From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 5 Aug 2021 12:24:25 +0000 (+0200)
Subject: CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
X-Git-Tag: samba-4.13.14~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79d62d83e23fe5969cb432262ab9addad59a3b8d;p=thirdparty%2Fsamba.git

CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper

This avoids a crash that's triggered by windows clients using
handles from OpenPolicy[2]() on across multiple connections within
an association group.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source4/rpc_server/lsa/lsa_init.c b/source4/rpc_server/lsa/lsa_init.c
index f33b61c4035..400c5093079 100644
--- a/source4/rpc_server/lsa/lsa_init.c
+++ b/source4/rpc_server/lsa/lsa_init.c
@@ -71,12 +71,7 @@ NTSTATUS dcesrv_lsa_get_policy_state(struct dcesrv_call_state *dce_call,
 	}
 
 	/* make sure the sam database is accessible */
-	state->sam_ldb = samdb_connect(state,
-				       dce_call->event_ctx,
-				       dce_call->conn->dce_ctx->lp_ctx,
-				       session_info,
-				       dce_call->conn->remote_address,
-				       0);
+	state->sam_ldb = dcesrv_samdb_connect_as_user(state, dce_call);
 	if (state->sam_ldb == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}