From: Douglas Bagnall Date: Wed, 22 Nov 2023 01:54:25 +0000 (+1300) Subject: libcli/security: int wire claims drop uniqueness check X-Git-Tag: talloc-2.4.2~507 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=08096fd5b40b0759ab086f2c657cca26ce3f9369;p=thirdparty%2Fsamba.git libcli/security: int wire claims drop uniqueness check And we allocate all the values together as an array, because we might as well. This and the next couple of commits might look like steps backwards, and they are, but they allow us to get a run-up to leap over a big fence. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index 1835feba426..6d984da944d 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -771,6 +771,7 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
 {
 const struct CLAIM_INT64 *values = &claim_entry->values.claim_int64;
 uint32_t k;
+ int64_t *claim_values_int64 = NULL;
 n_values = values->value_count;
 value_type = CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64;
@@ -782,31 +783,17 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
 talloc_free(claims);
 return NT_STATUS_NO_MEMORY;
 }
+ claim_values_int64 = talloc_array(claims,
+ int64_t,
+ n_values);
+ if (claim_values_int64 == NULL) {
+ talloc_free(claims);
+ return NT_STATUS_NO_MEMORY;
+ }
 for (k = 0; k < n_values; ++k) {
- int64_t *value = NULL;
- uint32_t m;
-
- /*
- * Ensure that there are no duplicate
- * values (very inefficiently, in
- * O(n²)).
- */
- for (m = 0; m < k; ++m) {
- if (values->values[m] == values->values[k]) {
- talloc_free(claims);
- return NT_STATUS_INVALID_PARAMETER;
- }
- }
-
- value = talloc(claims, int64_t);
- if (value == NULL) {
- talloc_free(claims);
- return NT_STATUS_NO_MEMORY;
- }
-
- *value = values->values[k];
- claim_values[k].int_value = value;
+ claim_values_int64[k] = values->values[k];
+ claim_values[k].int_value = &claim_values_int64[k];
 }
 break;
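Review bot: With the inner `for (m = 0; m < k; ++m)` comparison removed, the copy loop now takes every INT64 value from the wire claim as-is, and nothing in the new code records that duplicates are accepted; the `NT_STATUS_INVALID_PARAMETER` return was the only check on the value list visible in this hunk. The same gap applies to the `uint64_t` branch in the following hunk. The commit message describes this as a deliberate temporary step back, and the knownfail entries added by this commit (duplicate-value comparisons such as `a_equals_a` and `zero_ints`) suggest that conditional ACE evaluation behaves differently for such claims in the meantime. A comment above each loop would keep that visible until the follow-up lands, for example `/* TODO: duplicate values are no longer rejected here; consumers must not assume the values are unique until a later stage checks them. */`. The enclosing function starts and ends outside the hunk, so whether anything later re-validates the values cannot be seen from here.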
@@ -830,30 +818,17 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
 return NT_STATUS_NO_MEMORY;
 }
- for (k = 0; k < n_values; ++k) {
- uint64_t *value = NULL;
- uint32_t m;
-
- /*
- * Ensure that there are no duplicate
- * values (very inefficiently, in
- * O(n²)).
- */
- for (m = 0; m < k; ++m) {
- if (values->values[m] == values->values[k]) {
- talloc_free(claims);
- return NT_STATUS_INVALID_PARAMETER;
- }
- }
-
- value = talloc(claims, uint64_t);
- if (value == NULL) {
- talloc_free(claims);
- return NT_STATUS_NO_MEMORY;
- }
+ claim_values_uint64 = talloc_array(claims,
+ uint64_t,
+ n_values);
+ if (claim_values_uint64 == NULL) {
+ talloc_free(claims);
+ return NT_STATUS_NO_MEMORY;
+ }
- *value = values->values[k];
- claim_values[k].uint_value = value;
+ for (k = 0; k < n_values; ++k) {
+ claim_values_uint64[k] = values->values[k];
+ claim_values[k].uint_value = &claim_values_uint64[k];
 }
 break;
diff --git a/selftest/knownfail.d/krb5-conditional-aces b/selftest/knownfail.d/krb5-conditional-aces
new file mode 100644
index 00000000000..f2a7db49323
--- /dev/null
+++ b/selftest/knownfail.d/krb5-conditional-aces
@@ -0,0 +1,6 @@
+^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_a_1_42_42_42___a_equals_a_\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_a_2_42_42___a_equals_a_\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_0___a_equals_a_\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_false_booleans_6_0_0___false_booleans_\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_zero_ints_1_0_0___zero_ints_\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.+ConditionalAceTests.test_pac_claim_cmp__1_zero_uints_2_0_0___zero_uints_\(ad_dc\)