CVE-2020-25720 s4/dsdb/util: Add functions for dsHeuristics 28, 29

These are the newly-added AttributeAuthorizationOnLDAPAdd and
BlockOwnerImplicitRights.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/libds/common/flags.h b/libds/common/flags.h
index 75e04b0c488bfb245f76d7db95b34f4c97556a2d..bee1016b294dd71b40616e09af06a33de36aa592 100644 (file)
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -258,6 +258,8 @@
 #define DS_HR_KVNOEMUW2K                          0x00000011
 
 #define DS_HR_TWENTIETH_CHAR                      0x00000014
+#define DS_HR_ATTR_AUTHZ_ON_LDAP_ADD              0x0000001C
+#define DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS         0x0000001D
 #define DS_HR_THIRTIETH_CHAR                      0x0000001E
 #define DS_HR_FOURTIETH_CHAR                      0x00000028
 #define DS_HR_FIFTIETH_CHAR                       0x00000032

diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 9e00aedd09eb002663a3b00e4cfe3e8732a514db..c2949f0734dc046ea122ab27235632c78127cfef 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1433,6 +1433,46 @@ bool dsdb_do_list_object(struct ldb_module *module,
        return result;
 }
 
+bool dsdb_attribute_authz_on_ldap_add(struct ldb_module *module,
+                                     TALLOC_CTX *mem_ctx,
+                                     struct ldb_request *parent)
+{
+       TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+       bool result = false;
+       const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
+                                                                    tmp_ctx,
+                                                                    parent);
+       if (hr_val != NULL && hr_val->length >= DS_HR_ATTR_AUTHZ_ON_LDAP_ADD) {
+               uint8_t val = hr_val->data[DS_HR_ATTR_AUTHZ_ON_LDAP_ADD - 1];
+               if (val != '0' && val != '2') {
+                       result = true;
+               }
+       }
+
+       talloc_free(tmp_ctx);
+       return result;
+}
+
+bool dsdb_block_owner_implicit_rights(struct ldb_module *module,
+                                     TALLOC_CTX *mem_ctx,
+                                     struct ldb_request *parent)
+{
+       TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+       bool result = false;
+       const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
+                                                                    tmp_ctx,
+                                                                    parent);
+       if (hr_val != NULL && hr_val->length >= DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS) {
+               uint8_t val = hr_val->data[DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS - 1];
+               if (val != '0' && val != '2') {
+                       result = true;
+               }
+       }
+
+       talloc_free(tmp_ctx);
+       return result;
+}
+
 /*
   show the chain of requests, useful for debugging async requests
  */