Those are inout variables passed to the sys_watcher. The sys_watcher
++	 * will remove the bits it can't handle.
+ 	 */
+-	uint32_t internal_filter;
+-	uint32_t internal_subdir_filter;
++	uint32_t sys_filter;
++	uint32_t sys_subdir_filter;
++
++	/* The handle for inotify/fam etc. */
++	void *sys_watch;
++};
++
++/*
++ * Representation of a notifyd instance
++ *
++ * This will be stored in the db.
++ */
++struct notifyd_instance {
++	struct server_id client;
++	struct notify_instance instance;
+ };
+ 
+ /*
+  * Parse an entry in the notifyd_context->entries database
+  */
+ 
+-bool notifyd_parse_entry(
+-	uint8_t *buf,
+-	size_t buflen,
+-	struct notifyd_instance **instances,
+-	size_t *num_instances);
++bool notifyd_parse_entry(uint8_t *data,
++			 size_t data_len,
++			 struct notifyd_watcher *watcher,
++			 struct notifyd_instance **instances,
++			 size_t *num_instances);
+ 
+ #endif
+-- 
+2.49.0
+
+
+From 908674e5cef83c2ad9f2073a8fd362007b8a55f4 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 15 Jan 2025 10:21:19 -0800
+Subject: [PATCH 4/5] auth: Add missing talloc_free() in error code path.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Thu Jan 16 14:32:39 UTC 2025 on atb-devel-224
+
+(cherry picked from commit c514ce8dcadcbbf0d86f3038d2be0f9253a76b75)
+---
+ auth/kerberos/kerberos_pac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
+index b6272ac15eb..1f7d3e7ef26 100644
+--- a/auth/kerberos/kerberos_pac.c
++++ b/auth/kerberos/kerberos_pac.c
+@@ -360,6 +360,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		if (ret) {
+ 			DEBUG(5, ("PAC Decode: Failed to verify the service "
+ 				  "signature: %s\n", error_message(ret)));
++			talloc_free(tmp_ctx);
+ 			return NT_STATUS_ACCESS_DENIED;
+ 		}
+ 
+-- 
+2.49.0
+
+
+From 761dbf898d92e00385e3516b487d5c4bdd761f23 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 16 Jan 2025 16:12:31 -0800
+Subject: [PATCH 5/5] auth: Cleanup exit code paths in kerberos_decode_pac().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+One more memory leak missed and now fixed. tmp_ctx
+must be freed once the pac data is talloc_move'd.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
+Reviewed-by: Christian Ambach <ambi@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Fri Jan 17 12:01:47 UTC 2025 on atb-devel-224
+
+(cherry picked from commit f9eb0b248da0689c82656f3e482161c45749afb6)
+---
+ auth/kerberos/kerberos_pac.c | 88 ++++++++++++++++++------------------
+ 1 file changed, 43 insertions(+), 45 deletions(-)
+
+diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
+index 1f7d3e7ef26..4c61cfe838f 100644
+--- a/auth/kerberos/kerberos_pac.c
++++ b/auth/kerberos/kerberos_pac.c
+@@ -137,7 +137,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 			     time_t tgs_authtime,
+ 			     struct PAC_DATA **pac_data_out)
+ {
+-	NTSTATUS status;
++	NTSTATUS status = NT_STATUS_NO_MEMORY;
+ 	enum ndr_err_code ndr_err;
+ 	krb5_error_code ret;
+ 	DATA_BLOB modified_pac_blob;
+@@ -173,8 +173,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 	kdc_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
+ 	srv_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
+ 	if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
+-		talloc_free(tmp_ctx);
+-		return NT_STATUS_NO_MEMORY;
++		status = NT_STATUS_NO_MEMORY;
++		goto out;
+ 	}
+ 
+ 	ndr_err = ndr_pull_struct_blob(&pac_data_blob, pac_data, pac_data,
+@@ -183,15 +183,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		status = ndr_map_error2ntstatus(ndr_err);
+ 		DEBUG(0,("can't parse the PAC: %s\n",
+ 			nt_errstr(status)));
+-		talloc_free(tmp_ctx);
+-		return status;
++		goto out;
+ 	}
+ 
+ 	if (pac_data->num_buffers < 4) {
+ 		/* we need logon_info, service_key and kdc_key */
+ 		DEBUG(0,("less than 4 PAC buffers\n"));
+-		talloc_free(tmp_ctx);
+-		return NT_STATUS_INVALID_PARAMETER;
++		status = NT_STATUS_INVALID_PARAMETER;
++		goto out;
+ 	}
+ 
+ 	ndr_err = ndr_pull_struct_blob(
+@@ -201,15 +200,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		status = ndr_map_error2ntstatus(ndr_err);
+ 		DEBUG(0,("can't parse the PAC: %s\n",
+ 			nt_errstr(status)));
+-		talloc_free(tmp_ctx);
+-		return status;
++		goto out;
+ 	}
+ 
+ 	if (pac_data_raw->num_buffers < 4) {
+ 		/* we need logon_info, service_key and kdc_key */
+ 		DEBUG(0,("less than 4 PAC buffers\n"));
+-		talloc_free(tmp_ctx);
+-		return NT_STATUS_INVALID_PARAMETER;
++		status = NT_STATUS_INVALID_PARAMETER;
++		goto out;
+ 	}
+ 
+ 	if (pac_data->num_buffers != pac_data_raw->num_buffers) {
+@@ -217,8 +215,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		DEBUG(0, ("misparse! PAC_DATA has %d buffers while "
+ 			  "PAC_DATA_RAW has %d\n", pac_data->num_buffers,
+ 			  pac_data_raw->num_buffers));
+-		talloc_free(tmp_ctx);
+-		return NT_STATUS_INVALID_PARAMETER;
++		status = NT_STATUS_INVALID_PARAMETER;
++		goto out;
+ 	}
+ 
+ 	for (i=0; i < pac_data->num_buffers; i++) {
+@@ -229,8 +227,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 			DEBUG(0, ("misparse! PAC_DATA buffer %d has type "
+ 				  "%d while PAC_DATA_RAW has %d\n", i,
+ 				  data_buf->type, raw_buf->type));
+-			talloc_free(tmp_ctx);
+-			return NT_STATUS_INVALID_PARAMETER;
++			status = NT_STATUS_INVALID_PARAMETER;
++			goto out;
+ 		}
+ 		switch (data_buf->type) {
+ 		case PAC_TYPE_LOGON_INFO:
+@@ -263,26 +261,26 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 
+ 	if (!logon_info) {
+ 		DEBUG(0,("PAC no logon_info\n"));
+-		talloc_free(tmp_ctx);
+-		return NT_STATUS_INVALID_PARAMETER;
++		status = NT_STATUS_INVALID_PARAMETER;
++		goto out;
+ 	}
+ 
+ 	if (!logon_name) {
+ 		DEBUG(0,("PAC no logon_name\n"));
+-		talloc_free(tmp_ctx);
+-		return NT_STATUS_INVALID_PARAMETER;
++		status = NT_STATUS_INVALID_PARAMETER;
++		goto out;
+ 	}
+ 
+ 	if (!srv_sig_ptr || !srv_sig_blob) {
+ 		DEBUG(0,("PAC no srv_key\n"));
+-		talloc_free(tmp_ctx);
+-		return NT_STATUS_INVALID_PARAMETER;
++		status = NT_STATUS_INVALID_PARAMETER;
++		goto out;
+ 	}
+ 
+ 	if (!kdc_sig_ptr || !kdc_sig_blob) {
+ 		DEBUG(0,("PAC no kdc_key\n"));
+-		talloc_free(tmp_ctx);
+-		return NT_STATUS_INVALID_PARAMETER;
++		status = NT_STATUS_INVALID_PARAMETER;
++		goto out;
+ 	}
+ 
+ 	/* Find and zero out the signatures,
+@@ -297,8 +295,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		status = ndr_map_error2ntstatus(ndr_err);
+ 		DEBUG(0,("can't parse the KDC signature: %s\n",
+ 			nt_errstr(status)));
+-		talloc_free(tmp_ctx);
+-		return status;
++		goto out;
+ 	}
+ 
+ 	ndr_err = ndr_pull_struct_blob(
+@@ -308,8 +305,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		status = ndr_map_error2ntstatus(ndr_err);
+ 		DEBUG(0,("can't parse the SRV signature: %s\n",
+ 			nt_errstr(status)));
+-		talloc_free(tmp_ctx);
+-		return status;
++		goto out;
+ 	}
+ 
+ 	/* Now zero the decoded structure */
+@@ -326,8 +322,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		status = ndr_map_error2ntstatus(ndr_err);
+ 		DEBUG(0,("can't repack the KDC signature: %s\n",
+ 			nt_errstr(status)));
+-		talloc_free(tmp_ctx);
+-		return status;
++		goto out;
+ 	}
+ 	ndr_err = ndr_push_struct_blob(
+ 			srv_sig_blob, pac_data_raw, srv_sig_wipe,
+@@ -336,8 +331,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		status = ndr_map_error2ntstatus(ndr_err);
+ 		DEBUG(0,("can't repack the SRV signature: %s\n",
+ 			nt_errstr(status)));
+-		talloc_free(tmp_ctx);
+-		return status;
++		goto out;
+ 	}
+ 
+ 	/* push out the whole structure, but now with zero'ed signatures */
+@@ -348,8 +342,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		status = ndr_map_error2ntstatus(ndr_err);
+ 		DEBUG(0,("can't repack the RAW PAC: %s\n",
+ 			nt_errstr(status)));
+-		talloc_free(tmp_ctx);
+-		return status;
++		goto out;
+ 	}
+ 
+ 	if (service_keyblock) {
+@@ -360,8 +353,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		if (ret) {
+ 			DEBUG(5, ("PAC Decode: Failed to verify the service "
+ 				  "signature: %s\n", error_message(ret)));
+-			talloc_free(tmp_ctx);
+-			return NT_STATUS_ACCESS_DENIED;
++			status = NT_STATUS_ACCESS_DENIED;
++			goto out;
+ 		}
+ 
+ 		if (krbtgt_keyblock) {
+@@ -371,8 +364,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 			if (ret) {
+ 				DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
+ 					  smb_get_krb5_error_message(context, ret, tmp_ctx)));
+-				talloc_free(tmp_ctx);
+-				return NT_STATUS_ACCESS_DENIED;
++				status = NT_STATUS_ACCESS_DENIED;
++				goto out;
+ 			}
+ 		}
+ 	}
+@@ -388,8 +381,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 				  nt_time_string(tmp_ctx, logon_name->logon_time)));
+ 			DEBUG(2, ("PAC Decode: Ticket: %s\n",
+ 				  nt_time_string(tmp_ctx, tgs_authtime_nttime)));
+-			talloc_free(tmp_ctx);
+-			return NT_STATUS_ACCESS_DENIED;
++			status = NT_STATUS_ACCESS_DENIED;
++			goto out;
+ 		}
+ 	}
+ 
+@@ -401,8 +394,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 		if (ret) {
+ 			DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n",
+ 				  logon_name->account_name, error_message(ret)));
+-			talloc_free(tmp_ctx);
+-			return NT_STATUS_INVALID_PARAMETER;
++			status = NT_STATUS_INVALID_PARAMETER;
++			goto out;
+ 		}
+ 
+ 		bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0;
+@@ -413,8 +406,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 				  logon_name->account_name,
+ 				  client_principal_string));
+ 			SAFE_FREE(client_principal_string);
+-			talloc_free(tmp_ctx);
+-			return NT_STATUS_ACCESS_DENIED;
++			status = NT_STATUS_ACCESS_DENIED;
++			goto out;
+ 		}
+ 		SAFE_FREE(client_principal_string);
+ 
+@@ -435,10 +428,15 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ 	}
+ 
+ 	if (pac_data_out) {
+-		*pac_data_out = talloc_steal(mem_ctx, pac_data);
++		*pac_data_out = talloc_move(mem_ctx, &pac_data);
+ 	}
+ 
+-	return NT_STATUS_OK;
++	status = NT_STATUS_OK;
++
++    out:
++
++	TALLOC_FREE(tmp_ctx);
++	return status;
+ }
+ 
+ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
+-- 
+2.49.0
 

SPECS/samba.spec

@@ -205,7 +205,7 @@
 
 Name:           samba
 Version:        %{samba_version}
-Release:        %{samba_release}%{?dist}
+Release:        %{samba_release}.0.1%{?dist}.1
 
 %if 0%{?fedora}
 Epoch:          2
@@ -248,6 +248,9 @@ Source202:      samba.abignore
 
 Patch0:        redhat-4.20.2.patch
 
+# Oracle Patches
+Patch102:	102-orabug36566309-s3-winbindd-winbindd_pam-fix-leak-in-extract_pac_vrfy_sigs.patch
+
 Requires(pre): %{name}-common = %{samba_depver}
 Requires: %{name}-common = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
@@ -1371,9 +1374,11 @@ popd
 install -d -m 0755 %{buildroot}/usr/{sbin,bin}
 install -d -m 0755 %{buildroot}%{_libdir}/security
 install -d -m 0755 %{buildroot}/var/lib/samba
+install -d -m 0755 %{buildroot}/var/lib/samba/certs
 install -d -m 0755 %{buildroot}/var/lib/samba/drivers
 install -d -m 0755 %{buildroot}/var/lib/samba/lock
 install -d -m 0755 %{buildroot}/var/lib/samba/private
+install -d -m 0755 %{buildroot}/var/lib/samba/private/certs
 install -d -m 0755 %{buildroot}/var/lib/samba/scripts
 install -d -m 0755 %{buildroot}/var/lib/samba/sysvol
 install -d -m 0755 %{buildroot}/var/lib/samba/usershares
@@ -2004,7 +2009,9 @@ fi
 %ghost %dir /run/samba
 %ghost %dir /run/winbindd
 %dir /var/lib/samba
+%dir /var/lib/samba/certs
 %attr(700,root,root) %dir /var/lib/samba/private
+%attr(700,root,root) %dir /var/lib/samba/private/certs
 %dir /var/lib/samba/lock
 %attr(755,root,root) %dir %{_sysconfdir}/samba
 %config(noreplace) %{_sysconfdir}/samba/smb.conf
@@ -4606,6 +4613,18 @@ fi
 %endif
 
 %changelog
+* Tue May 06 2025 EL Errata <el-errata_ww@oracle.com> - 4.20.2-2.0.1.1
+- s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs [Orabug: 36566309]
+
+* Fri Apr 11 2025 Pavel Filipenský <pfilipen@redhat.com> - 4.20.2-2.1
+- resolves: RHEL-85347 - Fix winbind memory leak
+
+* Wed Oct 02 2024 Andreas Schneider <asn@redhat.com> - 4.20.2-2
+- resolves: RHEL-59912 - Fix performance issue in notifyd
+
+* Wed Oct 02 2024 Andreas Schneider <asn@redhat.com> - 4.20.2-2
+* resolves: RHEL-59913 - Package cert directories used by samba-gpupdate
+
 * Thu Aug 01 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.20.2-2
 - resolves: RHEL-47757 - Allow to run samba-bgqd as a standalone systemd service