From: Stefan Metzmacher
Date: Thu, 16 Mar 2023 09:03:44 +0000 (+0100)
Subject: CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
X-Git-Tag: samba-4.17.12~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3de5d8a01163bfa70464d7532069ed467e4ffd10;p=thirdparty%2Fsamba.git

CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
(cherry picked from commit 2c02378029fff6636b8f19e45af78b265f2210ed)
---
diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c
index 8657c797364..08f2cf19ee8 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -343,6 +343,20 @@ NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
 	return security_descriptor_acl_add(sd, true, ace, -1);
 }
 
+/*
+  insert an ACE at a given index to the SACL of a security_descriptor
+
+  idx can be negative, which means it's related to the new size from the
+  end, so -1 means the ace is appended at the end.
+*/
+
+NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
+					 const struct security_ace *ace,
+					 ssize_t idx)
+{
+	return security_descriptor_acl_add(sd, true, ace, idx);
+}
+
 /*
   add an ACE to the DACL of a security_descriptor
 */
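Review bot: The comment above the new security_descriptor_sacl_insert explains negative idx but not what the function does when idx lies outside the new size in either direction; that decision is made inside security_descriptor_acl_add, which is outside this hunk, so the contract a caller may rely on should be stated here. I would add a sentence along the lines of `An idx outside -(new size) .. new size-1 is reported as an error status rather than clamped` — confirm the actual behaviour against security_descriptor_acl_add before wording it. Since ACL evaluation is order-sensitive, it is also worth saying that the caller is responsible for choosing an idx that keeps the ACL in canonical order, as nothing in this hunk reorders ACEs. The dacl variant in the next hunk has the same documentation gap.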
@@ -353,6 +367,20 @@ NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
 	return security_descriptor_acl_add(sd, false, ace, -1);
 }
 
+/*
+  insert an ACE at a given index to the DACL of a security_descriptor
+
+  idx can be negative, which means it's related to the new size from the
+  end, so -1 means the ace is appended at the end.
+*/
+
+NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
+					 const struct security_ace *ace,
+					 ssize_t idx)
+{
+	return security_descriptor_acl_add(sd, false, ace, idx);
+}
+
 /*
   delete the ACE corresponding to the given trustee in an ACL of a
   security_descriptor
diff --git a/libcli/security/security_descriptor.h b/libcli/security/security_descriptor.h
index 46545321d15..354bc17e925 100644
--- a/libcli/security/security_descriptor.h
+++ b/libcli/security/security_descriptor.h
@@ -33,8 +33,14 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
 					     struct security_descriptor **_csd);
 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
 				      const struct security_ace *ace);
+NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
+					 const struct security_ace *ace,
+					 ssize_t idx);
 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
 				      const struct security_ace *ace);
+NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
+					 const struct security_ace *ace,
+					 ssize_t idx);
 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
 				      const struct dom_sid *trustee);
 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
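Review bot: The new security_descriptor_dacl_insert and the existing security_descriptor_dacl_add visible in the context above are now two one-line wrappers that both pass the same `false` discriminator to security_descriptor_acl_add; the "append" semantic would live in one place if the existing wrapper delegated to the new one, `return security_descriptor_dacl_insert(sd, ace, -1);`. The same restructuring applies to the sacl pair in the previous hunk. This is a style point only; behaviour is identical either way.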
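Review bot: The two new prototypes in security_descriptor.h introduce ssize_t, which none of the surrounding declarations in this hunk use; the includes that bring it into scope are outside the hunk, so please confirm the header itself makes it available to every consumer rather than relying on it arriving indirectly through whatever the consumer included first. If it is not already covered, a `#include <sys/types.h>` near the top of the header is the place for it.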