CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 20 Oct 2021 23:52:07 +0000 (12:52 +1300)
committerJule Anger <janger@samba.org>
Tue, 9 Nov 2021 19:45:33 +0000 (19:45 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/samldb.c

index 68304e3fcf55cf1ed885c6efc13fa16155b788c9..fbd163a66035a3f0ffe0730d37964a63b1a2366d 100644 (file)
@@ -4320,6 +4320,9 @@ static int samldb_fsmo_role_owner_check(struct samldb_ctx *ac)
                /* we are not affected */
                return LDB_SUCCESS;
        }
+       if (el->num_values != 1) {
+               goto choose_error_code;
+       }
 
        /* Create a temporary message for fetching the "fSMORoleOwner" */
        tmp_msg = ldb_msg_new(ac->msg);
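Review bot: The new `el->num_values != 1` rejection jumps to choose_error_code without setting an error string, whereas the existing rejection in the next hunk calls ldb_set_errstring() first, so a client sending zero or several fSMORoleOwner values gets LDB_ERR_CONSTRAINT_VIOLATION / LDB_ERR_UNWILLING_TO_PERFORM with either no explanation or a stale one left by an earlier module. I would add, before the goto, `ldb_set_errstring(ldb, "samldb: 'fSMORoleOwner' must have exactly one value!");` — `ldb` is visibly in scope at the later ldb_set_errstring() call, and presumably already here, but the function's prologue (where `el` and `ldb` are obtained) lies outside this hunk, so confirm. Placing the check before ldb_msg_new() is right, since nothing has been allocated yet on this path.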
@@ -4336,11 +4339,7 @@ static int samldb_fsmo_role_owner_check(struct samldb_ctx *ac)
        if (res_dn == NULL) {
                ldb_set_errstring(ldb,
                                  "samldb: 'fSMORoleOwner' attributes have to reference 'nTDSDSA' entries!");
-               if (ac->req->operation == LDB_ADD) {
-                       return LDB_ERR_CONSTRAINT_VIOLATION;
-               } else {
-                       return LDB_ERR_UNWILLING_TO_PERFORM;
-               }
+               goto choose_error_code;
        }
 
        /* Fetched DN has to reference a "nTDSDSA" entry */
@@ -4360,6 +4359,14 @@ static int samldb_fsmo_role_owner_check(struct samldb_ctx *ac)
        talloc_free(res);
 
        return LDB_SUCCESS;
+
+choose_error_code:
+       /* this is just how it is */
+       if (ac->req->operation == LDB_ADD) {
+               return LDB_ERR_CONSTRAINT_VIOLATION;
+       } else {
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
 }
 
 /*
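Review bot: The comment `/* this is just how it is */` on the new choose_error_code label tells a reader nothing about what is being preserved, which matters now that two distinct rejections share it. Since the label merely re-homes the ADD → LDB_ERR_CONSTRAINT_VIOLATION / otherwise → LDB_ERR_UNWILLING_TO_PERFORM mapping that the removed inline code in the previous hunk already used, I would state that: `/* The error code depends on the request: an ADD reports a constraint violation, any other operation (modify) is refused as unwilling-to-perform. Kept as in the original inline checks. */`. If there is a documented reason for the split (e.g. matching another implementation's behaviour), naming it here would be better still, but I cannot tell that from the diff.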