From e35d54fd4d381df67ab9b4f8390e2109b2142678 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 4 Apr 2024 14:08:02 +1300
Subject: [PATCH] s3:util:sharesec ace_compare() uses NUMERIC_CMP()

ace->access_mask is uint32_t, so can overflow a signed int.
This would be easy to trigger, as it is a flags field rather than an
allocation count.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source3/utils/sharesec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c
index a6481e25481..417572954c8 100644
--- a/source3/utils/sharesec.c
+++ b/source3/utils/sharesec.c
@@ -120,19 +120,19 @@ static int ace_compare(struct security_ace *ace1, struct security_ace *ace2)
 		return 0;
 
 	if (ace1->type != ace2->type)
-		return ace2->type - ace1->type;
+		return NUMERIC_CMP(ace2->type, ace1->type);
 
 	if (dom_sid_compare(&ace1->trustee, &ace2->trustee))
 		return dom_sid_compare(&ace1->trustee, &ace2->trustee);
 
 	if (ace1->flags != ace2->flags)
-		return ace1->flags - ace2->flags;
+		return NUMERIC_CMP(ace1->flags, ace2->flags);
 
 	if (ace1->access_mask != ace2->access_mask)
-		return ace1->access_mask - ace2->access_mask;
+		return NUMERIC_CMP(ace1->access_mask, ace2->access_mask);
 
 	if (ace1->size != ace2->size)
-		return ace1->size - ace2->size;
+		return NUMERIC_CMP(ace1->size, ace2->size);
 
 	return memcmp(ace1, ace2, sizeof(struct security_ace));
 }
-- 
2.34.1