CVE-2022-32743 dsdb/modules/acl: Account for sAMAccountName without $
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 7 Jun 2022 05:37:34 +0000 (17:37 +1200)
committerDouglas Bagnall <dbagnall@samba.org>
Thu, 28 Jul 2022 22:47:37 +0000 (22:47 +0000)
If we have an account without a trailing $, we should ensure the
servicePrincipalName matches the entire sAMAccountName. We should not
allow a match against the sAMAccountName prefix of length
strlen(samAccountName) - 1, as that could conflict with a different
account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
source4/dsdb/samdb/ldb_modules/acl.c

index a26d0bab1bdbea10393ae0bd396a367be1efdf99..82f6ec31770ff94ac1e0b57ec3f0fe098c13e8c6 100644 (file)
@@ -543,6 +543,7 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
        char *instanceName;
        char *serviceType;
        char *serviceName;
+       size_t account_name_len;
        const char *forest_name = samdb_forest_name(ldb, mem_ctx);
        const char *base_domain = samdb_default_domain_name(ldb, mem_ctx);
        struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
@@ -616,11 +617,18 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
                        }
                }
        }
+
+       account_name_len = strlen(samAccountName);
+       if (account_name_len && samAccountName[account_name_len - 1] == '$') {
+               /* Account for the '$' character. */
+               --account_name_len;
+       }
+
        /* instanceName can be samAccountName without $ or dnsHostName
         * or "ntds_guid._msdcs.forest_domain for DC objects */
-       if (strlen(instanceName) == (strlen(samAccountName) - 1)
+       if (strlen(instanceName) == account_name_len
            && strncasecmp(instanceName, samAccountName,
-                          strlen(samAccountName) - 1) == 0) {
+                          account_name_len) == 0) {
                goto success;
        }
        if ((dnsHostName != NULL) &&
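Review bot: When samAccountName is exactly "$", the new stripping leaves account_name_len at 0, and the comparison that follows then succeeds for any empty instanceName because `strncasecmp(..., 0)` always returns 0; whether an empty instanceName can reach this point depends on the SPN parsing earlier in acl_validate_spn_value, which is outside the hunk, so this may be unreachable, but the check is cheap to make explicit: `if (account_name_len != 0 && strlen(instanceName) == account_name_len`. The new code also fixes the unsigned underflow the old `strlen(samAccountName) - 1` had for an empty name, which is worth a word in the commit message. The pre-existing comment above the check still reads "samAccountName without $", which no longer describes both cases it now covers; I would change it to `/* instanceName can be samAccountName (with any trailing '$' stripped) or dnsHostName`. The rest of acl_validate_spn_value, including where samAccountName and instanceName are obtained, lies outside the hunk.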