sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-11 16:58:40 +03:00
Code

CVE-2023-0614 ldb: Filter on search base before redacting message

Browse Source 
Redaction may be expensive if we end up needing to fetch a security
descriptor to verify rights to an attribute. Checking the search scope
is probably cheaper, so do that first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-03-03 17:35:55 +13:00 committed by Jule Anger
parent d60683e5e9
commit a74571b49f
4 changed files with 47 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/ldb/common/ldb_match.c
View File

@ -39,10 +39,10 @@
/*
check if the scope matches in a search result
*/
static int ldb_match_scope(struct ldb_context *ldb,
struct ldb_dn *base,
struct ldb_dn *dn,
enum ldb_scope scope)
int ldb_match_scope(struct ldb_context *ldb,
struct ldb_dn *base,
struct ldb_dn *dn,
enum ldb_scope scope)
{
int ret = 0;

8
lib/ldb/include/ldb_private.h
View File

@ -322,6 +322,14 @@ int ldb_match_message(struct ldb_context *ldb,
const struct ldb_parse_tree *tree,
enum ldb_scope scope, bool *matched);
/*
check if the scope matches in a search result
*/
int ldb_match_scope(struct ldb_context *ldb,
struct ldb_dn *base,
struct ldb_dn *dn,
enum ldb_scope scope);
/* Reallocate elements to drop any excess capacity. */
void ldb_msg_shrink_to_fit(struct ldb_message *msg);

40
lib/ldb/ldb_key_value/ldb_kv_index.c
View File

@ -2428,6 +2428,27 @@ static int ldb_kv_index_filter(struct ldb_kv_private *ldb_kv,
return LDB_ERR_OPERATIONS_ERROR;
}
/*
* We trust the index for LDB_SCOPE_ONELEVEL
* unless the index key has been truncated.
*
* LDB_SCOPE_BASE is not passed in by our only caller.
*/
if (ac->scope != LDB_SCOPE_ONELEVEL ||
!ldb_kv->cache->one_level_indexes ||
scope_one_truncation != KEY_NOT_TRUNCATED)
{
/*
* The redaction callback may be expensive to call if it
* fetches a security descriptor. Check the DN early and
* bail out if it doesn't match the base.
*/
if (!ldb_match_scope(ldb, ac->base, msg->dn, ac->scope)) {
talloc_free(msg);
continue;
}
}
if (ldb->redact.callback != NULL) {
ret = ldb->redact.callback(ldb->redact.module, ac->req, msg);
if (ret != LDB_SUCCESS) {
@ -2436,23 +2457,8 @@ static int ldb_kv_index_filter(struct ldb_kv_private *ldb_kv,
}
}
/*
* We trust the index for LDB_SCOPE_ONELEVEL
* unless the index key has been truncated.
*
* LDB_SCOPE_BASE is not passed in by our only caller.
*/
if (ac->scope == LDB_SCOPE_ONELEVEL &&
ldb_kv->cache->one_level_indexes &&
scope_one_truncation == KEY_NOT_TRUNCATED) {
ret = ldb_match_message(ldb, msg, ac->tree,
ac->scope, &matched);
} else {
ret = ldb_match_msg_error(ldb, msg,
ac->tree, ac->base,
ac->scope, &matched);
}
ret = ldb_match_message(ldb, msg, ac->tree,
ac->scope, &matched);
if (ret != LDB_SUCCESS) {
talloc_free(keys);
talloc_free(msg);

14
lib/ldb/ldb_key_value/ldb_kv_search.c
View File

@ -395,6 +395,16 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv,
}
}
/*
* The redaction callback may be expensive to call if it fetches a
* security descriptor. Check the DN early and bail out if it doesn't
* match the base.
*/
if (!ldb_match_scope(ldb, ac->base, msg->dn, ac->scope)) {
talloc_free(msg);
return 0;
}
if (ldb->redact.callback != NULL) {
ret = ldb->redact.callback(ldb->redact.module, ac->req, msg);
if (ret != LDB_SUCCESS) {
@ -404,8 +414,8 @@ static int search_func(_UNUSED_ struct ldb_kv_private *ldb_kv,
}
/* see if it matches the given expression */
ret = ldb_match_msg_error(ldb, msg,
ac->tree, ac->base, ac->scope, &matched);
ret = ldb_match_message(ldb, msg,
ac->tree, ac->scope, &matched);
if (ret != LDB_SUCCESS) {
talloc_free(msg);
ac->error = LDB_ERR_OPERATIONS_ERROR;