CVE-2018-10919 acl_read: Small refactor to aclread_callback()
authorTim Beale <timbeale@catalyst.net.nz>
Thu, 26 Jul 2018 00:20:49 +0000 (12:20 +1200)
committerKarolin Seeger <kseeger@samba.org>
Tue, 14 Aug 2018 11:57:16 +0000 (13:57 +0200)
Flip the dirsync check (to avoid a double negative), and use a helper
boolean variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
source4/dsdb/samdb/ldb_modules/acl_read.c

index f42b131948c73d49587bde9d260b3dd07101cdd9..17d6492cd3579f44a36b18fc9f0ccb84a5b77446 100644 (file)
@@ -398,18 +398,12 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
                         * in anycase.
                         */
                        if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-                               if (!ac->indirsync) {
-                                       /*
-                                        * do not return this entry if attribute is
-                                        * part of the search filter
-                                        */
-                                       if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
-                                                               msg->elements[i].name)) {
-                                               talloc_free(tmp_ctx);
-                                               return LDB_SUCCESS;
-                                       }
-                                       aclread_mark_inaccesslible(&msg->elements[i]);
-                               } else {
+                               bool in_search_filter;
+
+                               in_search_filter = dsdb_attr_in_parse_tree(ac->req->op.search.tree,
+                                                               msg->elements[i].name);
+
+                               if (ac->indirsync) {
                                        /*
                                         * We are doing dirysnc answers
                                         * and the object shouldn't be returned (normally)
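Review bot: `in_search_filter` is only evaluated inside the `LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS` branch for `msg->elements[i]`, so the filter check covers only attributes that are present in the message being returned. If the search filter can name an attribute that is absent from the message elements (for instance because it was not requested), this path does not appear to see it. That cannot be confirmed from here, because aclread_callback starts before this hunk and continues past it. If the case is handled elsewhere, a comment above the assignment such as `/* NOTE: only covers attributes present in msg->elements */` would make that boundary explicit. Otherwise the access check on filter attributes should not depend on the attribute being in the reply.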
@@ -418,13 +412,22 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
                                         * (remove the object if it is not deleted, or return
                                         * just the objectGUID if it's deleted).
                                         */
-                                       if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
-                                                               msg->elements[i].name)) {
+                                       if (in_search_filter) {
                                                ldb_msg_remove_attr(msg, "replPropertyMetaData");
                                                break;
                                        } else {
                                                aclread_mark_inaccesslible(&msg->elements[i]);
                                        }
+                               } else {
+                                       /*
+                                        * do not return this entry if attribute is
+                                        * part of the search filter
+                                        */
+                                       if (in_search_filter) {
+                                               talloc_free(tmp_ctx);
+                                               return LDB_SUCCESS;
+                                       }
+                                       aclread_mark_inaccesslible(&msg->elements[i]);
                                }
                        } else if (ret != LDB_SUCCESS) {
                                ldb_debug_set(ldb, LDB_DEBUG_FATAL,
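Review bot: The comment moved into the new `else` branch says that the entry is dropped but not why, and this is the security-relevant decision in the function. I would extend it with a line such as `* returning it would confirm that the filter matched a value the caller may not read`. The two branches also react differently to the same `in_search_filter` condition: the dirsync path removes `replPropertyMetaData` and breaks out, while the normal path frees `tmp_ctx` and returns `LDB_SUCCESS` without the entry. A one-line remark on that asymmetry in each branch would help, so that a later change to one is mirrored in the other.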