104 lines
3.4 KiB
Diff
104 lines
3.4 KiB
Diff
From 7ebf51dd8b57b5932bb6f923d513e3f84c653567 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Thu, 16 Mar 2023 10:00:11 +0100
|
|
Subject: [PATCH 15/28] CVE-2023-4154 libcli/security: prepare
|
|
security_descriptor_acl_add() to place the ace at a position
|
|
|
|
Often it is important to insert an ace at a specific position in the
|
|
ACL. As a default we still append by default by using -1, which is the
|
|
generic version of passing the number of existing aces.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
|
|
(cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada)
|
|
|
|
Conflict: NA
|
|
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.18.8-security-2023-10-10.patch
|
|
[PATCH 15/28] CVE-2023-4154 libcli/security: prepare
|
|
security_descriptor_acl_add() to place the ace at a position
|
|
---
|
|
libcli/security/security_descriptor.c | 27 ++++++++++++++++++++-------
|
|
1 file changed, 20 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c
|
|
index 23d436dbaeb..bc38a405e1e 100644
|
|
--- a/libcli/security/security_descriptor.c
|
|
+++ b/libcli/security/security_descriptor.c
|
|
@@ -268,9 +268,11 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
|
|
|
|
static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
|
|
bool add_to_sacl,
|
|
- const struct security_ace *ace)
|
|
+ const struct security_ace *ace,
|
|
+ ssize_t _idx)
|
|
{
|
|
struct security_acl *acl = NULL;
|
|
+ ssize_t idx;
|
|
|
|
if (add_to_sacl) {
|
|
acl = sd->sacl;
|
|
@@ -289,15 +291,28 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
|
|
acl->aces = NULL;
|
|
}
|
|
|
|
+ if (_idx < 0) {
|
|
+ idx = (acl->num_aces + 1) + _idx;
|
|
+ } else {
|
|
+ idx = _idx;
|
|
+ }
|
|
+
|
|
+ if (idx < 0) {
|
|
+ return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
|
|
+ } else if (idx > acl->num_aces) {
|
|
+ return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
|
|
+ }
|
|
+
|
|
acl->aces = talloc_realloc(acl, acl->aces,
|
|
struct security_ace, acl->num_aces+1);
|
|
if (acl->aces == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
- acl->aces[acl->num_aces] = *ace;
|
|
+ ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
|
|
+ acl->num_aces++;
|
|
|
|
- switch (acl->aces[acl->num_aces].type) {
|
|
+ switch (acl->aces[idx].type) {
|
|
case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
|
|
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
|
|
case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
|
|
@@ -308,8 +323,6 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
|
|
break;
|
|
}
|
|
|
|
- acl->num_aces++;
|
|
-
|
|
if (add_to_sacl) {
|
|
sd->sacl = acl;
|
|
sd->type |= SEC_DESC_SACL_PRESENT;
|
|
@@ -328,7 +341,7 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
|
|
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
|
|
const struct security_ace *ace)
|
|
{
|
|
- return security_descriptor_acl_add(sd, true, ace);
|
|
+ return security_descriptor_acl_add(sd, true, ace, -1);
|
|
}
|
|
|
|
/*
|
|
@@ -338,7 +351,7 @@ NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
|
|
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
|
|
const struct security_ace *ace)
|
|
{
|
|
- return security_descriptor_acl_add(sd, false, ace);
|
|
+ return security_descriptor_acl_add(sd, false, ace, -1);
|
|
}
|
|
|
|
/*
|
|
--
|
|
2.34.1
|