mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
This avoids a crash that's triggered by windows clients using handles from samr_Connect*() on across multiple connections within an association group. In other cases is not strictly required, but it makes it easier to audit that source4/rpc_server no longer calls samdb_connect() directly and also improves the auditing for the dcesrv_samdb_connect_as_system() case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
b1aba4e2bc
commit
25c944643f
@ -212,8 +212,6 @@ exit:
|
||||
static NTSTATUS dcesrv_samr_Connect(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
|
||||
struct samr_Connect *r)
|
||||
{
|
||||
struct auth_session_info *session_info =
|
||||
dcesrv_call_session_info(dce_call);
|
||||
struct samr_connect_state *c_state;
|
||||
struct dcesrv_handle *handle;
|
||||
|
||||
@ -225,18 +223,12 @@ static NTSTATUS dcesrv_samr_Connect(struct dcesrv_call_state *dce_call, TALLOC_C
|
||||
}
|
||||
|
||||
/* make sure the sam database is accessible */
|
||||
c_state->sam_ctx = samdb_connect(c_state,
|
||||
dce_call->event_ctx,
|
||||
dce_call->conn->dce_ctx->lp_ctx,
|
||||
session_info,
|
||||
dce_call->conn->remote_address,
|
||||
0);
|
||||
c_state->sam_ctx = dcesrv_samdb_connect_as_user(c_state, dce_call);
|
||||
if (c_state->sam_ctx == NULL) {
|
||||
talloc_free(c_state);
|
||||
return NT_STATUS_INVALID_SYSTEM_SERVICE;
|
||||
}
|
||||
|
||||
|
||||
handle = dcesrv_handle_create(dce_call, SAMR_HANDLE_CONNECT);
|
||||
if (!handle) {
|
||||
talloc_free(c_state);
|
||||
@ -4809,8 +4801,6 @@ static NTSTATUS dcesrv_samr_RemoveMultipleMembersFromAlias(struct dcesrv_call_st
|
||||
static NTSTATUS dcesrv_samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
|
||||
struct samr_GetDomPwInfo *r)
|
||||
{
|
||||
struct auth_session_info *session_info =
|
||||
dcesrv_call_session_info(dce_call);
|
||||
struct ldb_message **msgs;
|
||||
int ret;
|
||||
const char * const attrs[] = {"minPwdLength", "pwdProperties", NULL };
|
||||
@ -4818,12 +4808,7 @@ static NTSTATUS dcesrv_samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TAL
|
||||
|
||||
ZERO_STRUCTP(r->out.info);
|
||||
|
||||
sam_ctx = samdb_connect(mem_ctx,
|
||||
dce_call->event_ctx,
|
||||
dce_call->conn->dce_ctx->lp_ctx,
|
||||
session_info,
|
||||
dce_call->conn->remote_address,
|
||||
0);
|
||||
sam_ctx = dcesrv_samdb_connect_as_user(mem_ctx, dce_call);
|
||||
if (sam_ctx == NULL) {
|
||||
return NT_STATUS_INVALID_SYSTEM_SERVICE;
|
||||
}
|
||||
|
@ -22,6 +22,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
#include "rpc_server/dcerpc_server.h"
|
||||
#include "rpc_server/common/common.h"
|
||||
#include "rpc_server/samr/dcesrv_samr.h"
|
||||
#include "system/time.h"
|
||||
#include "lib/crypto/md4.h"
|
||||
@ -156,12 +157,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
|
||||
|
||||
/* Connect to a SAMDB with system privileges for fetching the old pw
|
||||
* hashes. */
|
||||
sam_ctx = samdb_connect(mem_ctx,
|
||||
dce_call->event_ctx,
|
||||
dce_call->conn->dce_ctx->lp_ctx,
|
||||
system_session(dce_call->conn->dce_ctx->lp_ctx),
|
||||
dce_call->conn->remote_address,
|
||||
0);
|
||||
sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);
|
||||
if (sam_ctx == NULL) {
|
||||
return NT_STATUS_INVALID_SYSTEM_SERVICE;
|
||||
}
|
||||
@ -262,12 +258,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
|
||||
}
|
||||
|
||||
/* Connect to a SAMDB with user privileges for the password change */
|
||||
sam_ctx = samdb_connect(mem_ctx,
|
||||
dce_call->event_ctx,
|
||||
dce_call->conn->dce_ctx->lp_ctx,
|
||||
session_info,
|
||||
dce_call->conn->remote_address,
|
||||
0);
|
||||
sam_ctx = dcesrv_samdb_connect_as_user(mem_ctx, dce_call);
|
||||
if (sam_ctx == NULL) {
|
||||
return NT_STATUS_INVALID_SYSTEM_SERVICE;
|
||||
}
|
||||
@ -340,8 +331,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
struct samr_ChangePasswordUser3 *r)
|
||||
{
|
||||
struct auth_session_info *session_info =
|
||||
dcesrv_call_session_info(dce_call);
|
||||
struct imessaging_context *imsg_ctx =
|
||||
dcesrv_imessaging_context(dce_call->conn);
|
||||
NTSTATUS status = NT_STATUS_WRONG_PASSWORD;
|
||||
@ -387,12 +376,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
|
||||
|
||||
/* Connect to a SAMDB with system privileges for fetching the old pw
|
||||
* hashes. */
|
||||
sam_ctx = samdb_connect(mem_ctx,
|
||||
dce_call->event_ctx,
|
||||
dce_call->conn->dce_ctx->lp_ctx,
|
||||
system_session(dce_call->conn->dce_ctx->lp_ctx),
|
||||
dce_call->conn->remote_address,
|
||||
0);
|
||||
sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);
|
||||
if (sam_ctx == NULL) {
|
||||
return NT_STATUS_INVALID_SYSTEM_SERVICE;
|
||||
}
|
||||
@ -498,12 +482,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
|
||||
}
|
||||
|
||||
/* Connect to a SAMDB with user privileges for the password change */
|
||||
sam_ctx = samdb_connect(mem_ctx,
|
||||
dce_call->event_ctx,
|
||||
dce_call->conn->dce_ctx->lp_ctx,
|
||||
session_info,
|
||||
dce_call->conn->remote_address,
|
||||
0);
|
||||
sam_ctx = dcesrv_samdb_connect_as_user(mem_ctx, dce_call);
|
||||
if (sam_ctx == NULL) {
|
||||
return NT_STATUS_INVALID_SYSTEM_SERVICE;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user