CVE-2018-10919 acl_read: Flip the logic in the dirsync check
authorTim Beale <timbeale@catalyst.net.nz>
Mon, 30 Jul 2018 04:00:15 +0000 (16:00 +1200)
committerKarolin Seeger <kseeger@samba.org>
Tue, 14 Aug 2018 11:57:16 +0000 (13:57 +0200)
This better reflects the special case we're making for dirsync, and gets
rid of an 'if-else' clause.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
source4/dsdb/samdb/ldb_modules/acl_read.c

index 17d6492cd3579f44a36b18fc9f0ccb84a5b77446..9607ed05ee7d4931f014eed51b8d34d9f9a2e4fd 100644 (file)
@@ -400,10 +400,12 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
                        if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
                                bool in_search_filter;
 
+                               /* check if attr is part of the search filter */
                                in_search_filter = dsdb_attr_in_parse_tree(ac->req->op.search.tree,
                                                                msg->elements[i].name);
 
-                               if (ac->indirsync) {
+                               if (in_search_filter) {
+
                                        /*
                                         * We are doing dirysnc answers
                                         * and the object shouldn't be returned (normally)
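Review bot: The dirsync comment that opens the `if (in_search_filter) {` block now sits above a test for a different condition, because the `ac->indirsync` check it describes has moved below it into the next hunk. A reader of the new code meets "We are doing dirysnc answers" before anything has established that dirsync is in use. I would move that text inside the `if (ac->indirsync)` branch and fix the "dirysnc" typo while there. The block itself could open with a comment such as `/* attr is unreadable but named in the filter: the match must not be observable */`. The blank line straight after the opening brace can also go; aclread_callback starts and ends outside this hunk.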
@@ -412,21 +414,16 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
                                         * (remove the object if it is not deleted, or return
                                         * just the objectGUID if it's deleted).
                                         */
-                                       if (in_search_filter) {
+                                       if (ac->indirsync) {
                                                ldb_msg_remove_attr(msg, "replPropertyMetaData");
                                                break;
                                        } else {
-                                               aclread_mark_inaccesslible(&msg->elements[i]);
-                                       }
-                               } else {
-                                       /*
-                                        * do not return this entry if attribute is
-                                        * part of the search filter
-                                        */
-                                       if (in_search_filter) {
+
+                                               /* do not return this entry */
                                                talloc_free(tmp_ctx);
                                                return LDB_SUCCESS;
                                        }
+                               } else {
                                        aclread_mark_inaccesslible(&msg->elements[i]);
                                }
                        } else if (ret != LDB_SUCCESS) {
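Review bot: The shortened comment `/* do not return this entry */` in the non-dirsync branch drops the reason the removed comment gave, and this is the line that enforces the access decision. I would keep the rationale, e.g. `/* attr is in the search filter but not readable: returning the entry would confirm the filter matched */`. The dirsync branch leaves the element loop with `break` after removing `replPropertyMetaData`, so the remaining elements get no access check here. That presumably relies on later dirsync handling to strip the object, and a one-line comment naming that dependency would make the assumption checkable. The rewrite looks behaviour-preserving across the four combinations of `in_search_filter` and `ac->indirsync`, but no test is visible in this commit; a regression test covering all four would guard the check against future reshuffles.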