CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
authorAndreas Schneider <asn@samba.org>
Tue, 24 May 2022 07:54:18 +0000 (09:54 +0200)
committerJule Anger <janger@samba.org>
Sun, 24 Jul 2022 09:42:02 +0000 (11:42 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
[jsutton@samba.org Adapted entry to entry_ex->entry]

source4/kdc/db-glue.c

index 5752ffb821c0e3e0cf4162d0533812e6828a4531..45159e6e64d0db0e8358760c8f6d651969b7de11 100644 (file)
@@ -816,6 +816,14 @@ static int principal_comp_strcmp(krb5_context context,
                                         component, string, false);
 }
 
+static bool is_kadmin_changepw(krb5_context context,
+                              krb5_const_principal principal)
+{
+       return krb5_princ_size(context, principal) == 2 &&
+               (principal_comp_strcmp(context, principal, 0, "kadmin") == 0) &&
+               (principal_comp_strcmp(context, principal, 1, "changepw") == 0);
+}
+
 /*
  * Construct an hdb_entry from a directory entry.
  */
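Review bot: The new is_kadmin_changepw() helper has no comment saying that it compares only the two name components and never looks at the realm. The caller in the samba_kdc_message2entry hunk still pairs it with `lpcfg_is_my_domain_or_realm(lp_ctx, realm)`, but a later caller that uses the helper on its own would also match kadmin/changepw principals from other realms. I would add above the function: `/* True if the principal name is exactly kadmin/changepw; the realm is NOT checked, callers must verify it separately. */`. The same comment could note that the `krb5_princ_size(context, principal) == 2` test has to stay first so that component indexes 0 and 1 are known to exist; principal_comp_strcmp's body is outside the hunk, so whether it checks the index itself is not visible here.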
@@ -1110,11 +1118,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                 * 'change password', as otherwise we could get into
                 * trouble, and not enforce the password expirty.
                 * Instead, only do it when request is for the kpasswd service */
-               if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER
-                   && krb5_princ_size(context, principal) == 2
-                   && (principal_comp_strcmp(context, principal, 0, "kadmin") == 0)
-                   && (principal_comp_strcmp(context, principal, 1, "changepw") == 0)
-                   && lpcfg_is_my_domain_or_realm(lp_ctx, realm)) {
+               if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER &&
+                   is_kadmin_changepw(context, principal) &&
+                   lpcfg_is_my_domain_or_realm(lp_ctx, realm)) {
                        entry_ex->entry.flags.change_pw = 1;
                }