1 Star 0 Fork 49

yangl777/samba

forked from src-openEuler/samba 
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
backport-0010-CVE-2023-4154.patch 3.37 KB
一键复制 编辑 原始数据 按行查看 历史
From 7ebf51dd8b57b5932bb6f923d513e3f84c653567 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 16 Mar 2023 10:00:11 +0100
Subject: [PATCH 15/28] CVE-2023-4154 libcli/security: prepare
security_descriptor_acl_add() to place the ace at a position
Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada)
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.18.8-security-2023-10-10.patch
[PATCH 15/28] CVE-2023-4154 libcli/security: prepare
security_descriptor_acl_add() to place the ace at a position
---
libcli/security/security_descriptor.c | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c
index 23d436dbaeb..bc38a405e1e 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -268,9 +268,11 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
bool add_to_sacl,
- const struct security_ace *ace)
+ const struct security_ace *ace,
+ ssize_t _idx)
{
struct security_acl *acl = NULL;
+ ssize_t idx;
if (add_to_sacl) {
acl = sd->sacl;
@@ -289,15 +291,28 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
acl->aces = NULL;
}
+ if (_idx < 0) {
+ idx = (acl->num_aces + 1) + _idx;
+ } else {
+ idx = _idx;
+ }
+
+ if (idx < 0) {
+ return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
+ } else if (idx > acl->num_aces) {
+ return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
+ }
+
acl->aces = talloc_realloc(acl, acl->aces,
struct security_ace, acl->num_aces+1);
if (acl->aces == NULL) {
return NT_STATUS_NO_MEMORY;
}
- acl->aces[acl->num_aces] = *ace;
+ ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
+ acl->num_aces++;
- switch (acl->aces[acl->num_aces].type) {
+ switch (acl->aces[idx].type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
@@ -308,8 +323,6 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
break;
}
- acl->num_aces++;
-
if (add_to_sacl) {
sd->sacl = acl;
sd->type |= SEC_DESC_SACL_PRESENT;
@@ -328,7 +341,7 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
const struct security_ace *ace)
{
- return security_descriptor_acl_add(sd, true, ace);
+ return security_descriptor_acl_add(sd, true, ace, -1);
}
/*
@@ -338,7 +351,7 @@ NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
const struct security_ace *ace)
{
- return security_descriptor_acl_add(sd, false, ace);
+ return security_descriptor_acl_add(sd, false, ace, -1);
}
/*
--
2.34.1
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/yangl777/samba.git
git@gitee.com:yangl777/samba.git
yangl777
samba
samba
master

搜索帮助