diff options
author | Ralph Boehme <slow@samba.org> | 2018-02-15 23:11:38 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2018-03-13 10:23:10 +0100 |
commit | 87b10d37533950abf793f64b43542632b3cb40ae (patch) | |
tree | 7de397160dea0be9adf8358634c4702239158879 /source4/dsdb | |
parent | 5c957af090354f678a75cb59861a3a61ef24333e (diff) | |
download | samba-87b10d37533950abf793f64b43542632b3cb40ae.tar.gz |
CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control
This is not strictly needed to fig bug 13272, but it makes sense to also
fix this while fixing the overall ACL checking logic.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 9b4be7b6909..d750362c47f 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -971,7 +971,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, struct ldb_message *msg; struct ldb_control *c = NULL; const char *passwordAttrs[] = { "userPassword", "clearTextPassword", - "unicodePwd", "dBCSPwd", NULL }, **l; + "unicodePwd", NULL }, **l; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); struct dsdb_control_password_acl_validation *pav = NULL; @@ -1031,6 +1031,15 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx, goto checked; } + el = ldb_msg_find_element(req->op.mod.message, "dBCSPwd"); + if (el != NULL) { + /* + * dBCSPwd is only allowed with a control. + */ + talloc_free(tmp_ctx); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message); if (msg == NULL) { return ldb_module_oom(module); |