Diffstat (limited to 'main/samba/0002-CVE-2018-10919-security-Add-more-comments-to-the-obj.patch')
-rw-r--r--main/samba/0002-CVE-2018-10919-security-Add-more-comments-to-the-obj.patch78
1 files changed, 78 insertions, 0 deletions
diff --git a/main/samba/0002-CVE-2018-10919-security-Add-more-comments-to-the-obj.patch b/main/samba/0002-CVE-2018-10919-security-Add-more-comments-to-the-obj.patch
new file mode 100644
index 0000000000..f500faea47
--- /dev/null
+++ b/main/samba/0002-CVE-2018-10919-security-Add-more-comments-to-the-obj.patch
@@ -0,0 +1,78 @@
+From 81865e8584a0f597650a9df31d49bad3e7549d26 Mon Sep 17 00:00:00 2001
+From: Tim Beale <timbeale@catalyst.net.nz>
+Date: Fri, 20 Jul 2018 13:13:50 +1200
+Subject: [PATCH] CVE-2018-10919 security: Add more comments to the
+ object-specific access checks
+
+Reading the spec and then reading the code makes sense, but we could
+comment the code more so it makes sense on its own.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
+
+Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
+---
+ libcli/security/access_check.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
+index b4e62441542..93eb85def91 100644
+--- a/libcli/security/access_check.c
++++ b/libcli/security/access_check.c
+@@ -392,32 +392,46 @@ static NTSTATUS check_object_specific_access(struct security_ace *ace,
+
+ *grant_access = false;
+
+- /*
+- * check only in case we have provided a tree,
+- * the ACE has an object type and that type
+- * is in the tree
+- */
+- type = get_ace_object_type(ace);
+-
++ /* if no tree was supplied, we can't do object-specific access checks */
+ if (!tree) {
+ return NT_STATUS_OK;
+ }
+
++ /* Get the ObjectType GUID this ACE applies to */
++ type = get_ace_object_type(ace);
++
++ /*
++ * If the ACE doesn't have a type, then apply it to the whole tree, i.e.
++ * treat 'OA' ACEs as 'A' and 'OD' as 'D'
++ */
+ if (!type) {
+ node = tree;
+ } else {
+- if (!(node = get_object_tree_by_GUID(tree, type))) {
++
++ /* skip it if the ACE's ObjectType GUID is not in the tree */
++ node = get_object_tree_by_GUID(tree, type);
++ if (!node) {
+ return NT_STATUS_OK;
+ }
+ }
+
+ if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
++
++ /* apply the access rights to this node, and any children */
+ object_tree_modify_access(node, ace->access_mask);
++
++ /*
++ * Currently all nodes in the tree request the same access mask,
++ * so we can use any node to check if processing this ACE now
++ * means the requested access has been granted
++ */
+ if (node->remaining_access == 0) {
+ *grant_access = true;
+ return NT_STATUS_OK;
+ }
+ } else {
++
++ /* this ACE denies access to the requested object/attribute */
+ if (node->remaining_access & ace->access_mask){
+ return NT_STATUS_ACCESS_DENIED;
+ }
+--
+2.18.0
+