From: Douglas Bagnall Date: Thu, 9 Jan 2025 03:14:05 +0000 (+1300) Subject: ndr: fix coda logic around in ndr_pull_security_ace() X-Git-Tag: samba-4.20.8~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f3d65a377add30263a4d6cc71feecdfc4eb6009c;p=thirdparty%2Fsamba.git ndr: fix coda logic around in ndr_pull_security_ace() Sometimes an access allowed object ACE has unneeded trailing bytes, like this: aces: struct security_ace type : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5) flags : 0x00 (0) 0: SEC_ACE_FLAG_OBJECT_INHERIT 0: SEC_ACE_FLAG_CONTAINER_INHERIT 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0: SEC_ACE_FLAG_INHERIT_ONLY 0: SEC_ACE_FLAG_INHERITED_ACE 0x00: SEC_ACE_FLAG_VALID_INHERIT (0) 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS 0: SEC_ACE_FLAG_FAILED_ACCESS size : 0x0048 (72) access_mask : 0x00000100 (256) object : union security_ace_object_ctr(case 1) object: struct security_ace_object flags : 0x00000001 (1) 1: SEC_ACE_OBJECT_TYPE_PRESENT 0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT type : union security_ace_object_type(case 1) type : edacfd8f-ffb3-11d1-b41d-00a0c968f939 inherited_type : union security_ace_object_inherited_type(case 0) trustee : S-1-3-0 coda : union security_ace_coda(case 5) ignored : DATA_BLOB length=32 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ which we need to pull in order to ignore. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15738 Signed-off-by: Douglas Bagnall Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Thu Feb 13 15:15:40 UTC 2025 on atb-devel-224 (cherry picked from commit 67b09b481b06080d3f46878d60095f188ff18fb8) [bugzilla link added in backport]
---
diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c
index 1a156b01d40..1ac6e66cfe5 100644
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@@ -104,6 +104,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags
 {
 NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
 if (ndr_flags & NDR_SCALARS) {
+ ssize_t sub_size;
 NDR_CHECK(ndr_pull_align(ndr, 5));
 NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type));
 NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags));
@@ -111,12 +112,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags
 NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
 NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, NDR_SCALARS, r));
 NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
- if (!sec_ace_has_extra_blob(r->type)) {
+ sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags);
+ if (sub_size == 0 && !sec_ace_has_extra_blob(r->type)) {
 r->coda.ignored.data = NULL;
 r->coda.ignored.length = 0;
 } else {
 struct ndr_pull *_ndr_coda;
- ssize_t sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags);
 NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_coda, 0, sub_size));
 NDR_CHECK(ndr_pull_set_switch_value(_ndr_coda, &r->coda, r->type));
 NDR_CHECK(ndr_pull_security_ace_coda(_ndr_coda, NDR_SCALARS|NDR_BUFFERS, &r->coda));
diff --git a/selftest/knownfail.d/ndr.sd b/selftest/knownfail.d/ndr.sd
deleted file mode 100644
index fd936a46a5b..00000000000
--- a/selftest/knownfail.d/ndr.sd
+++ /dev/null
@@ -1,3 +0,0 @@
-samba.tests.ndr.sd.samba.tests.ndr.sd.SDTestCase.test_sd_sd_04_object_ace_with_trailing_zeros
-samba.tests.ndr.sd.samba.tests.ndr.sd.SDTestCase.test_sd_sd_07_object_ace_with_trailing_zeros
-samba.tests.ndr.sd.samba.tests.ndr.sd.SDTestCase.test_sd_sd_10_object_ace_with_trailing_zeros
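Review bot: The new test `sub_size == 0` in the second hunk handles only the zero case, although `sub_size` is declared `ssize_t` in the first hunk and is now derived from the wire-supplied `r->size` for every ACE type, not just the blob-carrying ones. If `ndr_subcontext_size_of_ace_coda()` can ever return a negative value (its definition is outside these hunks, so this needs confirming), a non-blob ACE would reach `ndr_pull_subcontext_start(ndr, &_ndr_coda, 0, sub_size)` with that value, where before the change it was short-circuited purely by type. Either make the guard `if (sub_size <= 0 && !sec_ace_has_extra_blob(r->type)) {` or record the helper's non-negative guarantee in a comment beside the call. A short why-comment such as `/* trailing bytes after the trustee must be pulled into coda.ignored so the offset advances by r->size */` would also explain why non-blob types now enter the subcontext path. The body of ndr_pull_security_ace() continues outside the hunk.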