From: Douglas Bagnall
Date: Thu, 24 Aug 2023 03:08:13 +0000 (+1200)
Subject: libcli/security: find SDDL coda for RA and conditional ACEs
X-Git-Tag: tevent-0.16.0~481
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=672fc0a1abbf65eca63337e75296a828c79aaabf;p=thirdparty%2Fsamba.git
libcli/security: find SDDL coda for RA and conditional ACEs
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 6da0a612efb..c7f13e9b9a1 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -481,6 +481,7 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 size_t len;
 size_t count = 0;
 char *str = *sddl_copy;
+ bool has_extra_data = false;
 ZERO_STRUCTP(ace);
 if (*str != '(') {
@@ -488,7 +489,7 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 }
 str++;
 /*
- * First we split apart the 6 tokens.
+ * First we split apart the 6 (or 7) tokens.
 *
 * 0. ace type
 * 1. ace flags
@@ -497,6 +498,7 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 * 4. inherit guid
 * 5. sid
 *
+ * 6/extra_data rare optional extra data
 */
 tok[0] = str;
 while (*str != '\0') {
@@ -507,11 +509,13 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 tok[count] = str;
 if (count == 6) {
 /*
- * When we get conditional or resource ACEs,
- * this will set a flag and break;
- * for now we just...
+ * this looks like a conditional ACE
+ * or resource ACE, but we can't say
+ * for sure until we look at the ACE
+ * type (tok[0]), after the loop.
 */
- return false;
+ has_extra_data = true;
+ break;
 }
 continue;
 }
@@ -546,6 +550,11 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
 ace->type = v;
+ if (has_extra_data) {
+ DBG_WARNING("ACE has trailing section which is not yet supported");
+ return false;
+ }
+
 /* ace flags */
 if (!sddl_map_flags(ace_flags, tok[1], &v, NULL, false)) {
 return false;
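Review bot: In the tokeniser loop of the fourth hunk (`@@ -507,11 +509,13 @@`), `tok[count] = str;` runs before the `if (count == 6)` test, so `tok[6]` is written whenever a seventh field appears in the SDDL string. The declaration of `tok` is outside every hunk shown, so it cannot be confirmed from this patch that the array has seven slots; if it is still sized for the six standard fields, this is a one-element out-of-bounds stack write driven by the input string. Now that the seventh token is deliberately kept rather than discarded, I would put a comment at the declaration such as `/* 6 standard fields + 1 optional trailing section */`, or move the bound test ahead of the store. How the checks after the loop treat `count == 6` reached via this new `break` is also not visible here, as the function starts and ends outside the hunk.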
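Review bot: The `DBG_WARNING` format string in the added `has_extra_data` branch of the last hunk has no trailing newline, and as far as I know Samba's debug macros do not append one, so this message would run into the next log line. It should read `DBG_WARNING("ACE has trailing section which is not yet supported\n");`. The branch rejects every ACE with a seventh field regardless of the type just stored in `ace->type`, which fails closed and is right for now. The earlier comment says the type decides, though, so a short comment here would stop a later reader mistaking this for the final logic, for example `/* until conditional/resource ACE parsing lands, refuse any trailing section */`. The function continues outside the hunk.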