From 2b4f97249f35a2c4e1f0ece052afff443f9f1b60 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Fri, 10 Nov 2023 11:33:56 +1300
Subject: [PATCH] libcli/security:sddl_parse: add some top level error messages
the way we parse things, we can't really distinguish between complete nonsense and an ACL that seems to end early because of bad flags. That is, "D:ZZ(A;;;;;WD)" looks the same as "ZZ" to the parser. But at least we can point to the right place in the string.
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 libcli/security/sddl.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 80db182ff9c..898725bd4cd 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -916,8 +916,12 @@ struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char
 while (*sddl) {
 uint32_t flags;
 char c = sddl[0];
- if (sddl[1] != ':') goto failed;
-
+ if (sddl[1] != ':') {
+ *msg = talloc_strdup(mem_ctx,
+ "expected '[OGDS]:' section start "
+ "(or the previous section ended prematurely)");
+ goto failed;
+ }
 sddl += 2;
 switch (c) {
 case 'D':
@@ -945,6 +949,7 @@ struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char
 if (sd->group_sid == NULL) goto failed;
 break;
 default:
+ *msg = talloc_strdup(mem_ctx, "unexpected character (expected [OGDS])");
 goto failed;
 }
 }
-- 
2.47.3
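Review bot: The result of `talloc_strdup()` in the new `sddl[1] != ':'` branch is not checked, so an allocation failure leaves `*msg` without a message. Other exits this patch keeps, such as `if (sd->group_sid == NULL) goto failed;` in the second hunk, also set no message unless the helper before them does. Callers therefore cannot assume a non-NULL message on failure, and I would say so on the function, e.g. `/* On failure *msg may still be NULL; check it before printing. */`. The write through `msg` also presumes the pointer was validated before the loop; that code, like the start and end of sddl_decode_err_msg, is outside this hunk.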
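Review bot: In the `default:` branch the message is set after `sddl += 2` (first hunk) has already run. If the reported error position is derived from `sddl` at the `failed` label, it will land two characters past the letter the message complains about, whereas the `sddl[1] != ':'` failure leaves `sddl` on the section start. Stepping back before the jump, `sddl -= 2;` ahead of `goto failed;`, would keep the message and the position on the same character. The `failed` label and the offset computation are outside this hunk, so this needs confirming there.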