CVE-2022-32746 ldb: Add flag to mark message element values as shared

When making a shallow copy of an ldb message, mark the message elements
of the copy as sharing their values with the message elements in the
original message.

This flag value will be heeded in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index 57dfc5a04c2b3f08c3a8535cc2569f44b9efb5e8..2a9ce384bb98f3aa0c8d03e20f796a96cff4ce02 100644 (file)
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -833,11 +833,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg)
                       ldb_msg_element_compare_name);
 }
 
-/*
-  shallow copy a message - copying only the elements array so that the caller
-  can safely add new elements without changing the message
-*/
-struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx,
                                         const struct ldb_message *msg)
 {
        struct ldb_message *msg2;
@@ -863,6 +859,35 @@ failed:
        return NULL;
 }
 
+/*
+  shallow copy a message - copying only the elements array so that the caller
+  can safely add new elements without changing the message
+*/
+struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+                                        const struct ldb_message *msg)
+{
+       struct ldb_message *msg2;
+       unsigned int i;
+
+       msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
+       if (msg2 == NULL) {
+               return NULL;
+       }
+
+       for (i = 0; i < msg2->num_elements; ++i) {
+               /*
+                * Mark this message's elements as sharing their values with the
+                * original message, so that we don't inadvertently modify or
+                * free them. We don't mark the original message element as
+                * shared, so the original message element should not be
+                * modified or freed while the shallow copy lives.
+                */
+               struct ldb_message_element *el = &msg2->elements[i];
+               el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
+       }
+
+        return msg2;
+}
 
 /*
   copy a message, allocating new memory for all parts
@@ -873,7 +898,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
        struct ldb_message *msg2;
        unsigned int i, j;
 
-       msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
+       msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
        if (msg2 == NULL) return NULL;
 
        if (msg2->dn != NULL) {
@@ -894,6 +919,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
                                goto failed;
                        }
                }
+
+                /*
+                 * Since we copied this element's values, we can mark them as
+                 * not shared.
+                */
+               el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
        }
 
        return msg2;

diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h
index 8c1e5ee7936c3a1b9af7d54369b5cfdc385244ab..4c7c85a17f0056fca5967670c88f18846692e5cd 100644 (file)
--- a/lib/ldb/include/ldb_module.h
+++ b/lib/ldb/include/ldb_module.h
@@ -96,6 +96,12 @@ struct ldb_module;
  */
 #define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100
 
+/*
+ * indicates that this element's values are shared with another element (for
+ * example, in a shallow copy of an ldb_message) and should not be freed
+ */
+#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200
+
 /* an extended match rule that always fails to match */
 #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1"