From: Andreas Schneider <asn@samba.org>
Date: Tue, 24 May 2022 07:54:18 +0000 (+0200)
Subject: CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
X-Git-Tag: samba-4.17.0rc1~286
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=23a03911a7fd65d4c2f0e6f2c7da646d079b2923;p=thirdparty%2Fsamba.git

CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 95cbf90d3f5..ab6cbc73f95 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -917,6 +917,14 @@ static int principal_comp_strcmp(krb5_context context,
 					 component, string, false);
 }
 
+static bool is_kadmin_changepw(krb5_context context,
+			       krb5_const_principal principal)
+{
+	return krb5_princ_size(context, principal) == 2 &&
+		(principal_comp_strcmp(context, principal, 0, "kadmin") == 0) &&
+		(principal_comp_strcmp(context, principal, 1, "changepw") == 0);
+}
+
 /*
  * Construct an hdb_entry from a directory entry.
  */
@@ -1221,11 +1229,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		 * 'change password', as otherwise we could get into
 		 * trouble, and not enforce the password expirty.
 		 * Instead, only do it when request is for the kpasswd service */
-		if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER
-		    && krb5_princ_size(context, principal) == 2
-		    && (principal_comp_strcmp(context, principal, 0, "kadmin") == 0)
-		    && (principal_comp_strcmp(context, principal, 1, "changepw") == 0)
-		    && lpcfg_is_my_domain_or_realm(lp_ctx, realm)) {
+		if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER &&
+		    is_kadmin_changepw(context, principal) &&
+		    lpcfg_is_my_domain_or_realm(lp_ctx, realm)) {
 			entry->flags.change_pw = 1;
 		}