1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
From df6c1dbeb27ab4c7dedc2461a9d20a6b67ffdda4 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale@catalyst.net.nz>
Date: Thu, 26 Jul 2018 12:20:49 +1200
Subject: [PATCH] CVE-2018-10919 acl_read: Small refactor to aclread_callback()
Flip the dirsync check (to avoid a double negative), and use a helper
boolean variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
---
source4/dsdb/samdb/ldb_modules/acl_read.c | 31 +++++++++++++----------
1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index f42b131948c..17d6492cd35 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -398,18 +398,12 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
* in anycase.
*/
if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
- if (!ac->indirsync) {
- /*
- * do not return this entry if attribute is
- * part of the search filter
- */
- if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
- msg->elements[i].name)) {
- talloc_free(tmp_ctx);
- return LDB_SUCCESS;
- }
- aclread_mark_inaccesslible(&msg->elements[i]);
- } else {
+ bool in_search_filter;
+
+ in_search_filter = dsdb_attr_in_parse_tree(ac->req->op.search.tree,
+ msg->elements[i].name);
+
+ if (ac->indirsync) {
/*
* We are doing dirysnc answers
* and the object shouldn't be returned (normally)
@@ -418,13 +412,22 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
* (remove the object if it is not deleted, or return
* just the objectGUID if it's deleted).
*/
- if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
- msg->elements[i].name)) {
+ if (in_search_filter) {
ldb_msg_remove_attr(msg, "replPropertyMetaData");
break;
} else {
aclread_mark_inaccesslible(&msg->elements[i]);
}
+ } else {
+ /*
+ * do not return this entry if attribute is
+ * part of the search filter
+ */
+ if (in_search_filter) {
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+ }
+ aclread_mark_inaccesslible(&msg->elements[i]);
}
} else if (ret != LDB_SUCCESS) {
ldb_debug_set(ldb, LDB_DEBUG_FATAL,
--
2.18.0
|