CVE-2018-10919 acl_read: Split access_mask logic out into helper function

author Tim Beale <timbeale@catalyst.net.nz>

Fri, 20 Jul 2018 01:52:24 +0000 (13:52 +1200)

committer Karolin Seeger <kseeger@samba.org>

Tue, 14 Aug 2018 11:57:16 +0000 (13:57 +0200)
author Tim Beale <timbeale@catalyst.net.nz>
Fri, 20 Jul 2018 01:52:24 +0000 (13:52 +1200)
committer Karolin Seeger <kseeger@samba.org>
Tue, 14 Aug 2018 11:57:16 +0000 (13:57 +0200)
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c

index 3c9cf7c0672c945dd5d7e5484b5d9196baa1cf62..f42b131948c73d49587bde9d260b3dd07101cdd9 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -227,6 +227,40 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac,
         return LDB_SUCCESS;
  }
  
+/*
+ * Returns the access mask required to read a given attribute
+ */
+static uint32_t get_attr_access_mask(const struct dsdb_attribute *attr,
+                                    uint32_t sd_flags)
+{
+
+       uint32_t access_mask = 0;
+       bool is_sd;
+
+       /* nTSecurityDescriptor is a special case */
+       is_sd = (ldb_attr_cmp("nTSecurityDescriptor",
+                             attr->lDAPDisplayName) == 0);
+
+       if (is_sd) {
+               if (sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+                       access_mask |= SEC_STD_READ_CONTROL;
+               }
+               if (sd_flags & SECINFO_DACL) {
+                       access_mask |= SEC_STD_READ_CONTROL;
+               }
+               if (sd_flags & SECINFO_SACL) {
+                       access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+               }
+       } else {
+               access_mask = SEC_ADS_READ_PROP;
+       }
+
+       if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
+               access_mask |= SEC_ADS_CONTROL_ACCESS;
+       }
+
+       return access_mask;
+}
  
  static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
  {
@@ -342,26 +376,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
                                 aclread_mark_inaccesslible(&msg->elements[i]);
                                 continue;
                         }
-                       /* nTSecurityDescriptor is a special case */
-                       if (is_sd) {
-                               access_mask = 0;
-
-                               if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
-                                       access_mask |= SEC_STD_READ_CONTROL;
-                               }
-                               if (ac->sd_flags & SECINFO_DACL) {
-                                       access_mask |= SEC_STD_READ_CONTROL;
-                               }
-                               if (ac->sd_flags & SECINFO_SACL) {
-                                       access_mask |= SEC_FLAG_SYSTEM_SECURITY;
-                               }
-                       } else {
-                               access_mask = SEC_ADS_READ_PROP;
-                       }
  
-                       if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
-                               access_mask |= SEC_ADS_CONTROL_ACCESS;
-                       }
+                       access_mask = get_attr_access_mask(attr, ac->sd_flags);
  
                         if (access_mask == 0) {
                                 aclread_mark_inaccesslible(&msg->elements[i]);
author	Tim Beale <timbeale@catalyst.net.nz>
	Fri, 20 Jul 2018 01:52:24 +0000 (13:52 +1200)
committer	Karolin Seeger <kseeger@samba.org>
	Tue, 14 Aug 2018 11:57:16 +0000 (13:57 +0200)