CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it

If the AS_SYSTEM control is present, we know we have system privileges,
and have no need to call dsdb_module_am_system().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 8ca8607b925ad916c22fd3c51d31e554c651fbd2..6dcc3c9b36e9211f3f7b3defa16250b13c7b3325 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -860,7 +860,7 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
        int ret;
        struct aclread_context *ac;
        struct ldb_request *down_req;
-       struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+       bool am_system;
        struct ldb_result *res;
        struct aclread_private *p;
        bool need_sd = false;
@@ -877,11 +877,16 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
        ldb = ldb_module_get_ctx(module);
        p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
 
+       am_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID) != NULL;
+       if (!am_system) {
+               am_system = dsdb_module_am_system(module);
+       }
+
        /* skip access checks if we are system or system control is supplied
         * or this is not LDAP server request */
        if (!p || !p->enabled ||
-           dsdb_module_am_system(module)
-           || as_system || !is_untrusted) {
+           am_system ||
+           !is_untrusted) {
                return ldb_next_request(module, req);
        }
        /* no checks on special dn */