1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
From 81865e8584a0f597650a9df31d49bad3e7549d26 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale@catalyst.net.nz>
Date: Fri, 20 Jul 2018 13:13:50 +1200
Subject: [PATCH] CVE-2018-10919 security: Add more comments to the
object-specific access checks
Reading the spec and then reading the code makes sense, but we could
comment the code more so it makes sense on its own.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
---
libcli/security/access_check.c | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index b4e62441542..93eb85def91 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -392,32 +392,46 @@ static NTSTATUS check_object_specific_access(struct security_ace *ace,
*grant_access = false;
- /*
- * check only in case we have provided a tree,
- * the ACE has an object type and that type
- * is in the tree
- */
- type = get_ace_object_type(ace);
-
+ /* if no tree was supplied, we can't do object-specific access checks */
if (!tree) {
return NT_STATUS_OK;
}
+ /* Get the ObjectType GUID this ACE applies to */
+ type = get_ace_object_type(ace);
+
+ /*
+ * If the ACE doesn't have a type, then apply it to the whole tree, i.e.
+ * treat 'OA' ACEs as 'A' and 'OD' as 'D'
+ */
if (!type) {
node = tree;
} else {
- if (!(node = get_object_tree_by_GUID(tree, type))) {
+
+ /* skip it if the ACE's ObjectType GUID is not in the tree */
+ node = get_object_tree_by_GUID(tree, type);
+ if (!node) {
return NT_STATUS_OK;
}
}
if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
+
+ /* apply the access rights to this node, and any children */
object_tree_modify_access(node, ace->access_mask);
+
+ /*
+ * Currently all nodes in the tree request the same access mask,
+ * so we can use any node to check if processing this ACE now
+ * means the requested access has been granted
+ */
if (node->remaining_access == 0) {
*grant_access = true;
return NT_STATUS_OK;
}
} else {
+
+ /* this ACE denies access to the requested object/attribute */
if (node->remaining_access & ace->access_mask){
return NT_STATUS_ACCESS_DENIED;
}
--
2.18.0
|
