CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_c...

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 27d4e7659cc619e56cfd3f00fe22a45888722cc1..edc6733c7abade0bde80c4cd6819b271b6e83fc6 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1014,12 +1014,14 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
                                               GUID_DRS_USER_CHANGE_PASSWORD,
                                               SEC_ADS_CONTROL_ACCESS,
                                               sid);
+               goto checked;
        }
        else if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) {
                ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
                                               GUID_DRS_FORCE_CHANGE_PASSWORD,
                                               SEC_ADS_CONTROL_ACCESS,
                                               sid);
+               goto checked;
        }
        else if (add_attr_cnt == 1 && del_attr_cnt == 1) {
                ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
@@ -1030,7 +1032,13 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
                if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
                        ret = LDB_ERR_CONSTRAINT_VIOLATION;
                }
+               goto checked;
        }
+
+       talloc_free(tmp_ctx);
+       return LDB_SUCCESS;
+
+checked:
        if (ret != LDB_SUCCESS) {
                dsdb_acl_debug(sd, acl_user_token(module),
                               req->op.mod.message->dn,