From: Douglas Bagnall Date: Wed, 22 Nov 2023 00:17:17 +0000 (+1300) Subject: libcli/security: sddl_conditional_ace: remove check_resource_attr_type() X-Git-Tag: talloc-2.4.2~550 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9ef71399cee31c56c3b390f5d53be930f290f6eb;p=thirdparty%2Fsamba.git libcli/security: sddl_conditional_ace: remove check_resource_attr_type() This is unneeded, as now all the checks are done in the relevant parse_* functions. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index 34ae96d95b9..c3d7f6aee57 100644
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -2854,94 +2854,6 @@ struct ace_condition_script * ace_conditions_compile_sddl(
-static bool check_resource_attr_type(struct ace_condition_token *tok, char c)
-{
- /*
- * Check that a token matches the expected resource ace type (TU, TS,
- * etc).
- *
- * We're sticking to the [IUSDXB] codes rather than using converting
- * earlier to tok->type (whereby this whole thing becomes "if (tok->type
- * == type)") to enable bounds checks on the various integer types.
- */
- switch(c) {
- case 'I':
- /* signed int */
- if (tok->type != CONDITIONAL_ACE_TOKEN_INT64) {
- goto wrong_type;
- }
- return true;
- case 'U':
- /* unsigned int, let's check the range */
- if (tok->type != CONDITIONAL_ACE_TOKEN_INT64) {
- goto wrong_type;
- }
- if (tok->data.int64.value < 0) {
- DBG_WARNING(
- "invalid resource ACE value for unsigned TU\n");
- goto error;
- }
- return true;
- case 'S':
- /* unicode string */
- if (tok->type != CONDITIONAL_ACE_TOKEN_UNICODE) {
- goto wrong_type;
- }
- return true;
- case 'D':
- /* SID */
- if (tok->type != CONDITIONAL_ACE_TOKEN_SID) {
- goto wrong_type;
- }
- return true;
- case 'X':
- /* Octet string */
- if (tok->type != CONDITIONAL_ACE_TOKEN_OCTET_STRING) {
- if (tok->type == CONDITIONAL_ACE_TOKEN_INT64) {
- /*
- * Windows 2022 will also accept even
- * numbers of digits, like "1234"
- * instead of "#1234". Samba does not.
- *
- * Fixing this is complicated by the
- * fact that a leading '0' will have
- * cast the integer to octal, while an
- * A-F character will have caused it
- * to not parse as a literal at all.
- *
- * This behaviour is not mentioned in
- * MS-DTYP or elsewhere.
- */
- DBG_WARNING("Octet sequence uses bare digits, "
- "please prefix a '#'\n");
- }
- goto wrong_type;
- }
- return true;
- case 'B':
- /* Boolean, meaning an int that is 0 or 1 */
- if (tok->type != CONDITIONAL_ACE_TOKEN_INT64) {
- goto wrong_type;
- }
- if (tok->data.int64.value != 0 &&
- tok->data.int64.value != 1) {
- DBG_WARNING("invalid resource ACE value for boolean TB "
- "(should be 0 or 1).\n");
- goto error;
- }
- return true;
- default:
- DBG_WARNING("Unknown resource ACE type T%c\n", c);
- goto error;
- };
- wrong_type:
- DBG_WARNING("resource ace type T%c doesn't match value\n", c);
- error:
- return false;
-}
-
-
-
 static bool parse_resource_attr_list(
 struct ace_condition_sddl_compiler_context *comp,
 char attr_type_char)
@@ -3064,13 +2976,6 @@ static bool parse_resource_attr_list(
 if (*comp->target_len == 0) {
 goto fail;
 }
-
- ok = check_resource_attr_type(
- &comp->target[*comp->target_len - 1],
- attr_type_char);
- if (! ok) {
- goto fail;
- }
 }
 comp->target = old_target;
 comp->target_len = old_target_len;