From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 23 Nov 2023 00:03:15 +0000 (+1300)
Subject: libcli/security: comparability check: claim members are of one type
X-Git-Tag: talloc-2.4.2~493
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2eb00c0bba5ed1abaa15c1511c6012da56a78604;p=thirdparty%2Fsamba.git

libcli/security: comparability check: claim members are of one type

We know from the way claims are defined, and from the code that checks
sortedness and sets the flag.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c
index 883eaf94027..319b3ed4217 100644
--- a/libcli/security/conditional_ace.c
+++ b/libcli/security/conditional_ace.c
@@ -1717,7 +1717,18 @@ static bool composite_is_comparable(const struct ace_condition_token *tok,
 	 */
 	size_t i;
 	const struct ace_condition_composite *rc = &comp->data.composite;
-	for (i = 0; i < rc->n_members; i++) {
+	size_t n = rc->n_members;
+
+	if ((comp->flags & CLAIM_SECURITY_ATTRIBUTE_UNIQUE_AND_SORTED) &&
+	    n > 1) {
+		/*
+		 * all members are known to be the same type, so we
+		 * can just check one.
+		 */
+		n = 1;
+	}
+
+	for (i = 0; i < n; i++) {
 		if (! tokens_are_comparable(NULL,
 					    tok,
 					    &rc->tokens[i])) {