From 672fc0a1abbf65eca63337e75296a828c79aaabf Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Thu, 24 Aug 2023 15:08:13 +1200
Subject: [PATCH] libcli/security: find SDDL coda for RA and conditional ACEs
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 libcli/security/sddl.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 6da0a612efb..c7f13e9b9a1 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -481,6 +481,7 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 size_t len;
 size_t count = 0;
 char *str = *sddl_copy;
+ bool has_extra_data = false;
 ZERO_STRUCTP(ace);
 if (*str != '(') {
@@ -488,7 +489,7 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 }
 str++;
 /*
- * First we split apart the 6 tokens.
+ * First we split apart the 6 (or 7) tokens.
 *
 * 0. ace type
 * 1. ace flags
@@ -497,6 +498,7 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 * 4. inherit guid
 * 5. sid
 *
+ * 6/extra_data rare optional extra data
 */
 tok[0] = str;
 while (*str != '\0') {
@@ -507,11 +509,13 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 tok[count] = str;
 if (count == 6) {
 /*
- * When we get conditional or resource ACEs,
- * this will set a flag and break;
- * for now we just...
+ * this looks like a conditional ACE
+ * or resource ACE, but we can't say
+ * for sure until we look at the ACE
+ * type (tok[0]), after the loop.
 */
- return false;
+ has_extra_data = true;
+ break;
 }
 continue;
 }
@@ -546,6 +550,11 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 ace->type = v;
+ if (has_extra_data) {
+ DBG_WARNING("ACE has trailing section which is not yet supported");
+ return false;
+ }
+
 /* ace flags */
 if (!sddl_map_flags(ace_flags, tok[1], &v, NULL, false)) {
 return false;
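Review bot: `tok[count] = str;` runs before the `if (count == 6)` test, so the new branch leaves a seventh pointer in `tok[6]` and then carries on past the loop instead of returning immediately as the old code did. The declaration of `tok` is outside this hunk, so it is worth confirming it has at least seven elements now that slot 6 is a documented token. A guard ahead of the store, `if (count >= ARRAY_SIZE(tok)) { return false; }`, would make the bound explicit for SDDL strings with many colons. sddl_decode_ace begins and ends outside the hunk, so whatever sits between the loop and the type lookup also runs with `str` at the start of the extra data.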
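Review bot: The `DBG_WARNING` message has no trailing newline, so it will run into whatever debug line is logged next; it should read `DBG_WARNING("ACE has trailing section which is not yet supported\n");`. Rejecting every ACE that carries a seventh token, whatever its type, is the fail-closed choice here. A short comment saying so, e.g. `/* reject all ACEs with extra data until conditional and resource ACE parsing exists */`, would keep a later change from relaxing it by accident. If SDDL strings can reach this function from untrusted callers (not visible here), consider a lower debug level so malformed input cannot flood the log. The function continues outside the hunk.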