SIDs may contain non-zero memory beyond SubAuthorityCount:
{
key(15) = "SECRETS/SID/FOO"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00}u@\8C\08\A3\06nx\95\16\FE\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00`F\92\B7\03\00\00\00\18e\92\B7\03\00\00\00@H\92\B7\00\00\00\00"
}
These parts are lost when converting to ``string format syntax``
so a roundtrip conversion does not result in the same binary
representation.
Ensure that these never reach the tdb by using an initialized
copy. This allows bitwise comparisons of secrets.tdb after
dumping SIDs as text and reading them back.
Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 19 13:59:04 CEST 2018 on sn-devel-144
{
char *protect_ids;
bool ret;
+ struct dom_sid clean_sid = { 0 };
protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
if (protect_ids) {
}
SAFE_FREE(protect_ids);
- ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(struct dom_sid ));
+ /*
+ * use a copy to prevent uninitialized memory from being carried over
+ * to the tdb
+ */
+ sid_copy(&clean_sid, sid);
+
+ ret = secrets_store(domain_sid_keystr(domain),
+ &clean_sid,
+ sizeof(struct dom_sid));
/* Force a re-query, in the case where we modified our domain */
if (ret) {