CVE-2018-10919 acl_read: Split access_mask logic out into helper function
authorTim Beale <timbeale@catalyst.net.nz>
Fri, 20 Jul 2018 01:52:24 +0000 (13:52 +1200)
committerKarolin Seeger <kseeger@samba.org>
Sat, 11 Aug 2018 06:16:02 +0000 (08:16 +0200)
So we can re-use the same logic laster for checking the search-ops.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
source4/dsdb/samdb/ldb_modules/acl_read.c

index 3c9cf7c0672c945dd5d7e5484b5d9196baa1cf62..f42b131948c73d49587bde9d260b3dd07101cdd9 100644 (file)
@@ -227,6 +227,40 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac,
        return LDB_SUCCESS;
 }
 
+/*
+ * Returns the access mask required to read a given attribute
+ */
+static uint32_t get_attr_access_mask(const struct dsdb_attribute *attr,
+                                    uint32_t sd_flags)
+{
+
+       uint32_t access_mask = 0;
+       bool is_sd;
+
+       /* nTSecurityDescriptor is a special case */
+       is_sd = (ldb_attr_cmp("nTSecurityDescriptor",
+                             attr->lDAPDisplayName) == 0);
+
+       if (is_sd) {
+               if (sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+                       access_mask |= SEC_STD_READ_CONTROL;
+               }
+               if (sd_flags & SECINFO_DACL) {
+                       access_mask |= SEC_STD_READ_CONTROL;
+               }
+               if (sd_flags & SECINFO_SACL) {
+                       access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+               }
+       } else {
+               access_mask = SEC_ADS_READ_PROP;
+       }
+
+       if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
+               access_mask |= SEC_ADS_CONTROL_ACCESS;
+       }
+
+       return access_mask;
+}
 
 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 {
@@ -342,26 +376,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
                                aclread_mark_inaccesslible(&msg->elements[i]);
                                continue;
                        }
-                       /* nTSecurityDescriptor is a special case */
-                       if (is_sd) {
-                               access_mask = 0;
-
-                               if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
-                                       access_mask |= SEC_STD_READ_CONTROL;
-                               }
-                               if (ac->sd_flags & SECINFO_DACL) {
-                                       access_mask |= SEC_STD_READ_CONTROL;
-                               }
-                               if (ac->sd_flags & SECINFO_SACL) {
-                                       access_mask |= SEC_FLAG_SYSTEM_SECURITY;
-                               }
-                       } else {
-                               access_mask = SEC_ADS_READ_PROP;
-                       }
 
-                       if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
-                               access_mask |= SEC_ADS_CONTROL_ACCESS;
-                       }
+                       access_mask = get_attr_access_mask(attr, ac->sd_flags);
 
                        if (access_mask == 0) {
                                aclread_mark_inaccesslible(&msg->elements[i]);