CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
author: Joseph Sutton <josephsutton@catalyst.net.nz>
Tue, 21 Jun 2022 02:41:02 +0000 (14:41 +1200)
committer: Jule Anger <janger@samba.org>
Sun, 24 Jul 2022 09:41:53 +0000 (11:41 +0200)

LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0

which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct
the expression to what it was probably intended to be.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
source4/dsdb/samdb/ldb_modules/partition.c

index 2544a106d131e11f0e1f30d4b40aa77b4caf47c8..2d90ca5d1b37f449bf77bf0d54fa0068c7ee011e 100644
@@ -493,8 +493,8 @@ static int partition_copy_all_callback_action(
                         * them here too
                         */
                        for (el_idx=0; el_idx < req_msg->num_elements; el_idx++) {
-                               if (req_msg->elements[el_idx].flags & LDB_FLAG_MOD_DELETE
-                                   || ((req_msg->elements[el_idx].flags & LDB_FLAG_MOD_REPLACE) &&
+                               if (LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags) == LDB_FLAG_MOD_DELETE
+                                   || ((LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags) == LDB_FLAG_MOD_REPLACE) &&
                                        req_msg->elements[el_idx].num_values == 0)) {
                                        if (ldb_msg_find_element(modify_msg,
                                                                 req_msg->elements[el_idx].name) != NULL) {
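Review bot: the two new condition lines in `partition_copy_all_callback_action` spell out `LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags)` twice, which makes the lines very long and leaves room for the same masking mistake to creep back in on one side only. Consider computing it once at the top of the loop body, for example `mod_type = LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags);`, and comparing `mod_type` against `LDB_FLAG_MOD_DELETE` and `LDB_FLAG_MOD_REPLACE`. Since the commit message describes the new expression as what was "probably intended", it would also help to have a test that passes an element of another modification type, and a replace with `num_values` greater than zero, through this loop and checks that neither takes the `ldb_msg_find_element(modify_msg, ...)` branch, so the intended behaviour is pinned down rather than inferred.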