diff options
| author | Tim Beale <timbeale@catalyst.net.nz> | 2018-07-26 12:20:49 +1200 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2018-08-13 09:13:36 +0200 |
| commit | 533106ae9c210a3d7c501f239e7de9d0966f27b9 (patch) | |
| tree | 19684b111d91bfe2ef733e78f722b9b9110b1f49 | |
| parent | fa7bcea388b310f461f1f2c1788687523c6f1a18 (diff) | |
| download | samba-533106ae9c210a3d7c501f239e7de9d0966f27b9.tar.gz | |
CVE-2018-10919 acl_read: Small refactor to aclread_callback()
Flip the dirsync check (to avoid a double negative), and use a helper
boolean variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_read.c | 31 |
1 files changed, 17 insertions, 14 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index 4aa517c9980..75642b305c5 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -239,18 +239,12 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) * in anycase. */ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { - if (!ac->indirsync) { - /* - * do not return this entry if attribute is - * part of the search filter - */ - if (dsdb_attr_in_parse_tree(ac->req->op.search.tree, - msg->elements[i].name)) { - talloc_free(tmp_ctx); - return LDB_SUCCESS; - } - aclread_mark_inaccesslible(&msg->elements[i]); - } else { + bool in_search_filter; + + in_search_filter = dsdb_attr_in_parse_tree(ac->req->op.search.tree, + msg->elements[i].name); + + if (ac->indirsync) { /* * We are doing dirysnc answers * and the object shouldn't be returned (normally) @@ -259,13 +253,22 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) * (remove the object if it is not deleted, or return * just the objectGUID if it's deleted). */ - if (dsdb_attr_in_parse_tree(ac->req->op.search.tree, - msg->elements[i].name)) { + if (in_search_filter) { ldb_msg_remove_attr(msg, "replPropertyMetaData"); break; } else { aclread_mark_inaccesslible(&msg->elements[i]); } + } else { + /* + * do not return this entry if attribute is + * part of the search filter + */ + if (in_search_filter) { + talloc_free(tmp_ctx); + return LDB_SUCCESS; + } + aclread_mark_inaccesslible(&msg->elements[i]); } } else if (ret != LDB_SUCCESS) { ldb_debug_set(ldb, LDB_DEBUG_FATAL, |