From c64b48b2b2652d6a8241105d570904219a98d226 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 2 Mar 2023 16:31:17 +1300
Subject: [PATCH] CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED

This will allow our dsdb helper search functions to mark the new
request as untrusted, forcing read ACL evaluation (per current behaviour).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

[abartlet@samba.org adapted due to Samba 4.16 and lower
 not having the patches for CVE-2022-32743]
---
 source4/dsdb/common/util.c | 4 ++++
 source4/dsdb/common/util.h | 1 +
 2 files changed, 5 insertions(+)

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 1436cd7bfec..c261aee3e59 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -4606,6 +4606,10 @@ int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags)
 		}
 	}
 
+	if (dsdb_flags & DSDB_MARK_REQ_UNTRUSTED) {
+		ldb_req_mark_untrusted(req);
+	}
+
 	return LDB_SUCCESS;
 }
 
diff --git a/source4/dsdb/common/util.h b/source4/dsdb/common/util.h
index e1854644d53..5bb96d60b3c 100644
--- a/source4/dsdb/common/util.h
+++ b/source4/dsdb/common/util.h
@@ -43,6 +43,7 @@
 #define DSDB_MODIFY_PARTIAL_REPLICA	      0x04000
 #define DSDB_PASSWORD_BYPASS_LAST_SET         0x08000
 #define DSDB_REPLMD_VANISH_LINKS              0x10000
+#define DSDB_MARK_REQ_UNTRUSTED               0x20000
 
 bool is_attr_in_list(const char * const * attrs, const char *attr);
 
-- 
2.47.2