1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
From 717bde3288704d501368ca650963e2648d005c55 Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale@catalyst.net.nz>
Date: Mon, 30 Jul 2018 16:00:15 +1200
Subject: [PATCH] CVE-2018-10919 acl_read: Flip the logic in the dirsync check
This better reflects the special case we're making for dirsync, and gets
rid of a 'if-else' clause.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
---
source4/dsdb/samdb/ldb_modules/acl_read.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 17d6492cd35..9607ed05ee7 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -400,10 +400,12 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
bool in_search_filter;
+ /* check if attr is part of the search filter */
in_search_filter = dsdb_attr_in_parse_tree(ac->req->op.search.tree,
msg->elements[i].name);
- if (ac->indirsync) {
+ if (in_search_filter) {
+
/*
* We are doing dirysnc answers
* and the object shouldn't be returned (normally)
@@ -412,21 +414,16 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
* (remove the object if it is not deleted, or return
* just the objectGUID if it's deleted).
*/
- if (in_search_filter) {
+ if (ac->indirsync) {
ldb_msg_remove_attr(msg, "replPropertyMetaData");
break;
} else {
- aclread_mark_inaccesslible(&msg->elements[i]);
- }
- } else {
- /*
- * do not return this entry if attribute is
- * part of the search filter
- */
- if (in_search_filter) {
+
+ /* do not return this entry */
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
+ } else {
aclread_mark_inaccesslible(&msg->elements[i]);
}
} else if (ret != LDB_SUCCESS) {
--
2.18.0
|
