CVE-2022-32743 s4:rpc_server/common: Add dcesrv_samdb_connect_session_info()

This function allows us to connect to samdb as a particular user by passing in that user's session info. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
author: Joseph Sutton <josephsutton@catalyst.net.nz> 2022-06-09 19:32:30 +1200
committer: Douglas Bagnall <dbagnall@samba.org> 2022-07-28 22:47:38 +0000
commit: 6b76bc7339addb14884c2d6ddb20c559c7fbe07d (patch)
tree: 4b57779e20578eb013b27b710c21697690f67fd8 /source4
parent: e1c52ac05a9ff505d2e5eac2f1ece4e95844ee71 (diff)
download: samba-6b76bc7339addb14884c2d6ddb20c559c7fbe07d.tar.gz
2 files changed, 40 insertions, 26 deletions
diff --git a/source4/rpc_server/common/common.h b/source4/rpc_server/common/common.h
index 7d2f8c569e4..b57ddf20db5 100644
--- a/source4/rpc_server/common/common.h
+++ b/source4/rpc_server/common/common.h
@@ -30,6 +30,7 @@ struct dcesrv_context;
 struct dcesrv_call_state;
 struct ndr_interface_table;
 struct ncacn_packet;
+struct auth_session_info;
 
 struct dcerpc_server_info { 
 	const char *domain_name;
diff --git a/source4/rpc_server/common/server_info.c b/source4/rpc_server/common/server_info.c
index a2af37653ef..34228c3d889 100644
--- a/source4/rpc_server/common/server_info.c
+++ b/source4/rpc_server/common/server_info.c
@@ -190,48 +190,44 @@ bool dcesrv_common_validate_share_name(TALLOC_CTX *mem_ctx, const char *share_na
 	return true;
 }
 
-static struct ldb_context *dcesrv_samdb_connect_common(
+/*
+ * call_session_info is session info for samdb. call_audit_session_info is for
+ * auditing and may be NULL.
+ */
+struct ldb_context *dcesrv_samdb_connect_session_info(
 	TALLOC_CTX *mem_ctx,
 	struct dcesrv_call_state *dce_call,
-	bool as_system)
+	const struct auth_session_info *call_session_info,
+	const struct auth_session_info *call_audit_session_info)
 {
 	struct ldb_context *samdb = NULL;
-	struct auth_session_info *system_session_info = NULL;
-	const struct auth_session_info *call_session_info =
-		dcesrv_call_session_info(dce_call);
 	struct auth_session_info *user_session_info = NULL;
-	struct auth_session_info *ldb_session_info = NULL;
 	struct auth_session_info *audit_session_info = NULL;
 	struct tsocket_address *remote_address = NULL;
 
-	if (as_system) {
-		system_session_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
-		if (system_session_info == NULL) {
-			return NULL;
-		}
-	}
-
 	user_session_info = copy_session_info(mem_ctx, call_session_info);
 	if (user_session_info == NULL) {
 		return NULL;
 	}
 
+	if (call_audit_session_info != NULL) {
+		audit_session_info = copy_session_info(mem_ctx, call_audit_session_info);
+		if (audit_session_info == NULL) {
+			talloc_free(user_session_info);
+			return NULL;
+		}
+	}
+
 	if (dce_call->conn->remote_address != NULL) {
 		remote_address = tsocket_address_copy(dce_call->conn->remote_address,
 						      user_session_info);
 		if (remote_address == NULL) {
+			TALLOC_FREE(audit_session_info);
+			talloc_free(user_session_info);
 			return NULL;
 		}
 	}
 
-	if (system_session_info != NULL) {
-		ldb_session_info = system_session_info;
-		audit_session_info = user_session_info;
-	} else {
-		ldb_session_info = user_session_info;
-		audit_session_info = NULL;
-	}
-
 	/*
 	 * We need to make sure every argument
 	 * stays arround for the lifetime of 'samdb',
@@ -253,10 +249,11 @@ static struct ldb_context *dcesrv_samdb_connect_common(
 		mem_ctx,
 		dce_call->event_ctx,
 		dce_call->conn->dce_ctx->lp_ctx,
-		ldb_session_info,
+		user_session_info,
 		remote_address,
 		0);
 	if (samdb == NULL) {
+		TALLOC_FREE(audit_session_info);
 		talloc_free(user_session_info);
 		return NULL;
 	}
@@ -265,6 +262,8 @@ static struct ldb_context *dcesrv_samdb_connect_common(
 	if (audit_session_info != NULL) {
 		int ret;
 
+		talloc_steal(samdb, audit_session_info);
+
 		ret = ldb_set_opaque(samdb,
 				     DSDB_NETWORK_SESSION_INFO,
 				     audit_session_info);
@@ -288,8 +287,18 @@ struct ldb_context *dcesrv_samdb_connect_as_system(
 	TALLOC_CTX *mem_ctx,
 	struct dcesrv_call_state *dce_call)
 {
-	return dcesrv_samdb_connect_common(mem_ctx, dce_call,
-					   true /* as_system */);
+	const struct auth_session_info *system_session_info = NULL;
+	const struct auth_session_info *call_session_info = NULL;
+
+	system_session_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
+	if (system_session_info == NULL) {
+		return NULL;
+	}
+
+	call_session_info = dcesrv_call_session_info(dce_call);
+
+	return dcesrv_samdb_connect_session_info(mem_ctx, dce_call,
+						 system_session_info, call_session_info);
 }
 
 /*
@@ -301,6 +310,10 @@ struct ldb_context *dcesrv_samdb_connect_as_user(
 	TALLOC_CTX *mem_ctx,
 	struct dcesrv_call_state *dce_call)
 {
-	return dcesrv_samdb_connect_common(mem_ctx, dce_call,
-					   false /* not as_system */);
+	const struct auth_session_info *call_session_info = NULL;
+
+	call_session_info = dcesrv_call_session_info(dce_call);
+
+	return dcesrv_samdb_connect_session_info(mem_ctx, dce_call,
+						 call_session_info, NULL);
 }
author	Joseph Sutton <josephsutton@catalyst.net.nz>	2022-06-09 19:32:30 +1200
committer	Douglas Bagnall <dbagnall@samba.org>	2022-07-28 22:47:38 +0000
commit	6b76bc7339addb14884c2d6ddb20c559c7fbe07d (patch)
tree	4b57779e20578eb013b27b710c21697690f67fd8 /source4
parent	e1c52ac05a9ff505d2e5eac2f1ece4e95844ee71 (diff)
download	samba-6b76bc7339addb14884c2d6ddb20c559c7fbe07d.tar.gz