sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-26 01:49:31 +03:00
Code Activity

CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position

Browse Source 
Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

(cherry picked from commit c3cb915a67)
This commit is contained in:
Stefan Metzmacher
2023-03-16 10:00:11 +01:00
committed by Jule Anger
parent 2c7710bd5b
commit 3c34a51da1
1 changed files with 20 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
libcli/security/security_descriptor.c
View File

@ -267,9 +267,11 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
bool add_to_sacl,
const struct security_ace *ace)
const struct security_ace *ace,
ssize_t _idx)
{
struct security_acl *acl = NULL;
ssize_t idx;
if (add_to_sacl) {
acl = sd->sacl;
@ -288,15 +290,28 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
acl->aces = NULL;
}
if (_idx < 0) {
idx = (acl->num_aces + 1) + _idx;
} else {
idx = _idx;
}
if (idx < 0) {
return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
} else if (idx > acl->num_aces) {
return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
}
acl->aces = talloc_realloc(acl, acl->aces,
struct security_ace, acl->num_aces+1);
if (acl->aces == NULL) {
return NT_STATUS_NO_MEMORY;
}
acl->aces[acl->num_aces] = *ace;
ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
acl->num_aces++;
switch (acl->aces[acl->num_aces].type) {
switch (acl->aces[idx].type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
@ -307,8 +322,6 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
break;
}
acl->num_aces++;
if (add_to_sacl) {
sd->sacl = acl;
sd->type |= SEC_DESC_SACL_PRESENT;
@ -327,7 +340,7 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
const struct security_ace *ace)
{
return security_descriptor_acl_add(sd, true, ace);
return security_descriptor_acl_add(sd, true, ace, -1);
}
/*
@ -337,7 +350,7 @@ NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
const struct security_ace *ace)
{
return security_descriptor_acl_add(sd, false, ace);
return security_descriptor_acl_add(sd, false, ace, -1);
}
/*