
conditional_aces: Avoid manual parsing for ace_condition_sid

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett 2023-09-20 09:31:31 +12:00
parent 1e45a4d10a
commit 94d1cfbd85
6 changed files with 36 additions and 39 deletions


@ -152,7 +152,7 @@ static bool claim_v1_sid_to_ace_sid(
}
result->type = CONDITIONAL_ACE_TOKEN_SID;
result->data.sid.sid = sid;
result->data.sid.sid = *sid;
return true;
}
@ -370,7 +370,7 @@ static bool ace_sid_to_claim_v1_sid(TALLOC_CTX *mem_ctx,
{
/* claim_v1 sid is an "S-1-*" string data blob, not struct dom_sid. */
DATA_BLOB *blob = NULL;
char *s = dom_sid_string(mem_ctx, tok->data.sid.sid);
char *s = dom_sid_string(mem_ctx, &tok->data.sid.sid);
if (s == NULL) {
return false;
}
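Review bot: `result->data.sid.sid = *sid;` now copies the SID by value, so the token no longer references the object `sid` points at; if `sid` is a talloc allocation made earlier in claim_v1_sid_to_ace_sid (the function's start is outside the hunk), it has become a temporary that could be released with `TALLOC_FREE(sid);` right after the copy instead of living until its parent context is freed. The same applies to `token.data.sid.sid = *sid;` in parse_sid in the later SDDL file section. If `sid` instead points into caller-owned data, nothing needs to change, and a short comment saying so would save the next reader the same question.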


@ -18,6 +18,7 @@
#include "replace.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "librpc/gen_ndr/ndr_conditional_ace.h"
#include "librpc/gen_ndr/conditional_ace.h"
#include "libcli/security/security.h"
#include "libcli/security/conditional_ace.h"
@ -264,25 +265,21 @@ static ssize_t pull_sid(TALLOC_CTX *mem_ctx,
uint8_t *data, size_t length,
struct ace_condition_sid *tok)
{
uint32_t tok_length;
ssize_t sidlen;
if (length < 4) {
ssize_t bytes_used;
enum ndr_err_code ndr_err;
DATA_BLOB v = data_blob_const(data, length);
struct ndr_pull *ndr = ndr_pull_init_blob(&v, mem_ctx);
if (ndr == NULL) {
return -1;
}
tok_length = PULL_LE_U32(data, 0);
if (tok_length > length - 4) {
ndr_err = ndr_pull_ace_condition_sid(ndr, NDR_SCALARS|NDR_BUFFERS, tok);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
TALLOC_FREE(ndr);
return -1;
}
tok->sid = talloc(mem_ctx, struct dom_sid);
if (tok->sid == NULL) {
return -1;
}
sidlen = sid_parse(data + 4, tok_length, tok->sid);
if (sidlen == -1) {
talloc_free(tok->sid);
return -1;
}
return tok_length + 4;
bytes_used = ndr->offset;
TALLOC_FREE(ndr);
return bytes_used;
}
static ssize_t push_sid(uint8_t *data, size_t available,
@ -290,22 +287,19 @@ static ssize_t push_sid(uint8_t *data, size_t available,
{
enum ndr_err_code ndr_err;
DATA_BLOB v;
ssize_t total_length;
ndr_err = ndr_push_struct_blob(&v, NULL,
tok->sid,
(ndr_push_flags_fn_t)ndr_push_dom_sid);
tok,
(ndr_push_flags_fn_t)ndr_push_ace_condition_sid);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return -1;
}
total_length = v.length + 4;
if (available < total_length) {
if (available < v.length) {
talloc_free(v.data);
return -1;
}
PUSH_LE_U32(data, 0, v.length);
memcpy(data + 4, v.data, v.length);
memcpy(data, v.data, v.length);
talloc_free(v.data);
return total_length;
return v.length;
}
@ -904,7 +898,7 @@ static bool member_lookup(
bool arg_is_a_single_sid;
struct dom_sid *sid_array = NULL;
size_t num_sids, i, j;
struct dom_sid *sid = NULL;
const struct dom_sid *sid = NULL;
result->type = CONDITIONAL_ACE_SAMBA_RESULT_BOOL;
result->data.result.value = ACE_CONDITION_UNKNOWN;
@ -973,7 +967,7 @@ static bool member_lookup(
* In this case the any and all operations are the
* same.
*/
sid = arg->data.sid.sid;
sid = &arg->data.sid.sid;
match = false;
for (i = 0; i < num_sids; i++) {
match = dom_sid_equal(sid, &sid_array[i]);
@ -1007,7 +1001,7 @@ static bool member_lookup(
j, member->type);
return false;
}
sid = member->data.sid.sid;
sid = &member->data.sid.sid;
match = false;
for (i = 0; i < num_sids; i++) {
match = dom_sid_equal(sid, &sid_array[i]);
@ -1397,8 +1391,8 @@ static bool compare_sids(const struct ace_condition_token *op,
const struct ace_condition_token *rhs,
int *cmp)
{
*cmp = dom_sid_compare(lhs->data.sid.sid,
rhs->data.sid.sid);
*cmp = dom_sid_compare(&lhs->data.sid.sid,
&rhs->data.sid.sid);
return true;
}
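Review bot: pull_sid now relies entirely on the generated NDR code for the 4-byte length prefix and the bounds checks that the removed `length < 4` and `tok_length > length - 4` guards performed explicitly, and nothing in the function says so; a one-line comment would stop a future reader from re-adding them: `/* The 4-byte length prefix and SID bounds are validated by ndr_pull_ace_condition_sid, per [subcontext(4)] in conditional_ace.idl. */`. On the `-1` path the pull may already have written part of `*tok` before failing, so callers should treat `tok` as unspecified after an error; that is worth stating in the same comment. The two `TALLOC_FREE(ndr)` exits are short enough that a goto-cleanup is not needed. push_sid's signature sits in the hunk header, so only its body is visible here.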


@ -560,7 +560,7 @@ char *debug_conditional_ace(TALLOC_CTX *mem_ctx,
break;
case CONDITIONAL_ACE_TOKEN_SID:
utf8 = sddl_encode_sid(mem_ctx,
tok->data.sid.sid,
&tok->data.sid.sid,
NULL);
snprintf(line, sizeof(line),
"%s (%s)\n",
@ -883,7 +883,7 @@ static bool sddl_write_sid(struct sddl_write_context *ctx,
bool ok;
char *sddl = NULL;
char *sid = sddl_encode_sid(ctx->mem_ctx,
tok->data.sid.sid,
&tok->data.sid.sid,
NULL);
if (sid == NULL) {
return false;
@ -2019,7 +2019,7 @@ static bool parse_sid(struct ace_condition_sddl_compiler_context *comp)
comp->offset++;
}
token.type = CONDITIONAL_ACE_TOKEN_SID;
token.data.sid.sid = sid;
token.data.sid.sid = *sid;
return write_sddl_token(comp, token);
}
@ -3167,7 +3167,7 @@ static bool write_resource_attr_from_token(struct sddl_write_context *ctx,
case CONDITIONAL_ACE_TOKEN_SID:
/* unlike conditional ACE, SID does not had "SID()" wrapper. */
sid = sddl_encode_sid(ctx->mem_ctx, tok->data.sid.sid, NULL);
sid = sddl_encode_sid(ctx->mem_ctx, &tok->data.sid.sid, NULL);
if (sid == NULL) {
return false;
}


@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-security',
'util_sid.c', 'session.c', 'secdesc.c',
'conditional_ace.c', 'sddl_conditional_ace.c',
'claims-conversions.c'],
private_library=True, deps='talloc ndr NDR_SECURITY')
private_library=True, deps='talloc ndr NDR_SECURITY NDR_CONDITIONAL_ACE')
pytalloc_util = bld.pyembed_libname('pytalloc-util')
bld.SAMBA_PYTHON('pysecurity',


@ -264,8 +264,6 @@ interface conditional_ace
/*
* Sub-structures for struct ace_condition_token -> data,
* which vary according to the token->type.
*
* These are not used on the wire.
*/
typedef [flag(NDR_NOALIGN)] struct {
int64 value;
@ -287,8 +285,8 @@ interface conditional_ace
uint32 length;
} ace_condition_bytes;
typedef struct {
dom_sid *sid;
typedef [public] struct {
[subcontext(4)] dom_sid sid;
} ace_condition_sid;
/*
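Review bot: The sub-structure comment loses its "These are not used on the wire" sentence, but the reason — that ace_condition_sid is now pushed and pulled with NDR and its `[subcontext(4)]` defines the 4-byte length-prefixed encoding — is recorded nowhere in the IDL. A comment on the new typedef would capture it: `/* Marshalled with NDR: a 4-byte length prefix followed by the SID. */`. Embedding `dom_sid` by value rather than by pointer also enlarges whatever union or struct holds an ace_condition_sid (presumably the token `data` union, which this hunk does not show); noting that this was a deliberate trade for simpler parsing would help later readers.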


@ -448,6 +448,11 @@ bld.SAMBA_SUBSYSTEM('NDR_WINSTATION',
public_deps='ndr'
)
bld.SAMBA_SUBSYSTEM('NDR_CONDITIONAL_ACE',
source='gen_ndr/ndr_conditional_ace.c',
public_deps='ndr'
)
bld.SAMBA_SUBSYSTEM('RPC_NDR_ATSVC',
source='gen_ndr/ndr_atsvc_c.c',
public_deps='dcerpc-binding NDR_ATSVC'