1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

130220 Commits

Author SHA1 Message Date
Joseph Sutton
be239c7168 CVE-2022-2031 tests/krb5: Test truncated forms of server principals
We should not be able to use krb@REALM instead of krbtgt@REALM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
bbad8f1de4 CVE-2022-32744 s4:kdc: Don't allow HDB keytab iteration
A fallback in krb5_rd_req_ctx() means that Samba's kpasswd service will
try many inappropriate keys to decrypt the ticket supplied to it. For
example, it will accept a ticket encrypted with the Administrator's key,
when it should rather accept only tickets encrypted with the krbtgt's
key (and not an RODC krbtgt). To fix this, declare the HDB keytab using
the HDBGET ops, which do not support iteration.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
ffb599050a CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
For Heimdal, this now matches the behaviour of Windows. The object of
this requirement is to ensure we don't allow kpasswd tickets, not having
a lifetime of more than two minutes, to be passed off as TGTs.

An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer
suffices to prevent kpasswd ticket misuse, so this is just an additional
precaution on top.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
018bdbc29d CVE-2022-2031 third_party/heimdal: Add function to get current KDC time
This allows the plugin to check the endtime of a ticket against the
KDC's current time, to see if the ticket will expire in the next two
minutes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
3e773a3954 CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
This matches the behaviour of Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
c0282bbbc1 CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
Since this principal goes through the samba_kdc_fetch_server() path,
setting the canonicalisation flag would cause the principal to be
replaced with the sAMAccountName; this meant requests to
kadmin/changepw@REALM would result in a ticket to krbtgt@REALM. Now we
properly handle canonicalisation for the kadmin/changepw principal.

View with 'git show -b'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
186f0c6e48 CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
This eliminates some duplicate branches.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
c6d9350491 CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Andreas Schneider
23a03911a7 CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Andreas Schneider
a8068e32a0 CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
d6580f3572 s4:kpasswd: Restructure code for clarity
View with 'git show -b'.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
ce3b7b27a3 CVE-2022-2031 s4:kpasswd: Require an initial ticket
Ensure that for password changes the client uses an AS-REQ to get the
ticket to kpasswd, and not a TGS-REQ.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
bbfbbb9f64 CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
This will be used in the kpasswd service to ensure that the client has
an initial ticket to kadmin/changepw, and not a service ticket.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
e0c135e6c1 CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
If we attempt to return an error code outside of Heimdal's allowed range
[KRB5KDC_ERR_NONE, KRB5_ERR_RCSID), it will be replaced with a GENERIC
error, and the error text will be set to the meaningless result of
krb5_get_error_message(). Avoid this by ensuring the error code is in
the correct range.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
4e2e767a78 CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
The error code passed in will be an offset from ERROR_TABLE_BASE_krb5,
so we need to subtract that before creating the error. Heimdal does this
internally, so it isn't needed there.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
f89e5eff5f CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
1f7d94b5fc CVE-2022-2031 s4:kpasswd: Correctly generate error strings
The error_data we create already has an explicit length, and should not
be zero-terminated, so we omit the trailing null byte. Previously,
Heimdal builds would leave a superfluous trailing null byte on error
strings, while MIT builds would omit the final character.

The two bytes added to the string's length are for the prepended error
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
86698b313e CVE-2022-2031 tests/krb5: Add tests for kpasswd service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
192d597c2f CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20
With MIT Kerberos >= 1.20, we should not expect a ticket checksum in
tickets to principals such as kpasswd/changepw, as they are encrypted
with the krbtgt's key.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
4212037a6a CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
6a2ec50bfd CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
Now we can test the kpasswd service from Python.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
332fd6032a CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
1e80767c1d tests/krb5: Add option for creating accounts with expired passwords
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
2bb1f40b9a tests/krb5: Fix enum typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
18bd6dafb5 CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
This allows us to send and receive kpasswd messages, while avoiding the
existing logic for encoding and decoding other Kerberos message types.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
888d58f433 CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
This allows us to use the kpasswd port, 464.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
a5a2fc4259 CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
48eb3354c5 CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
ebccd0440a CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
a118881f4f CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
This allows us to make use of it in other tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
f152afa74e CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
The environment variable is a string, but we expect an integer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
714cadfc40 CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
The target principal and realm fields of the setpw structure are
supposed to be optional, but in MIT Kerberos they are mandatory. For
better compatibility and ease of testing, fall back to parsing the
simpler (containing only the new password) structure if the MIT function
fails to decode it.

Although the target principal and realm fields should be optional, one
is not supposed to specified without the other, so we don't have to deal
with the case where only one is specified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
b423c370b9 CVE-2022-2031 s4:kpasswd: Account for missing target principal
This field is supposed to be optional.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
2872ccc931 CVE-2022-2031 third_party/heimdal: Check generate_pac() return code
If the function fails, we should not issue a ticket missing the PAC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
9881491023 CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
To use memcpy(), we need to specify the number of bytes to copy, rather
than the number of ldb_val structures.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
aa728dfcc9 CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
Doing so is undefined behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
4a31c48057 CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
Currently, we can crash the server by sending a large number of values
of a specific attribute (such as sAMAccountName) spread across a few
message elements. If val_count is larger than the total number of
elements, we get an access beyond the elements array.

Similarly, we can include unrelated message elements prior to the
message elements of the attribute in question, so that not all of the
attribute's values are copied into the returned elements values array.
This can cause the server to access uninitialised data, likely resulting
in a crash or unexpected behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
4ec784e0a9 CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
This avoids potentially trying to access the first element of an empty
array.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Andrew Bartlett
f4eb4e6478 CVE-2022-32746 ldb: Release LDB 2.6.1
* CVE-2022-32746 Use-after-free occurring in database audit logging module (bug 15009)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
0a3aa5f908 CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
This aims to minimise usage of the error-prone pattern of searching for
a just-added message element in order to make modifications to it (and
potentially finding the wrong element).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
df487eb2d7 CVE-2022-32746 ldb: Add functions for appending to an ldb_message
Currently, there are many places where we use ldb_msg_add_empty() to add
an empty element to a message, and then call ldb_msg_add_value() or
similar to add values to that element. However, this performs an
unnecessary search of the message's elements to locate the new element.
Moreover, if an element with the same attribute name already exists
earlier in the message, the values will be added to that element,
instead of to the intended newly added element.

A similar pattern exists where we add values to a message, and then call
ldb_msg_find_element() to locate that message element and sets its flags
to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary
search, and may locate the wrong message element for setting the flags.

To avoid these problems, add functions for appending a value to a
message, so that a particular value can be added to the end of a message
in a single operation.

For ADD requests, it is important that no two message elements share the
same attribute name, otherwise things will break. (Normally,
ldb_msg_normalize() is called before processing the request to help
ensure this.) Thus, we must be careful not to append an attribute to an
ADD message, unless we are sure (e.g. through ldb_msg_find_element())
that an existing element for that attribute is not present.

These functions will be used in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
a2bb5beee8 CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message
Using the newly added ldb flag, we can now detect when a message has
been shallow-copied so that its elements share their values with the
original message elements. Then when adding values to the copied
message, we now make a copy of the shared values array first.

This should prevent a use-after-free that occurred in LDB modules when
new values were added to a shallow copy of a message by calling
talloc_realloc() on the original values array, invalidating the 'values'
pointer in the original message element. The original values pointer can
later be used in the database audit logging module which logs database
requests, and potentially cause a crash.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
7efe8182c1 CVE-2022-32746 ldb: Add flag to mark message element values as shared
When making a shallow copy of an ldb message, mark the message elements
of the copy as sharing their values with the message elements in the
original message.

This flag value will be heeded in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
3e4439565b CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
e8ebdb9936 CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
e3b0026413 CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
41b1fe6d4a CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
99b805e4cb CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(el->flags & LDB_FLAG_MOD_MASK) == 0

which is only true if none of the LDB_FLAG_MOD_* values are set, so we
would not successfully return if the element was a DELETE. Correct the
expression to what it was intended to be.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
64258fd8b1 CVE-2022-32746 s4:torture: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(el->flags & LDB_FLAG_MOD_MASK) == 0

which is only true if none of the LDB_FLAG_MOD_* values are set. Correct
the expression to what it was probably intended to be.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00
Joseph Sutton
d178a06140 CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0

which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct
the expression to what it was probably intended to be.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-27 10:52:36 +00:00