From e312585d577c0207f0a222a61aea03e11078cdfb Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 14 Jun 2022 21:09:53 +1200 Subject: [PATCH 01/18] CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c index 438d39e2521..638e9d0cfe7 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c @@ -261,7 +261,7 @@ static int attr_handler(struct oc_context *ac) LDB_CONTROL_AS_SYSTEM_OID); if (!dsdb_module_am_system(ac->module) && !as_system) { ldb_asprintf_errstring(ldb, - "objectclass_attrs: attribute '%s' on entry '%s' must can only be modified as system", + "objectclass_attrs: attribute '%s' on entry '%s' can only be modified as system", msg->elements[i].name, ldb_dn_get_linearized(msg->dn)); return LDB_ERR_CONSTRAINT_VIOLATION; -- 2.35.0 From 2e928d58ad23d5eb5dbbe02b49925ee695d615bd Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Jun 2022 15:37:15 +1200 Subject: [PATCH 02/18] CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN If an account has an SPN that requires Write Property to set, we should still be able to delete it with just Validated Write. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- selftest/knownfail.d/acl-spn-delete | 1 + source4/dsdb/tests/python/acl.py | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 selftest/knownfail.d/acl-spn-delete diff --git a/selftest/knownfail.d/acl-spn-delete b/selftest/knownfail.d/acl-spn-delete new file mode 100644 index 00000000000..32018413c49 --- /dev/null +++ b/selftest/knownfail.d/acl-spn-delete @@ -0,0 +1 @@ +^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\( diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 245b5fd7737..0f4185c23fa 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -2285,6 +2285,32 @@ class AclSPNTests(AclTests): else: self.fail(f'able to add disallowed SPN {not_allowed_spn}') + def test_delete_disallowed_spn(self): + # Grant Validated-SPN property. + mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})' + self.sd_utils.dacl_add_ace(self.computerdn, mod) + + spn_base = f'HOST/{self.computername}' + + not_allowed_spn = f'{spn_base}/{self.dcctx.get_domain_name()}' + + # Add a disallowed SPN as admin. + msg = Message(Dn(self.ldb_admin, self.computerdn)) + msg['servicePrincipalName'] = MessageElement(not_allowed_spn, + FLAG_MOD_ADD, + 'servicePrincipalName') + self.ldb_admin.modify(msg) + + # Ensure we are able to delete a disallowed SPN. + msg = Message(Dn(self.ldb_user1, self.computerdn)) + msg['servicePrincipalName'] = MessageElement(not_allowed_spn, + FLAG_MOD_DELETE, + 'servicePrincipalName') + try: + self.ldb_user1.modify(msg) + except LdbError: + self.fail(f'unable to delete disallowed SPN {not_allowed_spn}') + # Important unit running information -- 2.35.0 From dc663ecaa52bf68a42fd3392dc4db5f7c28f0b7d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Jun 2022 14:41:02 +1200 Subject: [PATCH 03/18] CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison LDB_FLAG_MOD_* values are not actually flags, and the previous comparison was equivalent to (req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0 which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct the expression to what it was probably intended to be. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- source4/dsdb/samdb/ldb_modules/partition.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c index f66ccab1dd5..0b20ad23e47 100644 --- a/source4/dsdb/samdb/ldb_modules/partition.c +++ b/source4/dsdb/samdb/ldb_modules/partition.c @@ -497,8 +497,8 @@ static int partition_copy_all_callback_action( * them here too */ for (el_idx=0; el_idx < req_msg->num_elements; el_idx++) { - if (req_msg->elements[el_idx].flags & LDB_FLAG_MOD_DELETE - || ((req_msg->elements[el_idx].flags & LDB_FLAG_MOD_REPLACE) && + if (LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags) == LDB_FLAG_MOD_DELETE + || ((LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags) == LDB_FLAG_MOD_REPLACE) && req_msg->elements[el_idx].num_values == 0)) { if (ldb_msg_find_element(modify_msg, req_msg->elements[el_idx].name) != NULL) { -- 2.35.0 From eb2aba7f14320fa4c2bf5e50462caa70175b94f2 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Jun 2022 14:49:51 +1200 Subject: [PATCH 04/18] CVE-2022-32746 s4:torture: Fix LDB flags comparison LDB_FLAG_MOD_* values are not actually flags, and the previous comparison was equivalent to (el->flags & LDB_FLAG_MOD_MASK) == 0 which is only true if none of the LDB_FLAG_MOD_* values are set. Correct the expression to what it was probably intended to be. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- source4/torture/drs/rpc/dssync.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/source4/torture/drs/rpc/dssync.c b/source4/torture/drs/rpc/dssync.c index 67fde7c2b61..d3fa6bf976e 100644 --- a/source4/torture/drs/rpc/dssync.c +++ b/source4/torture/drs/rpc/dssync.c @@ -525,7 +525,9 @@ static bool test_analyse_objects(struct torture_context *tctx, el = &new_msg->elements[idx]; a = dsdb_attribute_by_lDAPDisplayName(ldap_schema, el->name); - if (!(el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE))) { + if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD && + LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE) + { /* DRS only value */ is_warning = false; } else if (a->linkID & 1) { -- 2.35.0 From 8ebdcfb0088f392c84df63f1e8a0192b524e1fc2 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 21 Jun 2022 15:22:47 +1200 Subject: [PATCH 05/18] CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison LDB_FLAG_MOD_* values are not actually flags, and the previous comparison was equivalent to (el->flags & LDB_FLAG_MOD_MASK) == 0 which is only true if none of the LDB_FLAG_MOD_* values are set, so we would not successfully return if the element was a DELETE. Correct the expression to what it was intended to be. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- selftest/knownfail.d/acl-spn-delete | 1 - source4/dsdb/samdb/ldb_modules/acl.c | 5 +++-- 2 files changed, 3 insertions(+), 3 deletions(-) delete mode 100644 selftest/knownfail.d/acl-spn-delete diff --git a/selftest/knownfail.d/acl-spn-delete b/selftest/knownfail.d/acl-spn-delete deleted file mode 100644 index 32018413c49..00000000000 --- a/selftest/knownfail.d/acl-spn-delete +++ /dev/null @@ -1 +0,0 @@ -^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\( diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 71b3eaba2e4..decfdd2fc84 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -731,8 +731,9 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, * If not add or replace (eg delete), * return success */ - if ((el->flags - & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)) == 0) { + if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD && + LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE) + { talloc_free(tmp_ctx); return LDB_SUCCESS; } -- 2.35.0 From 48fe59b3dea88dedc74bf04e64edd2a6f1b9e6d5 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 16 Feb 2022 12:43:52 +1300 Subject: [PATCH 06/18] CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check Now unrelated flags will no longer affect the result. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- lib/ldb/modules/rdn_name.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ldb/modules/rdn_name.c b/lib/ldb/modules/rdn_name.c index e69ad9315ae..25cffe07591 100644 --- a/lib/ldb/modules/rdn_name.c +++ b/lib/ldb/modules/rdn_name.c @@ -545,7 +545,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req) if (e != NULL) { ldb_asprintf_errstring(ldb, "Modify of 'distinguishedName' on %s not permitted, must use 'rename' operation instead", ldb_dn_get_linearized(req->op.mod.message->dn)); - if (e->flags == LDB_FLAG_MOD_REPLACE) { + if (LDB_FLAG_MOD_TYPE(e->flags) == LDB_FLAG_MOD_REPLACE) { return LDB_ERR_CONSTRAINT_VIOLATION; } else { return LDB_ERR_UNWILLING_TO_PERFORM; -- 2.35.0 From be7ed575809ab83435f7610d84b80cd2c8067f5d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 14 Jun 2022 19:49:19 +1200 Subject: [PATCH 07/18] CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check Now unrelated flags will no longer affect the result. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index 681ee382ac4..9d159b2a00e 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -3544,7 +3544,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) return ldb_module_operr(module); } - if (req->op.mod.message->elements[0].flags != LDB_FLAG_MOD_REPLACE) { + if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[0].flags) != LDB_FLAG_MOD_REPLACE) { return ldb_module_operr(module); } @@ -3577,11 +3577,11 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) return ldb_module_operr(module); } - if (req->op.mod.message->elements[0].flags != LDB_FLAG_MOD_DELETE) { + if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[0].flags) != LDB_FLAG_MOD_DELETE) { return ldb_module_operr(module); } - if (req->op.mod.message->elements[1].flags != LDB_FLAG_MOD_ADD) { + if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[1].flags) != LDB_FLAG_MOD_ADD) { return ldb_module_operr(module); } @@ -3664,7 +3664,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) return ldb_module_operr(module); } - if (msg->elements[0].flags != LDB_FLAG_MOD_ADD) { + if (LDB_FLAG_MOD_TYPE(msg->elements[0].flags) != LDB_FLAG_MOD_ADD) { talloc_free(ac); return ldb_module_operr(module); } -- 2.35.0 From ef95ca302e593cff8ae1086eccfa68d87683988d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 14 Jun 2022 21:11:33 +1200 Subject: [PATCH 08/18] CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check Now unrelated flags will no longer affect the result. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c b/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c index 64e05195798..5f8911c66be 100644 --- a/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c +++ b/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c @@ -104,7 +104,7 @@ static bool is_tombstone_reanimate_request(struct ldb_request *req, if (el_dn == NULL) { return false; } - if (el_dn->flags != LDB_FLAG_MOD_REPLACE) { + if (LDB_FLAG_MOD_TYPE(el_dn->flags) != LDB_FLAG_MOD_REPLACE) { return false; } if (el_dn->num_values != 1) { @@ -117,7 +117,7 @@ static bool is_tombstone_reanimate_request(struct ldb_request *req, return false; } - if (el_deleted->flags != LDB_FLAG_MOD_DELETE) { + if (LDB_FLAG_MOD_TYPE(el_deleted->flags) != LDB_FLAG_MOD_DELETE) { return false; } -- 2.35.0 From 169d83bec6b17803c3e45a1b4d74a7c825e09c40 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 14 Jun 2022 21:12:39 +1200 Subject: [PATCH 09/18] CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check Now unrelated flags will no longer affect the result. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- source4/lib/registry/ldb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/lib/registry/ldb.c b/source4/lib/registry/ldb.c index 8bb6fd5c10f..969483d2f88 100644 --- a/source4/lib/registry/ldb.c +++ b/source4/lib/registry/ldb.c @@ -832,7 +832,7 @@ static WERROR ldb_set_value(struct hive_key *parent, /* Try first a "modify" and if this doesn't work do try an "add" */ for (i = 0; i < msg->num_elements; i++) { - if (msg->elements[i].flags != LDB_FLAG_MOD_DELETE) { + if (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) != LDB_FLAG_MOD_DELETE) { msg->elements[i].flags = LDB_FLAG_MOD_REPLACE; } } -- 2.35.0 From aa8fe8b1d3c16aa0c87ebf42155c8815deeddf74 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 21 Feb 2022 16:10:32 +1300 Subject: [PATCH 10/18] CVE-2022-32746 ldb: Add flag to mark message element values as shared When making a shallow copy of an ldb message, mark the message elements of the copy as sharing their values with the message elements in the original message. This flag value will be heeded in the next commit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- lib/ldb/common/ldb_msg.c | 43 +++++++++++++++++++++++++++++++----- lib/ldb/include/ldb_module.h | 6 +++++ 2 files changed, 43 insertions(+), 6 deletions(-) diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c index 2b5c3fc9348..a89bc8352d0 100644 --- a/lib/ldb/common/ldb_msg.c +++ b/lib/ldb/common/ldb_msg.c @@ -833,11 +833,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg) ldb_msg_element_compare_name); } -/* - shallow copy a message - copying only the elements array so that the caller - can safely add new elements without changing the message -*/ -struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, +static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx, const struct ldb_message *msg) { struct ldb_message *msg2; @@ -863,6 +859,35 @@ failed: return NULL; } +/* + shallow copy a message - copying only the elements array so that the caller + can safely add new elements without changing the message +*/ +struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, + const struct ldb_message *msg) +{ + struct ldb_message *msg2; + unsigned int i; + + msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg); + if (msg2 == NULL) { + return NULL; + } + + for (i = 0; i < msg2->num_elements; ++i) { + /* + * Mark this message's elements as sharing their values with the + * original message, so that we don't inadvertently modify or + * free them. We don't mark the original message element as + * shared, so the original message element should not be + * modified or freed while the shallow copy lives. + */ + struct ldb_message_element *el = &msg2->elements[i]; + el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES; + } + + return msg2; +} /* copy a message, allocating new memory for all parts @@ -873,7 +898,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, struct ldb_message *msg2; unsigned int i, j; - msg2 = ldb_msg_copy_shallow(mem_ctx, msg); + msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg); if (msg2 == NULL) return NULL; if (msg2->dn != NULL) { @@ -894,6 +919,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, goto failed; } } + + /* + * Since we copied this element's values, we can mark them as + * not shared. + */ + el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES; } return msg2; diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h index 8c47082690b..53551df4852 100644 --- a/lib/ldb/include/ldb_module.h +++ b/lib/ldb/include/ldb_module.h @@ -96,6 +96,12 @@ struct ldb_module; */ #define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100 +/* + * indicates that this element's values are shared with another element (for + * example, in a shallow copy of an ldb_message) and should not be freed + */ +#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200 + /* an extended match rule that always fails to match */ #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1" -- 2.35.0 From 3b0528a003dc654c80da609879a48bc628116d97 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 16 Feb 2022 12:35:13 +1300 Subject: [PATCH 11/18] CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message Using the newly added ldb flag, we can now detect when a message has been shallow-copied so that its elements share their values with the original message elements. Then when adding values to the copied message, we now make a copy of the shared values array first. This should prevent a use-after-free that occurred in LDB modules when new values were added to a shallow copy of a message by calling talloc_realloc() on the original values array, invalidating the 'values' pointer in the original message element. The original values pointer can later be used in the database audit logging module which logs database requests, and potentially cause a crash. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- lib/ldb/common/ldb_msg.c | 52 ++++++++++++++++++++++++++++++++------ lib/ldb/include/ldb.h | 6 +++++ source4/dsdb/common/util.c | 20 +++++---------- 3 files changed, 56 insertions(+), 22 deletions(-) diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c index a89bc8352d0..def26179eb1 100644 --- a/lib/ldb/common/ldb_msg.c +++ b/lib/ldb/common/ldb_msg.c @@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg, return LDB_SUCCESS; } +/* + * add a value to a message element + */ +int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx, + struct ldb_message_element *el, + const struct ldb_val *val) +{ + struct ldb_val *vals; + + if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) { + /* + * Another message is using this message element's values array, + * so we don't want to make any modifications to the original + * message, or potentially invalidate its own values by calling + * talloc_realloc(). Make a copy instead. + */ + el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES; + + vals = talloc_array(mem_ctx, struct ldb_val, + el->num_values + 1); + if (vals == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (el->values != NULL) { + memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val)); + } + } else { + vals = talloc_realloc(mem_ctx, el->values, struct ldb_val, + el->num_values + 1); + if (vals == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + el->values = vals; + el->values[el->num_values] = *val; + el->num_values++; + + return LDB_SUCCESS; +} + /* add a value to a message */ @@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg, struct ldb_message_element **return_el) { struct ldb_message_element *el; - struct ldb_val *vals; int ret; el = ldb_msg_find_element(msg, attr_name); @@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg, } } - vals = talloc_realloc(msg->elements, el->values, struct ldb_val, - el->num_values+1); - if (!vals) { - return LDB_ERR_OPERATIONS_ERROR; + ret = ldb_msg_element_add_value(msg->elements, el, val); + if (ret != LDB_SUCCESS) { + return ret; } - el->values = vals; - el->values[el->num_values] = *val; - el->num_values++; if (return_el) { *return_el = el; diff --git a/lib/ldb/include/ldb.h b/lib/ldb/include/ldb.h index a9120ebc405..a1ba897c100 100644 --- a/lib/ldb/include/ldb.h +++ b/lib/ldb/include/ldb.h @@ -1957,6 +1957,12 @@ int ldb_msg_add_empty(struct ldb_message *msg, int flags, struct ldb_message_element **return_el); +/** + add a value to a message element +*/ +int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx, + struct ldb_message_element *el, + const struct ldb_val *val); /** add a element to a ldb_message */ diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 36bfb42e45d..6135f68a753 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -832,7 +832,7 @@ int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, const char *value) { struct ldb_message_element *el; - struct ldb_val val, *vals; + struct ldb_val val; char *v; unsigned int i; bool found = false; @@ -867,14 +867,10 @@ int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, } } - vals = talloc_realloc(msg->elements, el->values, struct ldb_val, - el->num_values + 1); - if (vals == NULL) { + ret = ldb_msg_element_add_value(msg->elements, el, &val); + if (ret != LDB_SUCCESS) { return ldb_oom(sam_ldb); } - el->values = vals; - el->values[el->num_values] = val; - ++(el->num_values); return LDB_SUCCESS; } @@ -888,7 +884,7 @@ int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, const char *value) { struct ldb_message_element *el; - struct ldb_val val, *vals; + struct ldb_val val; char *v; unsigned int i; bool found = false; @@ -923,14 +919,10 @@ int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, } } - vals = talloc_realloc(msg->elements, el->values, struct ldb_val, - el->num_values + 1); - if (vals == NULL) { + ret = ldb_msg_element_add_value(msg->elements, el, &val); + if (ret != LDB_SUCCESS) { return ldb_oom(sam_ldb); } - el->values = vals; - el->values[el->num_values] = val; - ++(el->num_values); return LDB_SUCCESS; } -- 2.35.0 From a5765c295277c3b8414aa882000b6ac4341ba094 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 16 Feb 2022 16:30:03 +1300 Subject: [PATCH 12/18] CVE-2022-32746 ldb: Add functions for appending to an ldb_message Currently, there are many places where we use ldb_msg_add_empty() to add an empty element to a message, and then call ldb_msg_add_value() or similar to add values to that element. However, this performs an unnecessary search of the message's elements to locate the new element. Moreover, if an element with the same attribute name already exists earlier in the message, the values will be added to that element, instead of to the intended newly added element. A similar pattern exists where we add values to a message, and then call ldb_msg_find_element() to locate that message element and sets its flags to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary search, and may locate the wrong message element for setting the flags. To avoid these problems, add functions for appending a value to a message, so that a particular value can be added to the end of a message in a single operation. For ADD requests, it is important that no two message elements share the same attribute name, otherwise things will break. (Normally, ldb_msg_normalize() is called before processing the request to help ensure this.) Thus, we must be careful not to append an attribute to an ADD message, unless we are sure (e.g. through ldb_msg_find_element()) that an existing element for that attribute is not present. These functions will be used in the next commit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton --- lib/ldb/common/ldb_msg.c | 165 ++++++++++++++++++++++++++++++++++++++- lib/ldb/include/ldb.h | 24 ++++++ 2 files changed, 185 insertions(+), 4 deletions(-) diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c index def26179eb1..7a87c8414a0 100644 --- a/lib/ldb/common/ldb_msg.c +++ b/lib/ldb/common/ldb_msg.c @@ -509,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg, /* - add a string element to a message + add a string element to a message, specifying flags */ -int ldb_msg_add_string(struct ldb_message *msg, - const char *attr_name, const char *str) +int ldb_msg_add_string_flags(struct ldb_message *msg, + const char *attr_name, const char *str, + int flags) { struct ldb_val val; + int ret; + struct ldb_message_element *el = NULL; val.data = discard_const_p(uint8_t, str); val.length = strlen(str); @@ -524,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg, return LDB_SUCCESS; } - return ldb_msg_add_value(msg, attr_name, &val, NULL); + ret = ldb_msg_add_value(msg, attr_name, &val, &el); + if (ret != LDB_SUCCESS) { + return ret; + } + + if (flags != 0) { + el->flags = flags; + } + + return LDB_SUCCESS; +} + +/* + add a string element to a message +*/ +int ldb_msg_add_string(struct ldb_message *msg, + const char *attr_name, const char *str) +{ + return ldb_msg_add_string_flags(msg, attr_name, str, 0); } /* @@ -586,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg, return ldb_msg_add_steal_value(msg, attr_name, &val); } +static int ldb_msg_append_value_impl(struct ldb_message *msg, + const char *attr_name, + const struct ldb_val *val, + int flags, + struct ldb_message_element **return_el) +{ + struct ldb_message_element *el = NULL; + int ret; + + ret = ldb_msg_add_empty(msg, attr_name, flags, &el); + if (ret != LDB_SUCCESS) { + return ret; + } + + ret = ldb_msg_element_add_value(msg->elements, el, val); + if (ret != LDB_SUCCESS) { + return ret; + } + + if (return_el != NULL) { + *return_el = el; + } + + return LDB_SUCCESS; +} + +/* + append a value to a message +*/ +int ldb_msg_append_value(struct ldb_message *msg, + const char *attr_name, + const struct ldb_val *val, + int flags) +{ + return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL); +} + +/* + append a value to a message, stealing it into the 'right' place +*/ +int ldb_msg_append_steal_value(struct ldb_message *msg, + const char *attr_name, + struct ldb_val *val, + int flags) +{ + int ret; + struct ldb_message_element *el = NULL; + + ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el); + if (ret == LDB_SUCCESS) { + talloc_steal(el->values, val->data); + } + return ret; +} + +/* + append a string element to a message, stealing it into the 'right' place +*/ +int ldb_msg_append_steal_string(struct ldb_message *msg, + const char *attr_name, char *str, + int flags) +{ + struct ldb_val val; + + val.data = (uint8_t *)str; + val.length = strlen(str); + + if (val.length == 0) { + /* allow empty strings as non-existent attributes */ + return LDB_SUCCESS; + } + + return ldb_msg_append_steal_value(msg, attr_name, &val, flags); +} + +/* + append a string element to a message +*/ +int ldb_msg_append_string(struct ldb_message *msg, + const char *attr_name, const char *str, int flags) +{ + struct ldb_val val; + + val.data = discard_const_p(uint8_t, str); + val.length = strlen(str); + + if (val.length == 0) { + /* allow empty strings as non-existent attributes */ + return LDB_SUCCESS; + } + + return ldb_msg_append_value(msg, attr_name, &val, flags); +} + +/* + append a DN element to a message + WARNING: this uses the linearized string from the dn, and does not + copy the string. +*/ +int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name, + struct ldb_dn *dn, int flags) +{ + char *str = ldb_dn_alloc_linearized(msg, dn); + + if (str == NULL) { + /* we don't want to have unknown DNs added */ + return LDB_ERR_OPERATIONS_ERROR; + } + + return ldb_msg_append_steal_string(msg, attr_name, str, flags); +} + +/* + append a printf formatted element to a message +*/ +int ldb_msg_append_fmt(struct ldb_message *msg, int flags, + const char *attr_name, const char *fmt, ...) +{ + struct ldb_val val; + va_list ap; + char *str = NULL; + + va_start(ap, fmt); + str = talloc_vasprintf(msg, fmt, ap); + va_end(ap); + + if (str == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + val.data = (uint8_t *)str; + val.length = strlen(str); + + return ldb_msg_append_steal_value(msg, attr_name, &val, flags); +} + /* compare two ldb_message_element structures assumes case sensitive comparison diff --git a/lib/ldb/include/ldb.h b/lib/ldb/include/ldb.h index a1ba897c100..82d9186a32b 100644 --- a/lib/ldb/include/ldb.h +++ b/lib/ldb/include/ldb.h @@ -1978,12 +1978,36 @@ int ldb_msg_add_steal_value(struct ldb_message *msg, struct ldb_val *val); int ldb_msg_add_steal_string(struct ldb_message *msg, const char *attr_name, char *str); +int ldb_msg_add_string_flags(struct ldb_message *msg, + const char *attr_name, const char *str, + int flags); int ldb_msg_add_string(struct ldb_message *msg, const char *attr_name, const char *str); int ldb_msg_add_linearized_dn(struct ldb_message *msg, const char *attr_name, struct ldb_dn *dn); int ldb_msg_add_fmt(struct ldb_message *msg, const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(3,4); +/** + append a element to a ldb_message +*/ +int ldb_msg_append_value(struct ldb_message *msg, + const char *attr_name, + const struct ldb_val *val, + int flags); +int ldb_msg_append_steal_value(struct ldb_message *msg, + const char *attr_name, + struct ldb_val *val, + int flags); +int ldb_msg_append_steal_string(struct ldb_message *msg, + const char *attr_name, char *str, + int flags); +int ldb_msg_append_string(struct ldb_message *msg, + const char *attr_name, const char *str, + int flags); +int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name, + struct ldb_dn *dn, int flags); +int ldb_msg_append_fmt(struct ldb_message *msg, int flags, + const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(4,5); /** compare two message elements - return 0 on match -- 2.35.0 From 22c0f9470c5e43e0914e4e20cb2ab7893393bb5a Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 21 Feb 2022 16:27:37 +1300 Subject: [PATCH 13/18] CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message This aims to minimise usage of the error-prone pattern of searching for a just-added message element in order to make modifications to it (and potentially finding the wrong element). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton [jsutton@samba.org Fix conflict in source4/dns_server/dnsserver_common.c, due to having 'return' rather than 'goto exit'] --- lib/ldb/ldb_map/ldb_map.c | 5 +- lib/ldb/ldb_map/ldb_map_inbound.c | 9 +- lib/ldb/modules/rdn_name.c | 22 +--- source3/passdb/pdb_samba_dsdb.c | 14 +-- source4/dns_server/dnsserver_common.c | 11 +- source4/dsdb/common/util.c | 114 ++++++++++++++---- source4/dsdb/samdb/ldb_modules/descriptor.c | 10 +- source4/dsdb/samdb/ldb_modules/objectguid.c | 20 +-- .../dsdb/samdb/ldb_modules/partition_init.c | 14 +-- .../dsdb/samdb/ldb_modules/repl_meta_data.c | 24 +--- source4/dsdb/samdb/ldb_modules/samldb.c | 78 +++++------- .../samdb/ldb_modules/tombstone_reanimate.c | 12 +- source4/nbt_server/wins/winsdb.c | 13 +- source4/rpc_server/lsa/dcesrv_lsa.c | 55 +++------ source4/winbind/idmap.c | 10 +- 15 files changed, 183 insertions(+), 228 deletions(-) diff --git a/lib/ldb/ldb_map/ldb_map.c b/lib/ldb/ldb_map/ldb_map.c index b453dff80d2..c7b0c228631 100644 --- a/lib/ldb/ldb_map/ldb_map.c +++ b/lib/ldb/ldb_map/ldb_map.c @@ -946,10 +946,7 @@ struct ldb_request *map_build_fixup_req(struct map_context *ac, if ( ! dn || ! ldb_dn_validate(msg->dn)) { goto failed; } - if (ldb_msg_add_empty(msg, IS_MAPPED, LDB_FLAG_MOD_REPLACE, NULL) != 0) { - goto failed; - } - if (ldb_msg_add_string(msg, IS_MAPPED, dn) != 0) { + if (ldb_msg_append_string(msg, IS_MAPPED, dn, LDB_FLAG_MOD_REPLACE) != 0) { goto failed; } diff --git a/lib/ldb/ldb_map/ldb_map_inbound.c b/lib/ldb/ldb_map/ldb_map_inbound.c index 324295737da..50b9427c26c 100644 --- a/lib/ldb/ldb_map/ldb_map_inbound.c +++ b/lib/ldb/ldb_map/ldb_map_inbound.c @@ -569,12 +569,9 @@ static int map_modify_do_local(struct map_context *ac) /* No local record present, add it instead */ /* Add local 'IS_MAPPED' */ /* TODO: use GUIDs here instead */ - if (ldb_msg_add_empty(ac->local_msg, IS_MAPPED, - LDB_FLAG_MOD_ADD, NULL) != 0) { - return LDB_ERR_OPERATIONS_ERROR; - } - ret = ldb_msg_add_linearized_dn(ac->local_msg, IS_MAPPED, - ac->remote_req->op.mod.message->dn); + ret = ldb_msg_append_linearized_dn(ac->local_msg, IS_MAPPED, + ac->remote_req->op.mod.message->dn, + LDB_FLAG_MOD_ADD); if (ret != 0) { return LDB_ERR_OPERATIONS_ERROR; } diff --git a/lib/ldb/modules/rdn_name.c b/lib/ldb/modules/rdn_name.c index 25cffe07591..3cb62bf567b 100644 --- a/lib/ldb/modules/rdn_name.c +++ b/lib/ldb/modules/rdn_name.c @@ -308,16 +308,10 @@ static int rdn_rename_callback(struct ldb_request *req, struct ldb_reply *ares) } rdn_val = ldb_val_dup(msg, rdn_val_p); - if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) { + if (ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { goto error; } - if (ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL) != 0) { - goto error; - } - if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) { - goto error; - } - if (ldb_msg_add_value(msg, "name", &rdn_val, NULL) != 0) { + if (ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { goto error; } @@ -466,11 +460,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req) if (ret != 0) { return ldb_module_oom(module); } - ret = ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_ADD, NULL); - if (ret != 0) { - return ldb_module_oom(module); - } - ret = ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL); + ret = ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_ADD); if (ret != 0) { return ldb_module_oom(module); } @@ -479,11 +469,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req) if (ret != 0) { return ldb_module_oom(module); } - ret = ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_ADD, NULL); - if (ret != 0) { - return ldb_module_oom(module); - } - ret = ldb_msg_add_value(msg, "name", &rdn_val, NULL); + ret = ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_ADD); if (ret != 0) { return ldb_module_oom(module); } diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c index 0753d38b5f6..b8328e81106 100644 --- a/source3/passdb/pdb_samba_dsdb.c +++ b/source3/passdb/pdb_samba_dsdb.c @@ -2858,18 +2858,10 @@ static bool pdb_samba_dsdb_set_trusteddom_pw(struct pdb_methods *m, } msg->num_elements = 0; - ret = ldb_msg_add_empty(msg, "trustAuthOutgoing", - LDB_FLAG_MOD_REPLACE, NULL); + ret = ldb_msg_append_value(msg, "trustAuthOutgoing", + &new_val, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { - DEBUG(0, ("ldb_msg_add_empty() failed\n")); - TALLOC_FREE(tmp_ctx); - ldb_transaction_cancel(state->ldb); - return false; - } - ret = ldb_msg_add_value(msg, "trustAuthOutgoing", - &new_val, NULL); - if (ret != LDB_SUCCESS) { - DEBUG(0, ("ldb_msg_add_value() failed\n")); + DEBUG(0, ("ldb_msg_append_value() failed\n")); TALLOC_FREE(tmp_ctx); ldb_transaction_cancel(state->ldb); return false; diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c index 31641c832c8..bed7a767267 100644 --- a/source4/dns_server/dnsserver_common.c +++ b/source4/dns_server/dnsserver_common.c @@ -1040,14 +1040,9 @@ WERROR dns_common_replace(struct ldb_context *samdb, } if (was_tombstoned || become_tombstoned) { - ret = ldb_msg_add_empty(msg, "dNSTombstoned", - LDB_FLAG_MOD_REPLACE, NULL); - if (ret != LDB_SUCCESS) { - return DNS_ERR(SERVER_FAILURE); - } - - ret = ldb_msg_add_fmt(msg, "dNSTombstoned", "%s", - become_tombstoned ? "TRUE" : "FALSE"); + ret = ldb_msg_append_fmt(msg, LDB_FLAG_MOD_REPLACE, + "dNSTombstoned", "%s", + become_tombstoned ? "TRUE" : "FALSE"); if (ret != LDB_SUCCESS) { return DNS_ERR(SERVER_FAILURE); } diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 6135f68a753..39e8175c40c 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -940,6 +940,16 @@ int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct l return ldb_msg_add_string(msg, attr_name, s); } +int samdb_msg_add_int_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr_name, int v, int flags) +{ + const char *s = talloc_asprintf(mem_ctx, "%d", v); + if (s == NULL) { + return ldb_oom(sam_ldb); + } + return ldb_msg_add_string_flags(msg, attr_name, s, flags); +} + /* * Add an unsigned int element to a message * @@ -958,6 +968,12 @@ int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, (int)v); } +int samdb_msg_add_uint_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr_name, unsigned int v, int flags) +{ + return samdb_msg_add_int_flags(sam_ldb, mem_ctx, msg, attr_name, (int)v, flags); +} + /* add a (signed) int64_t element to a message */ @@ -989,6 +1005,68 @@ int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struc return samdb_msg_add_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v); } +/* + append a int element to a message +*/ +int samdb_msg_append_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr_name, int v, int flags) +{ + const char *s = talloc_asprintf(mem_ctx, "%d", v); + if (s == NULL) { + return ldb_oom(sam_ldb); + } + return ldb_msg_append_string(msg, attr_name, s, flags); +} + +/* + * Append an unsigned int element to a message + * + * The issue here is that we have not yet first cast to int32_t explicitly, + * before we cast to an signed int to printf() into the %d or cast to a + * int64_t before we then cast to a long long to printf into a %lld. + * + * There are *no* unsigned integers in Active Directory LDAP, even the RID + * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. + * (See the schema, and the syntax definitions in schema_syntax.c). + * + */ +int samdb_msg_append_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr_name, unsigned int v, int flags) +{ + return samdb_msg_append_int(sam_ldb, mem_ctx, msg, attr_name, (int)v, flags); +} + +/* + append a (signed) int64_t element to a message +*/ +int samdb_msg_append_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr_name, int64_t v, int flags) +{ + const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v); + if (s == NULL) { + return ldb_oom(sam_ldb); + } + return ldb_msg_append_string(msg, attr_name, s, flags); +} + +/* + * Append an unsigned int64_t (uint64_t) element to a message + * + * The issue here is that we have not yet first cast to int32_t explicitly, + * before we cast to an signed int to printf() into the %d or cast to a + * int64_t before we then cast to a long long to printf into a %lld. + * + * There are *no* unsigned integers in Active Directory LDAP, even the RID + * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. + * (See the schema, and the syntax definitions in schema_syntax.c). + * + */ +int samdb_msg_append_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char *attr_name, uint64_t v, int flags) +{ + return samdb_msg_append_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v, flags); +} + /* add a samr_Password element to a message */ @@ -2813,15 +2891,8 @@ NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, tdo_msg->num_elements = 0; TALLOC_FREE(tdo_msg->elements); - ret = ldb_msg_add_empty(tdo_msg, "trustAuthIncoming", - LDB_FLAG_MOD_REPLACE, NULL); - if (ret != LDB_SUCCESS) { - ldb_transaction_cancel(ldb); - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } - ret = ldb_msg_add_value(tdo_msg, "trustAuthIncoming", - &new_val, NULL); + ret = ldb_msg_append_value(tdo_msg, "trustAuthIncoming", + &new_val, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { ldb_transaction_cancel(ldb); TALLOC_FREE(frame); @@ -3181,6 +3252,7 @@ int dsdb_find_guid_by_dn(struct ldb_context *ldb, /* adds the given GUID to the given ldb_message. This value is added for the given attr_name (may be either "objectGUID" or "parentGUID"). + This function is used in processing 'add' requests. */ int dsdb_msg_add_guid(struct ldb_message *msg, struct GUID *guid, @@ -5675,7 +5747,8 @@ int dsdb_user_obj_set_defaults(struct ldb_context *ldb, } /** - * Sets 'sAMAccountType on user object based on userAccountControl + * Sets 'sAMAccountType on user object based on userAccountControl. + * This function is used in processing both 'add' and 'modify' requests. * @param ldb Current ldb_context * @param usr_obj ldb_message representing User object * @param user_account_control Value for userAccountControl flags @@ -5687,21 +5760,19 @@ int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message * { int ret; uint32_t account_type; - struct ldb_message_element *el; account_type = ds_uf2atype(user_account_control); if (account_type == 0) { ldb_set_errstring(ldb, "dsdb: Unrecognized account type!"); return LDB_ERR_UNWILLING_TO_PERFORM; } - ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj, - "sAMAccountType", - account_type); + ret = samdb_msg_add_uint_flags(ldb, usr_obj, usr_obj, + "sAMAccountType", + account_type, + LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(usr_obj, "sAMAccountType"); - el->flags = LDB_FLAG_MOD_REPLACE; if (account_type_p) { *account_type_p = account_type; @@ -5711,7 +5782,8 @@ int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message * } /** - * Determine and set primaryGroupID based on userAccountControl value + * Determine and set primaryGroupID based on userAccountControl value. + * This function is used in processing both 'add' and 'modify' requests. * @param ldb Current ldb_context * @param usr_obj ldb_message representing User object * @param user_account_control Value for userAccountControl flags @@ -5723,17 +5795,15 @@ int dsdb_user_obj_set_primary_group_id(struct ldb_context *ldb, struct ldb_messa { int ret; uint32_t rid; - struct ldb_message_element *el; rid = ds_uf2prim_group_rid(user_account_control); - ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj, - "primaryGroupID", rid); + ret = samdb_msg_add_uint_flags(ldb, usr_obj, usr_obj, + "primaryGroupID", rid, + LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(usr_obj, "primaryGroupID"); - el->flags = LDB_FLAG_MOD_REPLACE; if (group_rid_p) { *group_rid_p = rid; diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c index daa08c2ebc7..4b01961dcb0 100644 --- a/source4/dsdb/samdb/ldb_modules/descriptor.c +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c @@ -857,14 +857,8 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req) return ldb_module_done(req, NULL, NULL, LDB_SUCCESS); } - ret = ldb_msg_add_empty(msg, "nTSecurityDescriptor", - LDB_FLAG_MOD_REPLACE, - &sd_element); - if (ret != LDB_SUCCESS) { - return ldb_oom(ldb); - } - ret = ldb_msg_add_value(msg, "nTSecurityDescriptor", - sd, NULL); + ret = ldb_msg_append_value(msg, "nTSecurityDescriptor", + sd, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ldb_oom(ldb); } diff --git a/source4/dsdb/samdb/ldb_modules/objectguid.c b/source4/dsdb/samdb/ldb_modules/objectguid.c index bc3260cf0d8..0fe995a5763 100644 --- a/source4/dsdb/samdb/ldb_modules/objectguid.c +++ b/source4/dsdb/samdb/ldb_modules/objectguid.c @@ -41,7 +41,6 @@ */ static int add_time_element(struct ldb_message *msg, const char *attr, time_t t) { - struct ldb_message_element *el; char *s; int ret; @@ -54,16 +53,13 @@ static int add_time_element(struct ldb_message *msg, const char *attr, time_t t) return LDB_ERR_OPERATIONS_ERROR; } - ret = ldb_msg_add_string(msg, attr, s); + /* always set as replace. This works because on add ops, the flag + is ignored */ + ret = ldb_msg_append_string(msg, attr, s, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(msg, attr); - /* always set as replace. This works because on add ops, the flag - is ignored */ - el->flags = LDB_FLAG_MOD_REPLACE; - return LDB_SUCCESS; } @@ -73,23 +69,19 @@ static int add_time_element(struct ldb_message *msg, const char *attr, time_t t) static int add_uint64_element(struct ldb_context *ldb, struct ldb_message *msg, const char *attr, uint64_t v) { - struct ldb_message_element *el; int ret; if (ldb_msg_find_element(msg, attr) != NULL) { return LDB_SUCCESS; } - ret = samdb_msg_add_uint64(ldb, msg, msg, attr, v); + /* always set as replace. This works because on add ops, the flag + is ignored */ + ret = samdb_msg_append_uint64(ldb, msg, msg, attr, v, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(msg, attr); - /* always set as replace. This works because on add ops, the flag - is ignored */ - el->flags = LDB_FLAG_MOD_REPLACE; - return LDB_SUCCESS; } diff --git a/source4/dsdb/samdb/ldb_modules/partition_init.c b/source4/dsdb/samdb/ldb_modules/partition_init.c index 9a8bb7e211d..39e113c7775 100644 --- a/source4/dsdb/samdb/ldb_modules/partition_init.c +++ b/source4/dsdb/samdb/ldb_modules/partition_init.c @@ -745,10 +745,6 @@ int partition_create(struct ldb_module *module, struct ldb_request *req) } mod_msg->dn = ldb_dn_new(mod_msg, ldb, DSDB_PARTITION_DN); - ret = ldb_msg_add_empty(mod_msg, DSDB_PARTITION_ATTR, LDB_FLAG_MOD_ADD, NULL); - if (ret != LDB_SUCCESS) { - return ret; - } casefold_dn = ldb_dn_get_casefold(dn); @@ -788,18 +784,16 @@ int partition_create(struct ldb_module *module, struct ldb_request *req) } partition_record = talloc_asprintf(mod_msg, "%s:%s", casefold_dn, filename); - ret = ldb_msg_add_steal_string(mod_msg, DSDB_PARTITION_ATTR, partition_record); + ret = ldb_msg_append_steal_string(mod_msg, DSDB_PARTITION_ATTR, partition_record, + LDB_FLAG_MOD_ADD); if (ret != LDB_SUCCESS) { return ret; } if (ldb_request_get_control(req, DSDB_CONTROL_PARTIAL_REPLICA)) { /* this new partition is a partial replica */ - ret = ldb_msg_add_empty(mod_msg, "partialReplica", LDB_FLAG_MOD_ADD, NULL); - if (ret != LDB_SUCCESS) { - return ret; - } - ret = ldb_msg_add_fmt(mod_msg, "partialReplica", "%s", ldb_dn_get_linearized(dn)); + ret = ldb_msg_append_fmt(mod_msg, LDB_FLAG_MOD_ADD, + "partialReplica", "%s", ldb_dn_get_linearized(dn)); if (ret != LDB_SUCCESS) { return ret; } diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index 9d159b2a00e..2af4c36cfc0 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -3907,22 +3907,12 @@ static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *are ldb_operr(ldb)); } - if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) { + if (ldb_msg_append_value(msg, rdn_name, rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { talloc_free(ares); return ldb_module_done(ac->req, NULL, NULL, ldb_oom(ldb)); } - if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) { - talloc_free(ares); - return ldb_module_done(ac->req, NULL, NULL, - ldb_oom(ldb)); - } - if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) { - talloc_free(ares); - return ldb_module_done(ac->req, NULL, NULL, - ldb_oom(ldb)); - } - if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) { + if (ldb_msg_append_value(msg, "name", rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { talloc_free(ares); return ldb_module_done(ac->req, NULL, NULL, ldb_oom(ldb)); @@ -5081,16 +5071,10 @@ static int replmd_name_modify(struct replmd_replicated_request *ar, goto failed; } - if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) { + if (ldb_msg_append_value(msg, rdn_name, rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { goto failed; } - if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) { - goto failed; - } - if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) { - goto failed; - } - if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) { + if (ldb_msg_append_value(msg, "name", rdn_val, LDB_FLAG_MOD_REPLACE) != 0) { goto failed; } diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index ba71bea98e4..7dbf484af1a 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -1100,14 +1100,11 @@ static int samldb_rodc_add(struct samldb_ctx *ac) return LDB_ERR_OTHER; found: - ret = ldb_msg_add_empty(ac->msg, "msDS-SecondaryKrbTgtNumber", - LDB_FLAG_INTERNAL_DISABLE_VALIDATION, NULL); - if (ret != LDB_SUCCESS) { - return ldb_operr(ldb); - } - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "msDS-SecondaryKrbTgtNumber", krbtgt_number); + ldb_msg_remove_attr(ac->msg, "msDS-SecondaryKrbTgtNumber"); + ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg, + "msDS-SecondaryKrbTgtNumber", krbtgt_number, + LDB_FLAG_INTERNAL_DISABLE_VALIDATION); if (ret != LDB_SUCCESS) { return ldb_operr(ldb); } @@ -1789,7 +1786,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) struct ldb_context *ldb = ldb_module_get_ctx(ac->module); void *skip_allocate_sids = ldb_get_opaque(ldb, "skip_allocate_sids"); - struct ldb_message_element *el, *el2; + struct ldb_message_element *el; struct dom_sid *sid; int ret; @@ -1923,23 +1920,17 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) /* "isCriticalSystemObject" might be set */ if (user_account_control & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) { - ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", - "TRUE"); + ret = ldb_msg_add_string_flags(ac->msg, "isCriticalSystemObject", + "TRUE", LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el2 = ldb_msg_find_element(ac->msg, - "isCriticalSystemObject"); - el2->flags = LDB_FLAG_MOD_REPLACE; } else if (user_account_control & UF_WORKSTATION_TRUST_ACCOUNT) { - ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", - "FALSE"); + ret = ldb_msg_add_string_flags(ac->msg, "isCriticalSystemObject", + "FALSE", LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el2 = ldb_msg_find_element(ac->msg, - "isCriticalSystemObject"); - el2->flags = LDB_FLAG_MOD_REPLACE; } /* Step 1.4: "userAccountControl" -> "primaryGroupID" mapping */ @@ -2015,14 +2006,13 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); return LDB_ERR_UNWILLING_TO_PERFORM; } - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "sAMAccountType", - account_type); + ret = samdb_msg_add_uint_flags(ldb, ac->msg, ac->msg, + "sAMAccountType", + account_type, + LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el2 = ldb_msg_find_element(ac->msg, "sAMAccountType"); - el2->flags = LDB_FLAG_MOD_REPLACE; } break; } @@ -2940,26 +2930,23 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) } if (old_atype != new_atype) { - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "sAMAccountType", new_atype); + ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg, + "sAMAccountType", new_atype, + LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(ac->msg, "sAMAccountType"); - el->flags = LDB_FLAG_MOD_REPLACE; } /* As per MS-SAMR 3.1.1.8.10 these flags have not to be set */ if ((clear_uac & UF_LOCKOUT) && (old_lockoutTime != 0)) { /* "lockoutTime" reset as per MS-SAMR 3.1.1.8.10 */ ldb_msg_remove_attr(ac->msg, "lockoutTime"); - ret = samdb_msg_add_uint64(ldb, ac->msg, ac->msg, "lockoutTime", - (NTTIME)0); + ret = samdb_msg_append_uint64(ldb, ac->msg, ac->msg, "lockoutTime", + (NTTIME)0, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(ac->msg, "lockoutTime"); - el->flags = LDB_FLAG_MOD_REPLACE; } /* @@ -2970,14 +2957,12 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) * creating the attribute. */ if (old_is_critical != new_is_critical || old_atype != new_atype) { - ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject", - new_is_critical ? "TRUE": "FALSE"); + ret = ldb_msg_append_string(ac->msg, "isCriticalSystemObject", + new_is_critical ? "TRUE": "FALSE", + LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(ac->msg, - "isCriticalSystemObject"); - el->flags = LDB_FLAG_MOD_REPLACE; } if (!ldb_msg_find_element(ac->msg, "primaryGroupID") && @@ -2990,14 +2975,12 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac) } } - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, - "primaryGroupID", new_pgrid); + ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg, + "primaryGroupID", new_pgrid, + LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(ac->msg, - "primaryGroupID"); - el->flags = LDB_FLAG_MOD_REPLACE; } /* Propagate eventual "userAccountControl" attribute changes */ @@ -3200,13 +3183,12 @@ static int samldb_lockout_time(struct samldb_ctx *ac) /* lockoutTime == 0 resets badPwdCount */ ldb_msg_remove_attr(ac->msg, "badPwdCount"); - ret = samdb_msg_add_int(ldb, ac->msg, ac->msg, - "badPwdCount", 0); + ret = samdb_msg_append_int(ldb, ac->msg, ac->msg, + "badPwdCount", 0, + LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(ac->msg, "badPwdCount"); - el->flags = LDB_FLAG_MOD_REPLACE; return LDB_SUCCESS; } @@ -3304,13 +3286,11 @@ static int samldb_group_type_change(struct samldb_ctx *ac) ldb_set_errstring(ldb, "samldb: Unrecognized account type!"); return LDB_ERR_UNWILLING_TO_PERFORM; } - ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType", - account_type); + ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg, "sAMAccountType", + account_type, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(ac->msg, "sAMAccountType"); - el->flags = LDB_FLAG_MOD_REPLACE; return LDB_SUCCESS; } diff --git a/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c b/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c index 5f8911c66be..99c5955e9e7 100644 --- a/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c +++ b/source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c @@ -294,14 +294,13 @@ static int tr_prepare_attributes(struct tr_context *ac) return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "reanimate: Unrecognized account type!"); } - ret = samdb_msg_add_uint(ldb, ac->mod_msg, ac->mod_msg, - "sAMAccountType", account_type); + ret = samdb_msg_append_uint(ldb, ac->mod_msg, ac->mod_msg, + "sAMAccountType", account_type, + LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "reanimate: Failed to add sAMAccountType to restored object."); } - el = ldb_msg_find_element(ac->mod_msg, "sAMAccountType"); - el->flags = LDB_FLAG_MOD_REPLACE; /* Default values set by Windows */ ret = samdb_find_or_add_attribute(ldb, ac->mod_msg, @@ -324,12 +323,11 @@ static int tr_prepare_attributes(struct tr_context *ac) return ret; } - ret = ldb_msg_add_string(ac->mod_msg, "objectCategory", value); + ret = ldb_msg_append_string(ac->mod_msg, "objectCategory", value, + LDB_FLAG_MOD_ADD); if (ret != LDB_SUCCESS) { return ret; } - el = ldb_msg_find_element(ac->mod_msg, "objectCategory"); - el->flags = LDB_FLAG_MOD_ADD; } return LDB_SUCCESS; diff --git a/source4/nbt_server/wins/winsdb.c b/source4/nbt_server/wins/winsdb.c index fa9a6154b9a..da877d0d277 100644 --- a/source4/nbt_server/wins/winsdb.c +++ b/source4/nbt_server/wins/winsdb.c @@ -99,13 +99,11 @@ uint64_t winsdb_set_maxVersion(struct winsdb_handle *h, uint64_t newMaxVersion) msg->dn = dn; - ret = ldb_msg_add_empty(msg, "objectClass", LDB_FLAG_MOD_REPLACE, NULL); + ret = ldb_msg_append_string(msg, "objectClass", "winsMaxVersion", + LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) goto failed; - ret = ldb_msg_add_string(msg, "objectClass", "winsMaxVersion"); - if (ret != LDB_SUCCESS) goto failed; - ret = ldb_msg_add_empty(msg, "maxVersion", LDB_FLAG_MOD_REPLACE, NULL); - if (ret != LDB_SUCCESS) goto failed; - ret = ldb_msg_add_fmt(msg, "maxVersion", "%llu", (long long)newMaxVersion); + ret = ldb_msg_append_fmt(msg, LDB_FLAG_MOD_REPLACE, + "maxVersion", "%llu", (long long)newMaxVersion); if (ret != LDB_SUCCESS) goto failed; ret = ldb_modify(wins_db, msg); @@ -765,8 +763,7 @@ static struct ldb_message *winsdb_message(struct ldb_context *ldb, ret |= ldb_msg_add_winsdb_addr(msg, rec, "address", rec->addresses[i]); } if (rec->registered_by) { - ret |= ldb_msg_add_empty(msg, "registeredBy", 0, NULL); - ret |= ldb_msg_add_string(msg, "registeredBy", rec->registered_by); + ret |= ldb_msg_append_string(msg, "registeredBy", rec->registered_by, 0); } if (ret != LDB_SUCCESS) goto failed; return msg; diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index cbbd9f482f2..42aac8b312e 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -1718,12 +1718,7 @@ static NTSTATUS update_uint32_t_value(TALLOC_CTX *mem_ctx, goto done; } - ret = ldb_msg_add_empty(dest, attribute, flags, NULL); - if (ret != LDB_SUCCESS) { - return NT_STATUS_NO_MEMORY; - } - - ret = samdb_msg_add_uint(sam_ldb, dest, dest, attribute, value); + ret = samdb_msg_append_uint(sam_ldb, dest, dest, attribute, value, flags); if (ret != LDB_SUCCESS) { return NT_STATUS_NO_MEMORY; } @@ -1814,13 +1809,7 @@ static NTSTATUS update_trust_user(TALLOC_CTX *mem_ctx, continue; } - ret = ldb_msg_add_empty(msg, attribute, - LDB_FLAG_MOD_REPLACE, NULL); - if (ret != LDB_SUCCESS) { - return NT_STATUS_NO_MEMORY; - } - - ret = ldb_msg_add_value(msg, attribute, &v, NULL); + ret = ldb_msg_append_value(msg, attribute, &v, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { return NT_STATUS_NO_MEMORY; } @@ -2106,28 +2095,30 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call, } if (add_incoming || del_incoming) { - ret = ldb_msg_add_empty(msg, "trustAuthIncoming", - LDB_FLAG_MOD_REPLACE, NULL); - if (ret != LDB_SUCCESS) { - return NT_STATUS_NO_MEMORY; - } if (add_incoming) { - ret = ldb_msg_add_value(msg, "trustAuthIncoming", - &trustAuthIncoming, NULL); + ret = ldb_msg_append_value(msg, "trustAuthIncoming", + &trustAuthIncoming, LDB_FLAG_MOD_REPLACE); + if (ret != LDB_SUCCESS) { + return NT_STATUS_NO_MEMORY; + } + } else { + ret = ldb_msg_add_empty(msg, "trustAuthIncoming", + LDB_FLAG_MOD_REPLACE, NULL); if (ret != LDB_SUCCESS) { return NT_STATUS_NO_MEMORY; } } } if (add_outgoing || del_outgoing) { - ret = ldb_msg_add_empty(msg, "trustAuthOutgoing", - LDB_FLAG_MOD_REPLACE, NULL); - if (ret != LDB_SUCCESS) { - return NT_STATUS_NO_MEMORY; - } if (add_outgoing) { - ret = ldb_msg_add_value(msg, "trustAuthOutgoing", - &trustAuthOutgoing, NULL); + ret = ldb_msg_append_value(msg, "trustAuthOutgoing", + &trustAuthOutgoing, LDB_FLAG_MOD_REPLACE); + if (ret != LDB_SUCCESS) { + return NT_STATUS_NO_MEMORY; + } + } else { + ret = ldb_msg_add_empty(msg, "trustAuthOutgoing", + LDB_FLAG_MOD_REPLACE, NULL); if (ret != LDB_SUCCESS) { return NT_STATUS_NO_MEMORY; } @@ -4573,14 +4564,8 @@ static NTSTATUS dcesrv_lsa_lsaRSetForestTrustInformation(struct dcesrv_call_stat goto done; } - ret = ldb_msg_add_empty(msg, "msDS-TrustForestTrustInfo", - LDB_FLAG_MOD_REPLACE, NULL); - if (ret != LDB_SUCCESS) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - ret = ldb_msg_add_value(msg, "msDS-TrustForestTrustInfo", - &ft_blob, NULL); + ret = ldb_msg_append_value(msg, "msDS-TrustForestTrustInfo", + &ft_blob, LDB_FLAG_MOD_REPLACE); if (ret != LDB_SUCCESS) { status = NT_STATUS_NO_MEMORY; goto done; diff --git a/source4/winbind/idmap.c b/source4/winbind/idmap.c index c944132ee76..9ba2f53363f 100644 --- a/source4/winbind/idmap.c +++ b/source4/winbind/idmap.c @@ -672,14 +672,8 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx, vals[1].data = (uint8_t *)hwm_string; vals[1].length = strlen(hwm_string); } else { - ret = ldb_msg_add_empty(hwm_msg, "xidNumber", LDB_FLAG_MOD_ADD, - NULL); - if (ret != LDB_SUCCESS) { - status = NT_STATUS_NONE_MAPPED; - goto failed; - } - - ret = ldb_msg_add_string(hwm_msg, "xidNumber", hwm_string); + ret = ldb_msg_append_string(hwm_msg, "xidNumber", hwm_string, + LDB_FLAG_MOD_ADD); if (ret != LDB_SUCCESS) { status = NT_STATUS_NONE_MAPPED; -- 2.35.0 From e2d2c5a798f04fa336801121c0b3c8606a78a009 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 14 Jun 2022 15:43:26 +1200 Subject: [PATCH 14/18] CVE-2022-32746 ldb: Release LDB 1.5.9 * CVE-2022-32746 Use-after-free occurring in database audit logging module (bug 15009) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Andrew Bartlett --- lib/ldb/ABI/ldb-1.5.9.sigs | 289 ++++++++++++++++++++++++++ lib/ldb/ABI/pyldb-util-1.5.9.sigs | 2 + lib/ldb/ABI/pyldb-util.py3-1.5.9.sigs | 2 + lib/ldb/wscript | 2 +- 4 files changed, 294 insertions(+), 1 deletion(-) create mode 100644 lib/ldb/ABI/ldb-1.5.9.sigs create mode 100644 lib/ldb/ABI/pyldb-util-1.5.9.sigs create mode 100644 lib/ldb/ABI/pyldb-util.py3-1.5.9.sigs diff --git a/lib/ldb/ABI/ldb-1.5.9.sigs b/lib/ldb/ABI/ldb-1.5.9.sigs new file mode 100644 index 00000000000..0861f360ff1 --- /dev/null +++ b/lib/ldb/ABI/ldb-1.5.9.sigs @@ -0,0 +1,289 @@ +ldb_add: int (struct ldb_context *, const struct ldb_message *) +ldb_any_comparison: int (struct ldb_context *, void *, ldb_attr_handler_t, const struct ldb_val *, const struct ldb_val *) +ldb_asprintf_errstring: void (struct ldb_context *, const char *, ...) +ldb_attr_casefold: char *(TALLOC_CTX *, const char *) +ldb_attr_dn: int (const char *) +ldb_attr_in_list: int (const char * const *, const char *) +ldb_attr_list_copy: const char **(TALLOC_CTX *, const char * const *) +ldb_attr_list_copy_add: const char **(TALLOC_CTX *, const char * const *, const char *) +ldb_base64_decode: int (char *) +ldb_base64_encode: char *(TALLOC_CTX *, const char *, int) +ldb_binary_decode: struct ldb_val (TALLOC_CTX *, const char *) +ldb_binary_encode: char *(TALLOC_CTX *, struct ldb_val) +ldb_binary_encode_string: char *(TALLOC_CTX *, const char *) +ldb_build_add_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_del_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_extended_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const char *, void *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_mod_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_rename_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_search_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, const char *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_search_req_ex: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, struct ldb_parse_tree *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_casefold: char *(struct ldb_context *, TALLOC_CTX *, const char *, size_t) +ldb_casefold_default: char *(void *, TALLOC_CTX *, const char *, size_t) +ldb_check_critical_controls: int (struct ldb_control **) +ldb_comparison_binary: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *) +ldb_comparison_fold: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *) +ldb_connect: int (struct ldb_context *, const char *, unsigned int, const char **) +ldb_control_to_string: char *(TALLOC_CTX *, const struct ldb_control *) +ldb_controls_except_specified: struct ldb_control **(struct ldb_control **, TALLOC_CTX *, struct ldb_control *) +ldb_debug: void (struct ldb_context *, enum ldb_debug_level, const char *, ...) +ldb_debug_add: void (struct ldb_context *, const char *, ...) +ldb_debug_end: void (struct ldb_context *, enum ldb_debug_level) +ldb_debug_set: void (struct ldb_context *, enum ldb_debug_level, const char *, ...) +ldb_delete: int (struct ldb_context *, struct ldb_dn *) +ldb_dn_add_base: bool (struct ldb_dn *, struct ldb_dn *) +ldb_dn_add_base_fmt: bool (struct ldb_dn *, const char *, ...) +ldb_dn_add_child: bool (struct ldb_dn *, struct ldb_dn *) +ldb_dn_add_child_fmt: bool (struct ldb_dn *, const char *, ...) +ldb_dn_add_child_val: bool (struct ldb_dn *, const char *, struct ldb_val) +ldb_dn_alloc_casefold: char *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_alloc_linearized: char *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_canonical_ex_string: char *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_canonical_string: char *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_check_local: bool (struct ldb_module *, struct ldb_dn *) +ldb_dn_check_special: bool (struct ldb_dn *, const char *) +ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *) +ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *) +ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val) +ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const struct ldb_dn_extended_syntax *) +ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *) +ldb_dn_extended_syntax_by_name: const struct ldb_dn_extended_syntax *(struct ldb_context *, const char *) +ldb_dn_from_ldb_val: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const struct ldb_val *) +ldb_dn_get_casefold: const char *(struct ldb_dn *) +ldb_dn_get_comp_num: int (struct ldb_dn *) +ldb_dn_get_component_name: const char *(struct ldb_dn *, unsigned int) +ldb_dn_get_component_val: const struct ldb_val *(struct ldb_dn *, unsigned int) +ldb_dn_get_extended_comp_num: int (struct ldb_dn *) +ldb_dn_get_extended_component: const struct ldb_val *(struct ldb_dn *, const char *) +ldb_dn_get_extended_linearized: char *(TALLOC_CTX *, struct ldb_dn *, int) +ldb_dn_get_ldb_context: struct ldb_context *(struct ldb_dn *) +ldb_dn_get_linearized: const char *(struct ldb_dn *) +ldb_dn_get_parent: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_get_rdn_name: const char *(struct ldb_dn *) +ldb_dn_get_rdn_val: const struct ldb_val *(struct ldb_dn *) +ldb_dn_has_extended: bool (struct ldb_dn *) +ldb_dn_is_null: bool (struct ldb_dn *) +ldb_dn_is_special: bool (struct ldb_dn *) +ldb_dn_is_valid: bool (struct ldb_dn *) +ldb_dn_map_local: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) +ldb_dn_map_rebase_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) +ldb_dn_map_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) +ldb_dn_minimise: bool (struct ldb_dn *) +ldb_dn_new: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *) +ldb_dn_new_fmt: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *, ...) +ldb_dn_remove_base_components: bool (struct ldb_dn *, unsigned int) +ldb_dn_remove_child_components: bool (struct ldb_dn *, unsigned int) +ldb_dn_remove_extended_components: void (struct ldb_dn *) +ldb_dn_replace_components: bool (struct ldb_dn *, struct ldb_dn *) +ldb_dn_set_component: int (struct ldb_dn *, int, const char *, const struct ldb_val) +ldb_dn_set_extended_component: int (struct ldb_dn *, const char *, const struct ldb_val *) +ldb_dn_update_components: int (struct ldb_dn *, const struct ldb_dn *) +ldb_dn_validate: bool (struct ldb_dn *) +ldb_dump_results: void (struct ldb_context *, struct ldb_result *, FILE *) +ldb_error_at: int (struct ldb_context *, int, const char *, const char *, int) +ldb_errstring: const char *(struct ldb_context *) +ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) +ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) +ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) +ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) +ldb_get_create_perms: unsigned int (struct ldb_context *) +ldb_get_default_basedn: struct ldb_dn *(struct ldb_context *) +ldb_get_event_context: struct tevent_context *(struct ldb_context *) +ldb_get_flags: unsigned int (struct ldb_context *) +ldb_get_opaque: void *(struct ldb_context *, const char *) +ldb_get_root_basedn: struct ldb_dn *(struct ldb_context *) +ldb_get_schema_basedn: struct ldb_dn *(struct ldb_context *) +ldb_global_init: int (void) +ldb_handle_get_event_context: struct tevent_context *(struct ldb_handle *) +ldb_handle_new: struct ldb_handle *(TALLOC_CTX *, struct ldb_context *) +ldb_handle_use_global_event_context: void (struct ldb_handle *) +ldb_handler_copy: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *) +ldb_handler_fold: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *) +ldb_init: struct ldb_context *(TALLOC_CTX *, struct tevent_context *) +ldb_ldif_message_redacted_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *) +ldb_ldif_message_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *) +ldb_ldif_parse_modrdn: int (struct ldb_context *, const struct ldb_ldif *, TALLOC_CTX *, struct ldb_dn **, struct ldb_dn **, bool *, struct ldb_dn **, struct ldb_dn **) +ldb_ldif_read: struct ldb_ldif *(struct ldb_context *, int (*)(void *), void *) +ldb_ldif_read_file: struct ldb_ldif *(struct ldb_context *, FILE *) +ldb_ldif_read_file_state: struct ldb_ldif *(struct ldb_context *, struct ldif_read_file_state *) +ldb_ldif_read_free: void (struct ldb_context *, struct ldb_ldif *) +ldb_ldif_read_string: struct ldb_ldif *(struct ldb_context *, const char **) +ldb_ldif_write: int (struct ldb_context *, int (*)(void *, const char *, ...), void *, const struct ldb_ldif *) +ldb_ldif_write_file: int (struct ldb_context *, FILE *, const struct ldb_ldif *) +ldb_ldif_write_redacted_trace_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *) +ldb_ldif_write_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *) +ldb_load_modules: int (struct ldb_context *, const char **) +ldb_map_add: int (struct ldb_module *, struct ldb_request *) +ldb_map_delete: int (struct ldb_module *, struct ldb_request *) +ldb_map_init: int (struct ldb_module *, const struct ldb_map_attribute *, const struct ldb_map_objectclass *, const char * const *, const char *, const char *) +ldb_map_modify: int (struct ldb_module *, struct ldb_request *) +ldb_map_rename: int (struct ldb_module *, struct ldb_request *) +ldb_map_search: int (struct ldb_module *, struct ldb_request *) +ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, enum ldb_scope, bool *) +ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope) +ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *) +ldb_match_msg_objectclass: int (const struct ldb_message *, const char *) +ldb_mod_register_control: int (struct ldb_module *, const char *) +ldb_modify: int (struct ldb_context *, const struct ldb_message *) +ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *) +ldb_module_call_chain: char *(struct ldb_request *, TALLOC_CTX *) +ldb_module_connect_backend: int (struct ldb_context *, const char *, const char **, struct ldb_module **) +ldb_module_done: int (struct ldb_request *, struct ldb_control **, struct ldb_extended *, int) +ldb_module_flags: uint32_t (struct ldb_context *) +ldb_module_get_ctx: struct ldb_context *(struct ldb_module *) +ldb_module_get_name: const char *(struct ldb_module *) +ldb_module_get_ops: const struct ldb_module_ops *(struct ldb_module *) +ldb_module_get_private: void *(struct ldb_module *) +ldb_module_init_chain: int (struct ldb_context *, struct ldb_module *) +ldb_module_load_list: int (struct ldb_context *, const char **, struct ldb_module *, struct ldb_module **) +ldb_module_new: struct ldb_module *(TALLOC_CTX *, struct ldb_context *, const char *, const struct ldb_module_ops *) +ldb_module_next: struct ldb_module *(struct ldb_module *) +ldb_module_popt_options: struct poptOption **(struct ldb_context *) +ldb_module_send_entry: int (struct ldb_request *, struct ldb_message *, struct ldb_control **) +ldb_module_send_referral: int (struct ldb_request *, char *) +ldb_module_set_next: void (struct ldb_module *, struct ldb_module *) +ldb_module_set_private: void (struct ldb_module *, void *) +ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type) +ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *) +ldb_modules_load: int (const char *, const char *) +ldb_msg_add: int (struct ldb_message *, const struct ldb_message_element *, int) +ldb_msg_add_empty: int (struct ldb_message *, const char *, int, struct ldb_message_element **) +ldb_msg_add_fmt: int (struct ldb_message *, const char *, const char *, ...) +ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *) +ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *) +ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *) +ldb_msg_add_string: int (struct ldb_message *, const char *, const char *) +ldb_msg_add_string_flags: int (struct ldb_message *, const char *, const char *, int) +ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **) +ldb_msg_append_fmt: int (struct ldb_message *, int, const char *, const char *, ...) +ldb_msg_append_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *, int) +ldb_msg_append_steal_string: int (struct ldb_message *, const char *, char *, int) +ldb_msg_append_steal_value: int (struct ldb_message *, const char *, struct ldb_val *, int) +ldb_msg_append_string: int (struct ldb_message *, const char *, const char *, int) +ldb_msg_append_value: int (struct ldb_message *, const char *, const struct ldb_val *, int) +ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *) +ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *) +ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) +ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *) +ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) +ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *) +ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **) +ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, const struct ldb_val *) +ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *) +ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *) +ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *) +ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int) +ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *) +ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double) +ldb_msg_find_attr_as_int: int (const struct ldb_message *, const char *, int) +ldb_msg_find_attr_as_int64: int64_t (const struct ldb_message *, const char *, int64_t) +ldb_msg_find_attr_as_string: const char *(const struct ldb_message *, const char *, const char *) +ldb_msg_find_attr_as_uint: unsigned int (const struct ldb_message *, const char *, unsigned int) +ldb_msg_find_attr_as_uint64: uint64_t (const struct ldb_message *, const char *, uint64_t) +ldb_msg_find_common_values: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message_element *, struct ldb_message_element *, uint32_t) +ldb_msg_find_duplicate_val: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message_element *, struct ldb_val **, uint32_t) +ldb_msg_find_element: struct ldb_message_element *(const struct ldb_message *, const char *) +ldb_msg_find_ldb_val: const struct ldb_val *(const struct ldb_message *, const char *) +ldb_msg_find_val: struct ldb_val *(const struct ldb_message_element *, struct ldb_val *) +ldb_msg_new: struct ldb_message *(TALLOC_CTX *) +ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **) +ldb_msg_remove_attr: void (struct ldb_message *, const char *) +ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *) +ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *) +ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *) +ldb_msg_sort_elements: void (struct ldb_message *) +ldb_next_del_trans: int (struct ldb_module *) +ldb_next_end_trans: int (struct ldb_module *) +ldb_next_init: int (struct ldb_module *) +ldb_next_prepare_commit: int (struct ldb_module *) +ldb_next_read_lock: int (struct ldb_module *) +ldb_next_read_unlock: int (struct ldb_module *) +ldb_next_remote_request: int (struct ldb_module *, struct ldb_request *) +ldb_next_request: int (struct ldb_module *, struct ldb_request *) +ldb_next_start_trans: int (struct ldb_module *) +ldb_op_default_callback: int (struct ldb_request *, struct ldb_reply *) +ldb_options_find: const char *(struct ldb_context *, const char **, const char *) +ldb_pack_data: int (struct ldb_context *, const struct ldb_message *, struct ldb_val *) +ldb_parse_control_from_string: struct ldb_control *(struct ldb_context *, TALLOC_CTX *, const char *) +ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CTX *, const char **) +ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *) +ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *) +ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *) +ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *) +ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t) +ldb_register_backend: int (const char *, ldb_connect_fn, bool) +ldb_register_extended_match_rule: int (struct ldb_context *, const struct ldb_extended_match_rule *) +ldb_register_hook: int (ldb_hook_fn) +ldb_register_module: int (const struct ldb_module_ops *) +ldb_rename: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *) +ldb_reply_add_control: int (struct ldb_reply *, const char *, bool, void *) +ldb_reply_get_control: struct ldb_control *(struct ldb_reply *, const char *) +ldb_req_get_custom_flags: uint32_t (struct ldb_request *) +ldb_req_is_untrusted: bool (struct ldb_request *) +ldb_req_location: const char *(struct ldb_request *) +ldb_req_mark_trusted: void (struct ldb_request *) +ldb_req_mark_untrusted: void (struct ldb_request *) +ldb_req_set_custom_flags: void (struct ldb_request *, uint32_t) +ldb_req_set_location: void (struct ldb_request *, const char *) +ldb_request: int (struct ldb_context *, struct ldb_request *) +ldb_request_add_control: int (struct ldb_request *, const char *, bool, void *) +ldb_request_done: int (struct ldb_request *, int) +ldb_request_get_control: struct ldb_control *(struct ldb_request *, const char *) +ldb_request_get_status: int (struct ldb_request *) +ldb_request_replace_control: int (struct ldb_request *, const char *, bool, void *) +ldb_request_set_state: void (struct ldb_request *, int) +ldb_reset_err_string: void (struct ldb_context *) +ldb_save_controls: int (struct ldb_control *, struct ldb_request *, struct ldb_control ***) +ldb_schema_attribute_add: int (struct ldb_context *, const char *, unsigned int, const char *) +ldb_schema_attribute_add_with_syntax: int (struct ldb_context *, const char *, unsigned int, const struct ldb_schema_syntax *) +ldb_schema_attribute_by_name: const struct ldb_schema_attribute *(struct ldb_context *, const char *) +ldb_schema_attribute_fill_with_syntax: int (struct ldb_context *, TALLOC_CTX *, const char *, unsigned int, const struct ldb_schema_syntax *, struct ldb_schema_attribute *) +ldb_schema_attribute_remove: void (struct ldb_context *, const char *) +ldb_schema_attribute_remove_flagged: void (struct ldb_context *, unsigned int) +ldb_schema_attribute_set_override_handler: void (struct ldb_context *, ldb_attribute_handler_override_fn_t, void *) +ldb_schema_set_override_GUID_index: void (struct ldb_context *, const char *, const char *) +ldb_schema_set_override_indexlist: void (struct ldb_context *, bool) +ldb_search: int (struct ldb_context *, TALLOC_CTX *, struct ldb_result **, struct ldb_dn *, enum ldb_scope, const char * const *, const char *, ...) +ldb_search_default_callback: int (struct ldb_request *, struct ldb_reply *) +ldb_sequence_number: int (struct ldb_context *, enum ldb_sequence_type, uint64_t *) +ldb_set_create_perms: void (struct ldb_context *, unsigned int) +ldb_set_debug: int (struct ldb_context *, void (*)(void *, enum ldb_debug_level, const char *, va_list), void *) +ldb_set_debug_stderr: int (struct ldb_context *) +ldb_set_default_dns: void (struct ldb_context *) +ldb_set_errstring: void (struct ldb_context *, const char *) +ldb_set_event_context: void (struct ldb_context *, struct tevent_context *) +ldb_set_flags: void (struct ldb_context *, unsigned int) +ldb_set_modules_dir: void (struct ldb_context *, const char *) +ldb_set_opaque: int (struct ldb_context *, const char *, void *) +ldb_set_require_private_event_context: void (struct ldb_context *) +ldb_set_timeout: int (struct ldb_context *, struct ldb_request *, int) +ldb_set_timeout_from_prev_req: int (struct ldb_context *, struct ldb_request *, struct ldb_request *) +ldb_set_utf8_default: void (struct ldb_context *) +ldb_set_utf8_fns: void (struct ldb_context *, void *, char *(*)(void *, void *, const char *, size_t)) +ldb_setup_wellknown_attributes: int (struct ldb_context *) +ldb_should_b64_encode: int (struct ldb_context *, const struct ldb_val *) +ldb_standard_syntax_by_name: const struct ldb_schema_syntax *(struct ldb_context *, const char *) +ldb_strerror: const char *(int) +ldb_string_to_time: time_t (const char *) +ldb_string_utc_to_time: time_t (const char *) +ldb_timestring: char *(TALLOC_CTX *, time_t) +ldb_timestring_utc: char *(TALLOC_CTX *, time_t) +ldb_transaction_cancel: int (struct ldb_context *) +ldb_transaction_cancel_noerr: int (struct ldb_context *) +ldb_transaction_commit: int (struct ldb_context *) +ldb_transaction_prepare_commit: int (struct ldb_context *) +ldb_transaction_start: int (struct ldb_context *) +ldb_unpack_data: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *) +ldb_unpack_data_only_attr_list: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, const char * const *, unsigned int, unsigned int *) +ldb_unpack_data_only_attr_list_flags: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, const char * const *, unsigned int, unsigned int, unsigned int *) +ldb_unpack_get_format: int (const struct ldb_val *, uint32_t *) +ldb_val_dup: struct ldb_val (TALLOC_CTX *, const struct ldb_val *) +ldb_val_equal_exact: int (const struct ldb_val *, const struct ldb_val *) +ldb_val_map_local: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *) +ldb_val_map_remote: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *) +ldb_val_string_cmp: int (const struct ldb_val *, const char *) +ldb_val_to_time: int (const struct ldb_val *, time_t *) +ldb_valid_attr_name: int (const char *) +ldb_vdebug: void (struct ldb_context *, enum ldb_debug_level, const char *, va_list) +ldb_wait: int (struct ldb_handle *, enum ldb_wait_type) diff --git a/lib/ldb/ABI/pyldb-util-1.5.9.sigs b/lib/ldb/ABI/pyldb-util-1.5.9.sigs new file mode 100644 index 00000000000..74d6719d2bc --- /dev/null +++ b/lib/ldb/ABI/pyldb-util-1.5.9.sigs @@ -0,0 +1,2 @@ +pyldb_Dn_FromDn: PyObject *(struct ldb_dn *) +pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **) diff --git a/lib/ldb/ABI/pyldb-util.py3-1.5.9.sigs b/lib/ldb/ABI/pyldb-util.py3-1.5.9.sigs new file mode 100644 index 00000000000..74d6719d2bc --- /dev/null +++ b/lib/ldb/ABI/pyldb-util.py3-1.5.9.sigs @@ -0,0 +1,2 @@ +pyldb_Dn_FromDn: PyObject *(struct ldb_dn *) +pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **) diff --git a/lib/ldb/wscript b/lib/ldb/wscript index 2197a304e94..b65b152e77c 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -1,7 +1,7 @@ #!/usr/bin/env python APPNAME = 'ldb' -VERSION = '1.5.8' +VERSION = '1.5.9' import sys, os -- 2.35.0 From 55121c53f1dc2e4bb192d26d1aeb05f072a6b41f Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 16 Feb 2022 17:03:10 +1300 Subject: [PATCH 15/18] CVE-2022-32745 s4/dsdb/samldb: Check for empty values array This avoids potentially trying to access the first element of an empty array. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 Signed-off-by: Joseph Sutton --- source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 7dbf484af1a..fb043a871b7 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -748,7 +748,7 @@ static int samldb_schema_add_handle_linkid(struct samldb_ctx *ac) return ret; } - if (el == NULL) { + if (el == NULL || el->num_values == 0) { return LDB_SUCCESS; } @@ -916,7 +916,7 @@ static int samldb_schema_add_handle_mapiid(struct samldb_ctx *ac) return ret; } - if (el == NULL) { + if (el == NULL || el->num_values == 0) { return LDB_SUCCESS; } -- 2.35.0 From 1d2ec8f5b1b1af50aeee6a99a10a6896cc239c96 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 17 Feb 2022 11:11:53 +1300 Subject: [PATCH 16/18] CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit Currently, we can crash the server by sending a large number of values of a specific attribute (such as sAMAccountName) spread across a few message elements. If val_count is larger than the total number of elements, we get an access beyond the elements array. Similarly, we can include unrelated message elements prior to the message elements of the attribute in question, so that not all of the attribute's values are copied into the returned elements values array. This can cause the server to access uninitialised data, likely resulting in a crash or unexpected behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 Signed-off-by: Joseph Sutton --- source4/dsdb/samdb/ldb_modules/util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index d14f0bcbf51..a45b1e5b463 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c @@ -1476,7 +1476,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx, v = _el->values; - for (i = 0; i < val_count; i++) { + for (i = 0; i < msg->num_elements; i++) { if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) { if ((operation == LDB_MODIFY) && (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) -- 2.35.0 From d45ebb128c6d0eb264b9c7722005b036f22203d3 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 17 Feb 2022 11:13:38 +1300 Subject: [PATCH 17/18] CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer Doing so is undefined behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 Signed-off-by: Joseph Sutton --- source4/dsdb/samdb/ldb_modules/util.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index a45b1e5b463..db7edb61564 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c @@ -1478,15 +1478,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx, for (i = 0; i < msg->num_elements; i++) { if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) { + const struct ldb_message_element *tmp_el = &msg->elements[i]; if ((operation == LDB_MODIFY) && - (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) + (LDB_FLAG_MOD_TYPE(tmp_el->flags) == LDB_FLAG_MOD_DELETE)) { continue; } + if (tmp_el->values == NULL || tmp_el->num_values == 0) { + continue; + } memcpy(v, - msg->elements[i].values, - msg->elements[i].num_values); - v += msg->elements[i].num_values; + tmp_el->values, + tmp_el->num_values); + v += tmp_el->num_values; } } -- 2.35.0 From 0097c962c14f0b1304cb5e981effd984c0a7e837 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 3 Jun 2022 16:16:31 +1200 Subject: [PATCH 18/18] CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element To use memcpy(), we need to specify the number of bytes to copy, rather than the number of ldb_val structures. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 Signed-off-by: Joseph Sutton --- source4/dsdb/samdb/ldb_modules/util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c index db7edb61564..68e2fe30751 100644 --- a/source4/dsdb/samdb/ldb_modules/util.c +++ b/source4/dsdb/samdb/ldb_modules/util.c @@ -1489,7 +1489,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx, } memcpy(v, tmp_el->values, - tmp_el->num_values); + tmp_el->num_values * sizeof(*v)); v += tmp_el->num_values; } } -- 2.35.0