sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-07 17:18:11 +03:00
Code

s4-rpc_server/drsuapi: Rename ncRoot -> untrusted_ncRoot to avoid misuse

Browse Source 
Because of the requirement to echo back the original string, we can
not force this to be a trustworthy value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 2ed9815eea)
This commit is contained in:
Andrew Bartlett 2023-06-27 14:43:39 +12:00 committed by Jule Anger
parent 7c63aa6959
commit 0a269490b6
1 changed files with 19 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
source4/rpc_server/drsuapi/getncchanges.c
View File

@ -2708,7 +2708,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
dcesrv_call_session_info(dce_call); dcesrv_call_session_info(dce_call);
struct imessaging_context *imsg_ctx = struct imessaging_context *imsg_ctx =
dcesrv_imessaging_context(dce_call->conn); dcesrv_imessaging_context(dce_call->conn);
struct drsuapi_DsReplicaObjectIdentifier *ncRoot; struct drsuapi_DsReplicaObjectIdentifier *untrusted_ncRoot;
int ret; int ret;
uint32_t i, k; uint32_t i, k;
struct dsdb_schema *schema; struct dsdb_schema *schema;
@ -2830,8 +2830,8 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
} }
/* Perform access checks. */ /* Perform access checks. */
ncRoot = req10->naming_context; untrusted_ncRoot = req10->naming_context;
if (ncRoot == NULL) { if (untrusted_ncRoot == NULL) {
DEBUG(0,(__location__ ": Request for DsGetNCChanges with no NC\n")); DEBUG(0,(__location__ ": Request for DsGetNCChanges with no NC\n"));
return WERR_DS_DRA_INVALID_PARAMETER; return WERR_DS_DRA_INVALID_PARAMETER;
} }
@ -3000,7 +3000,7 @@ allowed:
struct ldb_dn *new_dn; struct ldb_dn *new_dn;
ret = drs_ObjectIdentifier_to_dn_and_nc_root(getnc_state, ret = drs_ObjectIdentifier_to_dn_and_nc_root(getnc_state,
sam_ctx, sam_ctx,
ncRoot, untrusted_ncRoot,
&new_dn, &new_dn,
NULL); NULL);
if (ret != LDB_SUCCESS) { if (ret != LDB_SUCCESS) {
@ -3011,7 +3011,7 @@ allowed:
* in case. * in case.
*/ */
DBG_ERR("Bad DN '%s' as Naming Context for GetNCChanges: %s\n", DBG_ERR("Bad DN '%s' as Naming Context for GetNCChanges: %s\n",
drs_ObjectIdentifier_to_debug_string(mem_ctx, ncRoot), drs_ObjectIdentifier_to_debug_string(mem_ctx, untrusted_ncRoot),
ldb_strerror(ret)); ldb_strerror(ret));
return WERR_DS_DRA_INVALID_PARAMETER; return WERR_DS_DRA_INVALID_PARAMETER;
} }
@ -3056,12 +3056,12 @@ allowed:
ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx, ret = drs_ObjectIdentifier_to_dn_and_nc_root(mem_ctx,
sam_ctx, sam_ctx,
ncRoot, untrusted_ncRoot,
&ncRoot_dn, &ncRoot_dn,
NULL); NULL);
if (ret != LDB_SUCCESS) { if (ret != LDB_SUCCESS) {
DBG_ERR("Bad DN '%s' as Naming Context or EXOP DN for GetNCChanges: %s\n", DBG_ERR("Bad DN '%s' as Naming Context or EXOP DN for GetNCChanges: %s\n",
drs_ObjectIdentifier_to_debug_string(mem_ctx, ncRoot), drs_ObjectIdentifier_to_debug_string(mem_ctx, untrusted_ncRoot),
ldb_strerror(ret)); ldb_strerror(ret));
return WERR_DS_DRA_BAD_DN; return WERR_DS_DRA_BAD_DN;
} }
@ -3380,7 +3380,7 @@ allowed:
* Match Windows and echo back the original values from the request, even if * Match Windows and echo back the original values from the request, even if
* they say DummyDN for the string NC * they say DummyDN for the string NC
*/ */
*r->out.ctr->ctr6.naming_context = *ncRoot; *r->out.ctr->ctr6.naming_context = *untrusted_ncRoot;
/* find the SID if there is one */ /* find the SID if there is one */
dsdb_find_sid_by_dn(sam_ctx, getnc_state->ncRoot_dn, &r->out.ctr->ctr6.naming_context->sid); dsdb_find_sid_by_dn(sam_ctx, getnc_state->ncRoot_dn, &r->out.ctr->ctr6.naming_context->sid);
@ -3615,7 +3615,15 @@ allowed:
struct drsuapi_DsReplicaUpdateRefsRequest1 ureq; struct drsuapi_DsReplicaUpdateRefsRequest1 ureq;
DEBUG(3,("UpdateRefs on getncchanges for %s\n", DEBUG(3,("UpdateRefs on getncchanges for %s\n",
GUID_string(mem_ctx, &req10->destination_dsa_guid))); GUID_string(mem_ctx, &req10->destination_dsa_guid)));
ureq.naming_context = ncRoot;
/*
* We pass the pre-validation NC root here as
* drsuapi_UpdateRefs() has to check its own input
* values due to being called from
* dcesrv_drsuapi_DsReplicaUpdateRefs()
*/
ureq.naming_context = untrusted_ncRoot;
ureq.dest_dsa_dns_name = samdb_ntds_msdcs_dns_name(sam_ctx, mem_ctx, ureq.dest_dsa_dns_name = samdb_ntds_msdcs_dns_name(sam_ctx, mem_ctx,
&req10->destination_dsa_guid); &req10->destination_dsa_guid);
if (!ureq.dest_dsa_dns_name) { if (!ureq.dest_dsa_dns_name) {
@ -3638,7 +3646,7 @@ allowed:
&ureq); &ureq);
if (!W_ERROR_IS_OK(werr)) { if (!W_ERROR_IS_OK(werr)) {
DEBUG(0,(__location__ ": Failed UpdateRefs on %s for %s in DsGetNCChanges - %s\n", DEBUG(0,(__location__ ": Failed UpdateRefs on %s for %s in DsGetNCChanges - %s\n",
drs_ObjectIdentifier_to_debug_string(mem_ctx, ncRoot), drs_ObjectIdentifier_to_debug_string(mem_ctx, untrusted_ncRoot),
ureq.dest_dsa_dns_name, ureq.dest_dsa_dns_name,
win_errstr(werr))); win_errstr(werr)));
} }
@ -3772,7 +3780,7 @@ allowed:
("DsGetNCChanges with uSNChanged >= %llu flags 0x%08x on %s gave %u objects (done %u/%u) %u links (done %u/%u (as %s))\n", ("DsGetNCChanges with uSNChanged >= %llu flags 0x%08x on %s gave %u objects (done %u/%u) %u links (done %u/%u (as %s))\n",
(unsigned long long)(req10->highwatermark.highest_usn+1), (unsigned long long)(req10->highwatermark.highest_usn+1),
req10->replica_flags, req10->replica_flags,
drs_ObjectIdentifier_to_debug_string(mem_ctx, ncRoot), drs_ObjectIdentifier_to_debug_string(mem_ctx, untrusted_ncRoot),
r->out.ctr->ctr6.object_count, r->out.ctr->ctr6.object_count,
i, r->out.ctr->ctr6.more_data?getnc_state->num_records:i, i, r->out.ctr->ctr6.more_data?getnc_state->num_records:i,
r->out.ctr->ctr6.linked_attributes_count, r->out.ctr->ctr6.linked_attributes_count,