From: Ralph Boehme Date: Thu, 15 Feb 2018 09:56:06 +0000 (+0100) Subject: CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE X-Git-Tag: samba-4.5.16~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7eabe3d477fd9c439ad160f42f537f404019b420;p=thirdparty%2Fsamba.git CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher --- diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index e5bee6fae53..dfe2a0ef9f7 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -3921,17 +3921,20 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r } while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) { - if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_DELETE) { + unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags); + + if (mtype == LDB_FLAG_MOD_DELETE) { ++del_attr_cnt; } - if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_ADD) { + if (mtype == LDB_FLAG_MOD_ADD) { ++add_attr_cnt; } - if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_REPLACE) { + if (mtype == LDB_FLAG_MOD_REPLACE) { ++rep_attr_cnt; } if ((passwordAttr->num_values != 1) && - (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_ADD)) { + (mtype == LDB_FLAG_MOD_ADD)) + { talloc_free(ac); ldb_asprintf_errstring(ldb, "'%s' attribute must have exactly one value on add operations!", @@ -3939,7 +3942,8 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r return LDB_ERR_CONSTRAINT_VIOLATION; } if ((passwordAttr->num_values > 1) && - (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_DELETE)) { + (mtype == LDB_FLAG_MOD_DELETE)) + { talloc_free(ac); ldb_asprintf_errstring(ldb, "'%s' attribute must have zero or one value(s) on delete operations!",