CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 6 Feb 2023 20:29:51 +0000 (09:29 +1300)
committerJule Anger <janger@samba.org>
Mon, 20 Mar 2023 09:03:37 +0000 (10:03 +0100)
It is better to explicitly abort than to dereference a NULL pointer or
try to read data cast to the wrong type.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/acl_read.c
source4/dsdb/samdb/ldb_modules/acl_util.c
source4/dsdb/samdb/ldb_modules/linked_attributes.c
source4/dsdb/samdb/ldb_modules/password_hash.c

index b221dcde445bb8c3d0b56b8221141bba63ad4370..16a1927183c1ab9a60621271810e199c153f195f 100644 (file)
@@ -268,7 +268,7 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac,
        struct ldb_message_element *sd_element;
        struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
        struct aclread_private *private_data
-               = talloc_get_type(ldb_module_get_private(ac->module),
+               = talloc_get_type_abort(ldb_module_get_private(ac->module),
                                  struct aclread_private);
        enum ndr_err_code ndr_err;
 
@@ -568,7 +568,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
        const struct dsdb_class *objectclass;
        bool suppress_result = false;
 
-       ac = talloc_get_type(req->context, struct aclread_context);
+       ac = talloc_get_type_abort(req->context, struct aclread_context);
        ldb = ldb_module_get_ctx(ac->module);
        if (!ares) {
                return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
index 08a95c1c310e2b41fa5f786f0c235e60b2ee4963..ebaac067b93235d9c0f57aa45d028169b5a5379d 100644 (file)
@@ -298,7 +298,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
 
        sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
        if (sd_control != NULL && sd_control->data != NULL) {
-               struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
+               struct ldb_sd_flags_control *sdctr = talloc_get_type_abort(sd_control->data, struct ldb_sd_flags_control);
 
                sd_flags = sdctr->secinfo_flags;
 
index 5ef075f20371ee182a5ac09b3523f066474487b3..317df9d3e0e3f3ac3c72e24e40860c9bb6c9e9be 100644 (file)
@@ -104,7 +104,7 @@ static int handle_verify_name_control(TALLOC_CTX *ctx, struct ldb_context *ldb,
         * If we are a GC let's remove the control,
         * if there is a specified GC check that is us.
         */
-       struct ldb_verify_name_control *lvnc = (struct ldb_verify_name_control *)control->data;
+       struct ldb_verify_name_control *lvnc = talloc_get_type_abort(control->data, struct ldb_verify_name_control);
        if (samdb_is_gc(ldb)) {
                /* Because we can't easily talloc a struct ldb_dn*/
                struct ldb_dn **dn = talloc_array(ctx, struct ldb_dn *, 1);
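Review bot: `control->data` is handed to `talloc_get_type_abort()` with no NULL check visible in this hunk, and that macro aborts on a NULL pointer as well as on a type-name mismatch, so a verify-name control carrying no value would now terminate the process instead of leaving `lvnc` NULL. The `dsdb_request_sd_flags()` hunk in acl_util.c guards its cast with `sd_control->data != NULL`, whereas `ph_apply_controls()` in password_hash.c has the same gap: `ctrl->data` is cast after checking only `ctrl != NULL`. Whether either control can reach these modules with empty data from a client request cannot be determined from the visible lines; if it can, the abort becomes a denial-of-service condition. A guard placed before the cast, such as `if (control->data == NULL) { return LDB_ERR_OPERATIONS_ERROR; }`, would turn that case into an ordinary error. The body of handle_verify_name_control starts and continues outside the hunk, so an earlier check may already exist.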
index fb4deeae9f598e4a6f0da31bdedd735e015a9b57..da49038d6fccdfd36a4b2013e29e15326bde314e 100644 (file)
@@ -3887,7 +3887,7 @@ static void ph_apply_controls(struct ph_context *ac)
        ctrl = ldb_request_get_control(ac->req,
                                       DSDB_CONTROL_PASSWORD_CHANGE_OID);
        if (ctrl != NULL) {
-               ac->change = (struct dsdb_control_password_change *) ctrl->data;
+               ac->change = talloc_get_type_abort(ctrl->data, struct dsdb_control_password_change);
 
                /* Mark the "change" control as uncritical (done) */
                ctrl->critical = false;