CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index bb437a3b98261a1b0c10606cd94308b037d2c4a1..5f033f9622b2c48fce21a803ba9bcb8392df5ff5 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -201,6 +201,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r
        struct ldb_message_element *nthe;
        struct ldb_message_element *lmhe;
        struct ldb_message_element *sce;
+       int ret;
 
        switch (request->operation) {
        case LDB_ADD:
@@ -214,17 +215,26 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r
        }
 
        /* nobody must touch password histories and 'supplementalCredentials' */
-       nte = dsdb_get_single_valued_attr(msg, "unicodePwd",
-                                         request->operation);
-       lme = dsdb_get_single_valued_attr(msg, "dBCSPwd",
-                                         request->operation);
-       nthe = dsdb_get_single_valued_attr(msg, "ntPwdHistory",
-                                          request->operation);
-       lmhe = dsdb_get_single_valued_attr(msg, "lmPwdHistory",
-                                          request->operation);
-       sce = dsdb_get_single_valued_attr(msg, "supplementalCredentials",
-                                         request->operation);
 
+#define GET_VALUES(el, attr) do {  \
+       ret = dsdb_get_expected_new_values(request,             \
+                                          msg,                 \
+                                          attr,                \
+                                          &el,                 \
+                                          request->operation); \
+                                                               \
+       if (ret != LDB_SUCCESS) {                               \
+               return ret;                                     \
+       }                                                       \
+} while(0)
+
+       GET_VALUES(nte, "unicodePwd");
+       GET_VALUES(lme, "dBCSPwd");
+       GET_VALUES(nthe, "ntPwdHistory");
+       GET_VALUES(lmhe, "lmPwdHistory");
+       GET_VALUES(sce, "supplementalCredentials");
+
+#undef GET_VALUES
 #define CHECK_HASH_ELEMENT(e, min, max) do {\
        if (e && e->num_values) { \
                unsigned int _count; \