CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value

dsdb_get_single_valued_attr() was finding the last non-delete element for
userAccountControl and changing its value to the computed value.
Unfortunately, the last non-delete element might not be the last element,
and a subsequent delete might remove it.

Instead we just add a replace on the end.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index b84ef4c26d5efd04e16b3db752f1654e7b694a41..1410e5bc5e6cd488886f0142bb2ae2cada69f0c7 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -3008,9 +3008,12 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
                        return ldb_module_oom(ac->module);
                }
 
-               /* Overwrite "userAccountControl" correctly */
-               el = dsdb_get_single_valued_attr(ac->msg, "userAccountControl",
-                                                ac->req->operation);
+               ret = ldb_msg_add_empty(ac->msg,
+                                       "userAccountControl",
+                                       LDB_FLAG_MOD_REPLACE,
+                                       &el);
+               el->values = talloc(ac->msg, struct ldb_val);
+               el->num_values = 1;
                el->values[0].data = (uint8_t *) tempstr;
                el->values[0].length = strlen(tempstr);
        } else {