From: Stefan Metzmacher Date: Thu, 16 Mar 2023 09:00:11 +0000 (+0100) Subject: CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b1f1c9f90fd66c333ce1effab8ab78165266bd5;p=thirdparty%2Fsamba.git CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position Often it is important to insert an ace at a specific position in the ACL. As a default we still append by default by using -1, which is the generic version of passing the number of existing aces. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall (cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada) --- diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c index 64c2d027876..8657c797364 100644 --- a/libcli/security/security_descriptor.c +++ b/libcli/security/security_descriptor.c @@ -267,9 +267,11 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx, static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, bool add_to_sacl, - const struct security_ace *ace) + const struct security_ace *ace, + ssize_t _idx) { struct security_acl *acl = NULL; + ssize_t idx; if (add_to_sacl) { acl = sd->sacl; @@ -288,15 +290,28 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, acl->aces = NULL; } + if (_idx < 0) { + idx = (acl->num_aces + 1) + _idx; + } else { + idx = _idx; + } + + if (idx < 0) { + return NT_STATUS_ARRAY_BOUNDS_EXCEEDED; + } else if (idx > acl->num_aces) { + return NT_STATUS_ARRAY_BOUNDS_EXCEEDED; + } + acl->aces = talloc_realloc(acl, acl->aces, struct security_ace, acl->num_aces+1); if (acl->aces == NULL) { return NT_STATUS_NO_MEMORY; } - acl->aces[acl->num_aces] = *ace; + ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx); + acl->num_aces++; - switch (acl->aces[acl->num_aces].type) { + switch (acl->aces[idx].type) { case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: @@ -307,8 +322,6 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, break; } - acl->num_aces++; - if (add_to_sacl) { sd->sacl = acl; sd->type |= SEC_DESC_SACL_PRESENT; @@ -327,7 +340,7 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, const struct security_ace *ace) { - return security_descriptor_acl_add(sd, true, ace); + return security_descriptor_acl_add(sd, true, ace, -1); } /* @@ -337,7 +350,7 @@ NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd, NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, const struct security_ace *ace) { - return security_descriptor_acl_add(sd, false, ace); + return security_descriptor_acl_add(sd, false, ace, -1); } /*