From 5ad8536ec766b1d0867acfe2c34677400fb29526 Mon Sep 17 00:00:00 2001 From: Volker Lendecke <vl@samba.org> Date: Wed, 4 Sep 2024 17:13:44 +0200 Subject: [PATCH] libsecurity: Simplify struct ace_condition_script We only need the stack temporarily, no reason to put it in the struct Signed-off-by: Volker Lendecke <vl@samba.org> Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Sep 6 14:23:58 UTC 2024 on atb-devel-224 --- libcli/security/conditional_ace.c | 54 +++++++++++++------------- libcli/security/sddl_conditional_ace.c | 12 +++--- librpc/idl/conditional_ace.idl | 1 - 3 files changed, 33 insertions(+), 34 deletions(-) diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c index 158c8ecf82e..c2411c4649e 100644 --- a/libcli/security/conditional_ace.c +++ b/libcli/security/conditional_ace.c @@ -706,17 +706,6 @@ struct ace_condition_script *parse_conditional_ace(TALLOC_CTX *mem_ctx, if (program->tokens == NULL) { goto fail; } - /* - * When interpreting the program we will need a stack, which in the - * very worst case can be as deep as the program is long. - */ - program->stack = talloc_array(program, - struct ace_condition_token, - program->length + 1); - if (program->stack == NULL) { - goto fail; - } - return program; fail: talloc_free(program); @@ -2218,8 +2207,20 @@ int run_conditional_ace(TALLOC_CTX *mem_ctx, struct ace_condition_token *lhs = NULL; struct ace_condition_token *rhs = NULL; struct ace_condition_token result = {}; + struct ace_condition_token *stack = NULL; bool ok; + /* + * When interpreting the program we will need a stack, which in the + * very worst case can be as deep as the program is long. + */ + stack = talloc_array(mem_ctx, + struct ace_condition_token, + program->length + 1); + if (stack == NULL) { + goto error; + } + for (i = 0; i < program->length; i++) { struct ace_condition_token *tok = &program->tokens[i]; switch (tok->type) { @@ -2232,7 +2233,7 @@ int run_conditional_ace(TALLOC_CTX *mem_ctx, case CONDITIONAL_ACE_TOKEN_SID: case CONDITIONAL_ACE_TOKEN_COMPOSITE: /* just plonk these literals on the stack */ - program->stack[depth] = *tok; + stack[depth] = *tok; depth++; break; @@ -2243,7 +2244,7 @@ int run_conditional_ace(TALLOC_CTX *mem_ctx, if (! ok) { goto error; } - program->stack[depth] = result; + stack[depth] = result; depth++; break; @@ -2255,7 +2256,7 @@ int run_conditional_ace(TALLOC_CTX *mem_ctx, if (! ok) { goto error; } - program->stack[depth] = result; + stack[depth] = result; depth++; break; @@ -2271,12 +2272,12 @@ int run_conditional_ace(TALLOC_CTX *mem_ctx, goto error; } depth--; - lhs = &program->stack[depth]; + lhs = &stack[depth]; ok = member_lookup(token, tok, lhs, &result); if (! ok) { goto error; } - program->stack[depth] = result; + stack[depth] = result; depth++; break; /* binary relational operators */ @@ -2294,14 +2295,14 @@ int run_conditional_ace(TALLOC_CTX *mem_ctx, goto error; } depth--; - rhs = &program->stack[depth]; + rhs = &stack[depth]; depth--; - lhs = &program->stack[depth]; + lhs = &stack[depth]; ok = relational_operator(token, tok, lhs, rhs, &result); if (! ok) { goto error; } - program->stack[depth] = result; + stack[depth] = result; depth++; break; /* unary logical operators */ @@ -2312,12 +2313,12 @@ int run_conditional_ace(TALLOC_CTX *mem_ctx, goto error; } depth--; - lhs = &program->stack[depth]; + lhs = &stack[depth]; ok = unary_logic_operator(mem_ctx, token, tok, lhs, sd, &result); if (!ok) { goto error; } - program->stack[depth] = result; + stack[depth] = result; depth++; break; /* binary logical operators */ @@ -2327,14 +2328,14 @@ int run_conditional_ace(TALLOC_CTX *mem_ctx, goto error; } depth--; - rhs = &program->stack[depth]; + rhs = &stack[depth]; depth--; - lhs = &program->stack[depth]; + lhs = &stack[depth]; ok = binary_logic_operator(token, tok, lhs, rhs, &result); if (! ok) { goto error; } - program->stack[depth] = result; + stack[depth] = result; depth++; break; default: @@ -2348,11 +2349,11 @@ int run_conditional_ace(TALLOC_CTX *mem_ctx, if (depth != 1) { goto error; } - result = program->stack[0]; + result = stack[0]; if (result.type != CONDITIONAL_ACE_SAMBA_RESULT_BOOL) { goto error; } - + TALLOC_FREE(stack); return result.data.result.value; error: @@ -2360,6 +2361,7 @@ int run_conditional_ace(TALLOC_CTX *mem_ctx, * the result of an error is always UNKNOWN, which should be * interpreted pessimistically, not allowing access. */ + TALLOC_FREE(stack); return ACE_CONDITION_UNKNOWN; } diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c index e9d83b7f9c1..cd39e3c4c50 100644 --- a/libcli/security/sddl_conditional_ace.c +++ b/libcli/security/sddl_conditional_ace.c @@ -2893,16 +2893,14 @@ static bool init_compiler_context( TALLOC_FREE(program); return false; } - program->stack = talloc_array(program, - struct ace_condition_token, - max_stack + 1); - if (program->stack == NULL) { + comp->program = program; + comp->stack = talloc_array(program, + struct ace_condition_token, + max_stack + 1); + if (comp->stack == NULL) { TALLOC_FREE(program); return false; } - comp->program = program; - /* we can borrow the program stack for the operator stack */ - comp->stack = program->stack; comp->target = program->tokens; comp->target_len = &program->length; comp->length = strlen(sddl); diff --git a/librpc/idl/conditional_ace.idl b/librpc/idl/conditional_ace.idl index 8db0ed66b7b..3b8236f7e37 100644 --- a/librpc/idl/conditional_ace.idl +++ b/librpc/idl/conditional_ace.idl @@ -390,7 +390,6 @@ interface conditional_ace */ typedef [public] struct { ace_condition_token *tokens; - ace_condition_token *stack; uint32 length; } ace_condition_script;