git.ipfire.org Git - thirdparty/samba.git/commit

author	Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
	Wed, 20 Oct 2021 04:09:21 +0000 (17:09 +1300)
committer	Jule Anger <janger@samba.org>
	Mon, 8 Nov 2021 09:52:11 +0000 (10:52 +0100)
commit	208bbf8cfda200deaeddfad77e4b43d54e692ba5
tree	24ed7e6603b951573d7dbbfc3046fbff2d8056e8	tree
parent	3a4095aec5eb592d4968465930f7fd7e1435e19f	commit \| diff

CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()

This function collects a superset of all the new values for the specified
attribute that could result from an ldb add or modify message.

In most cases -- where there is a single add or modify -- the exact set
of added values is returned, and this is done reasonably efficiently
using the existing element. Where it gets complicated is when there are
multiple elements for the same attribute in a message. Anything added
before a replace or delete will be included in these results but may not
end up in the database if the message runs its course. Examples:

   sequence           result
1. ADD                the element is returned (exact)
2. REPLACE            the element is returned (exact)
3. ADD, ADD           both elements are concatenated together (exact)
4. ADD, REPLACE       both elements are concatenated together (superset)
5. REPLACE, ADD       both elements are concatenated together (exact)
6. ADD, DEL, ADD      adds are concatenated together (superset)
7. REPLACE, REPLACE   both concatenated (superset)
8. DEL, ADD           last element is returned (exact)

Why this? In the past we have treated dsdb_get_single_valued_attr() as if
it returned the complete set of possible database changes, when in fact it
only returned the last non-delete. That is, it could have missed values
in examples 3-7 above.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>