sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
Code

CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass

Browse Source 
This tightens the logic a bit, in that a message with trailing DELETE
elements is no longer accepted when the bypass flag is set. In any case
this is an unlikely scenario as this is an internal flag set by a private
control in pdb_samba_dsdb_replace_by_sam().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Douglas Bagnall 2021-10-20 17:20:54 +13:00 committed by Jule Anger
parent 59201d5424
commit b9962c1e5e
1 changed files with 19 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
source4/dsdb/samdb/ldb_modules/password_hash.c
View File

@ -2247,23 +2247,31 @@ static int setup_last_set_field(struct setup_password_fields_io *io)
}
if (io->ac->pwd_last_set_bypass) {
struct ldb_message_element *el1 = NULL;
struct ldb_message_element *el2 = NULL;
struct ldb_message_element *el = NULL;
size_t i;
size_t count = 0;
/*
* This is a message from pdb_samba_dsdb_replace_by_sam()
*
* We want to ensure there is only one pwdLastSet element, and
* it isn't deleting.
*/
if (msg == NULL) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}
el1 = dsdb_get_single_valued_attr(msg, "pwdLastSet",
io->ac->req->operation);
if (el1 == NULL) {
for (i = 0; i < msg->num_elements; i++) {
if (ldb_attr_cmp(msg->elements[i].name,
"pwdLastSet") == 0) {
count++;
el = &msg->elements[i];
}
}
if (count != 1) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}
el2 = ldb_msg_find_element(msg, "pwdLastSet");
if (el2 == NULL) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}
if (el1 != el2) {
if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}