git.ipfire.org Git - thirdparty/samba.git/commit

author	Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
	Tue, 9 Apr 2024 22:54:31 +0000 (10:54 +1200)
committer	Jule Anger <janger@samba.org>
	Mon, 10 Jun 2024 13:25:17 +0000 (13:25 +0000)
commit	108f687cf222c6a7235d006bedd31214acc99962
tree	eea9cb2acfbe639c4f234d26ba1544cc42c3dd0e	tree
parent	5bf176b56924f6c309978ae8cc812787bc19228c	commit \| diff

ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate

This function compares blobs that might be SID strings or might be SID
structures. Until now, if they were both (seemingly) strings, they were
compared as strings, otherwise if either was a string it was converted to
a structure blob, then the blobs were compared. This had two big problems:

1. There is variety in the way a SID can be stringified. For example,
   "s-1-02-3" means the same SID as "S-1-2-3", but those wouldn't compare
   equal.

2. SID comparison was crazily non-transitive. Consider the three values
     a = "S-1-2-3-4-5",
     b = "S-1-9-1",
     c = SID("S-1-11-1"), where c is a struct and the others are string.

   then we had,
     a < b, because the 5th character '2' < '9'.
     a > c, because when converted to a structure, the number of sub-auths
            is the first varying byte. a has 3, c has 0.
     b < c, because after the sub-auth count comes the id_auth value
            (big-endian, which doesn't matter in this case).

That made the function unreliable for sorting, AND for simple equality
tests. Also it leaked.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6722e80d1b3a252a1ed714be4a35185cd99971e3)