master

分支 (15)

标签 (14)

管理

管理

master

openEuler-22.09

openEuler-22.03-LTS

openEuler-22.03-LTS-Next

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP1

openEuler-22.03-LTS-LoongArch

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-21.03

openEuler-21.09

openEuler-20.09

openEuler1.0

openEuler1.0-base

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

samba
/
0014-CVE-2022-32743-s4-rpc_server-com...

From 6b76bc7339addb14884c2d6ddb20c559c7fbe07d Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 9 Jun 2022 19:32:30 +1200
Subject: [PATCH 14/15] CVE-2022-32743 s4:rpc_server/common: Add
 dcesrv_samdb_connect_session_info()

This function allows us to connect to samdb as a particular user by
passing in that user's session info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---
 source4/rpc_server/common/common.h      |  1 +
 source4/rpc_server/common/server_info.c | 65 ++++++++++++++++++++-------------
 2 files changed, 40 insertions(+), 26 deletions(-)

diff --git a/source4/rpc_server/common/common.h b/source4/rpc_server/common/common.h
index 7d2f8c5..b57ddf2 100644
--- a/source4/rpc_server/common/common.h
+++ b/source4/rpc_server/common/common.h
@@ -30,6 +30,7 @@ struct dcesrv_context;
 struct dcesrv_call_state;
 struct ndr_interface_table;
 struct ncacn_packet;
+struct auth_session_info;

 struct dcerpc_server_info {
 	const char *domain_name;
diff --git a/source4/rpc_server/common/server_info.c b/source4/rpc_server/common/server_info.c
index a2af376..34228c3 100644
--- a/source4/rpc_server/common/server_info.c
+++ b/source4/rpc_server/common/server_info.c
@@ -190,48 +190,44 @@ bool dcesrv_common_validate_share_name(TALLOC_CTX *mem_ctx, const char *share_na
 	return true;
 }

-static struct ldb_context *dcesrv_samdb_connect_common(
+/*
+ * call_session_info is session info for samdb. call_audit_session_info is for
+ * auditing and may be NULL.
+ */
+struct ldb_context *dcesrv_samdb_connect_session_info(
 	TALLOC_CTX *mem_ctx,
 	struct dcesrv_call_state *dce_call,
-	bool as_system)
+	const struct auth_session_info *call_session_info,
+	const struct auth_session_info *call_audit_session_info)
 {
 	struct ldb_context *samdb = NULL;
-	struct auth_session_info *system_session_info = NULL;
-	const struct auth_session_info *call_session_info =
-		dcesrv_call_session_info(dce_call);
 	struct auth_session_info *user_session_info = NULL;
-	struct auth_session_info *ldb_session_info = NULL;
 	struct auth_session_info *audit_session_info = NULL;
 	struct tsocket_address *remote_address = NULL;

-	if (as_system) {
-		system_session_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
-		if (system_session_info == NULL) {
-			return NULL;
-		}
-	}
-
 	user_session_info = copy_session_info(mem_ctx, call_session_info);
 	if (user_session_info == NULL) {
 		return NULL;
 	}

+	if (call_audit_session_info != NULL) {
+		audit_session_info = copy_session_info(mem_ctx, call_audit_session_info);
+		if (audit_session_info == NULL) {
+			talloc_free(user_session_info);
+			return NULL;
+		}
+	}
+
 	if (dce_call->conn->remote_address != NULL) {
 		remote_address = tsocket_address_copy(dce_call->conn->remote_address,
 						      user_session_info);
 		if (remote_address == NULL) {
+			TALLOC_FREE(audit_session_info);
+			talloc_free(user_session_info);
 			return NULL;
 		}
 	}

-	if (system_session_info != NULL) {
-		ldb_session_info = system_session_info;
-		audit_session_info = user_session_info;
-	} else {
-		ldb_session_info = user_session_info;
-		audit_session_info = NULL;
-	}
-
 	/*
 	 * We need to make sure every argument
 	 * stays arround for the lifetime of 'samdb',
@@ -253,10 +249,11 @@ static struct ldb_context *dcesrv_samdb_connect_common(
 		mem_ctx,
 		dce_call->event_ctx,
 		dce_call->conn->dce_ctx->lp_ctx,
-		ldb_session_info,
+		user_session_info,
 		remote_address,
 		0);
 	if (samdb == NULL) {
+		TALLOC_FREE(audit_session_info);
 		talloc_free(user_session_info);
 		return NULL;
 	}
@@ -265,6 +262,8 @@ static struct ldb_context *dcesrv_samdb_connect_common(
 	if (audit_session_info != NULL) {
 		int ret;

+		talloc_steal(samdb, audit_session_info);
+
 		ret = ldb_set_opaque(samdb,
 				     DSDB_NETWORK_SESSION_INFO,
 				     audit_session_info);
@@ -288,8 +287,18 @@ struct ldb_context *dcesrv_samdb_connect_as_system(
 	TALLOC_CTX *mem_ctx,
 	struct dcesrv_call_state *dce_call)
 {
-	return dcesrv_samdb_connect_common(mem_ctx, dce_call,
-					   true /* as_system */);
+	const struct auth_session_info *system_session_info = NULL;
+	const struct auth_session_info *call_session_info = NULL;
+
+	system_session_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
+	if (system_session_info == NULL) {
+		return NULL;
+	}
+
+	call_session_info = dcesrv_call_session_info(dce_call);
+
+	return dcesrv_samdb_connect_session_info(mem_ctx, dce_call,
+						 system_session_info, call_session_info);
 }

 /*
@@ -301,6 +310,10 @@ struct ldb_context *dcesrv_samdb_connect_as_user(
 	TALLOC_CTX *mem_ctx,
 	struct dcesrv_call_state *dce_call)
 {
-	return dcesrv_samdb_connect_common(mem_ctx, dce_call,
-					   false /* not as_system */);
+	const struct auth_session_info *call_session_info = NULL;
+
+	call_session_info = dcesrv_call_session_info(dce_call);
+
+	return dcesrv_samdb_connect_session_info(mem_ctx, dce_call,
+						 call_session_info, NULL);
 }
--
1.8.3.1