From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 2 Nov 2023 02:41:33 +0000 (+1300)
Subject: libcli/security: conditional ACE sid parser no longer expects RA ACEs
X-Git-Tag: talloc-2.4.2~546
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dc60891de9f1d4341b38e71c630c2fd70f900f11;p=thirdparty%2Fsamba.git

libcli/security: conditional ACE sid parser no longer expects RA ACEs

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c
index dbe7057c42b..4909f64b830 100644
--- a/libcli/security/sddl_conditional_ace.c
+++ b/libcli/security/sddl_conditional_ace.c
@@ -2041,43 +2041,20 @@ static bool parse_sid(struct ace_condition_sddl_compiler_context *comp)
 	const uint8_t *sidstr = NULL;
 	struct ace_condition_token token = {};
 	size_t end;
-	bool expecting_bare_sids =
-		comp->state & SDDL_FLAG_IS_RESOURCE_ATTR_ACE ? true : false;
-
-	if ((comp->state & SDDL_FLAG_EXPECTING_LITERAL) == 0) {
-		comp_error(comp, "did not expect a SID here");
+	if (comp->length - comp->offset < 7) {
+		/* minimum: "SID(AA)" */
+		comp_error(comp, "no room for a complete SID");
 		return false;
 	}
-	if (expecting_bare_sids) {
-		/*
-		 *  This flag is set for a resource ACE which doesn't have the
-		 *  SID() wrapper around the SID string, and not for a
-		 *  conditional ACE, which must have the "SID(...)".
-		 *
-		 * The resource ACE doesn't need this because there is no
-		 * ambiguity with local attribute names, besides which the
-		 * type has already been specified earlier in the ACE.
-		 */
-		if (comp->length - comp->offset < 2){
-			comp_error(comp, "no room for a complete SID");
-			return false;
-		}
+	/* conditional ACE SID string */
+	if (comp->sddl[comp->offset    ] != 'S' ||
+	    comp->sddl[comp->offset + 1] != 'I' ||
+	    comp->sddl[comp->offset + 2] != 'D' ||
+	    comp->sddl[comp->offset + 3] != '(') {
+		comp_error(comp, "malformed SID() constructor");
+		return false;
 	} else {
-		if (comp->length - comp->offset < 7){
-			/* minimum: "SID(AA)" */
-			comp_error(comp, "no room for a complete SID");
-			return false;
-		}
-		/* conditional ACE SID string */
-		if (comp->sddl[comp->offset    ] != 'S' ||
-		    comp->sddl[comp->offset + 1] != 'I' ||
-		    comp->sddl[comp->offset + 2] != 'D' ||
-		    comp->sddl[comp->offset + 3] != '(') {
-			comp_error(comp, "malformed SID() constructor");
-			return false;
-		} else {
-			comp->offset += 4;
-		}
+		comp->offset += 4;
 	}
 
 	sidstr = comp->sddl + comp->offset;
@@ -2096,19 +2073,16 @@ static bool parse_sid(struct ace_condition_sddl_compiler_context *comp)
 		return false;
 	}
 	comp->offset = end;
-	if (expecting_bare_sids) {
-		/* no trailing ')' in a resource attribute ACE */
-	} else {
-		/*
-		 * offset is now at the end of the SID, but we need to account
-		 * for the ')'.
-		 */
-		if (comp->sddl[comp->offset] != ')') {
-			comp_error(comp, "expected ')' to follow SID");
-			return false;
-		}
-		comp->offset++;
+	/*
+	 * offset is now at the end of the SID, but we need to account
+	 * for the ')'.
+	 */
+	if (comp->sddl[comp->offset] != ')') {
+		comp_error(comp, "expected ')' to follow SID");
+		return false;
 	}
+	comp->offset++;
+
 	token.type = CONDITIONAL_ACE_TOKEN_SID;
 	token.data.sid.sid = *sid;
 	return write_sddl_token(comp, token);