mirror of
https://github.com/samba-team/samba.git
synced 2025-08-26 01:49:31 +03:00
s3:passdb: Zero secrets_domain_info1_password created via secrets_fetch()
Zero out these members of struct secrets_domain_info1_password: DATA_BLOB cleartext_blob; struct samr_Password nt_hash; struct secrets_domain_info1_kerberos_key *keys; Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
committed by
Andreas Schneider
parent
01c0ab191a
commit
da2c723266
@ -685,6 +685,28 @@ char *secrets_fetch_machine_password(const char *domain,
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int password_nt_hash_destructor(struct secrets_domain_info1_password *pw)
|
||||
{
|
||||
ZERO_STRUCT(pw->nt_hash);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int setup_password_zeroing(struct secrets_domain_info1_password *pw)
|
||||
{
|
||||
if (pw != NULL) {
|
||||
size_t i;
|
||||
|
||||
talloc_keep_secret(pw->cleartext_blob.data);
|
||||
talloc_set_destructor(pw, password_nt_hash_destructor);
|
||||
for (i = 0; i < pw->num_keys; i++) {
|
||||
talloc_keep_secret(pw->keys[i].value.data);
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static char *domain_info_keystr(const char *domain)
|
||||
{
|
||||
char *keystr;
|
||||
@ -726,6 +748,13 @@ static NTSTATUS secrets_fetch_domain_info1_by_key(const char *key,
|
||||
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
||||
}
|
||||
|
||||
if (sdib.info.info1->next_change != NULL) {
|
||||
setup_password_zeroing(sdib.info.info1->next_change->password);
|
||||
}
|
||||
setup_password_zeroing(sdib.info.info1->password);
|
||||
setup_password_zeroing(sdib.info.info1->old_password);
|
||||
setup_password_zeroing(sdib.info.info1->older_password);
|
||||
|
||||
if (sdib.version != SECRETS_DOMAIN_INFO_VERSION_1) {
|
||||
DBG_ERR("sdib.version = %u\n", (unsigned)sdib.version);
|
||||
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
||||
|
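Review bot: In the second hunk the new `setup_password_zeroing(...)` calls dereference `sdib.info.info1` (`->next_change`, `->password`, `->old_password`, `->older_password`) before the `sdib.version != SECRETS_DOMAIN_INFO_VERSION_1` check that follows them. If `info` is a union selected by `version` (its declaration is not visible here), a record carrying another version would have `info1` read and dereferenced before it is rejected as `NT_STATUS_INTERNAL_DB_CORRUPTION`. I would move the whole zeroing block below the version check, and add a NULL check on `sdib.info.info1` there if the decoder can leave that pointer unset. Separately, `setup_password_zeroing()` always returns 0 and every caller ignores the result, so it could be declared `static void`. The enclosing function `secrets_fetch_domain_info1_by_key` starts and ends outside the hunk.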