From e223ce4a930d5c90d9effe37ac324ec159b35c9b Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Wed, 22 Nov 2023 16:38:13 +1300
Subject: [PATCH] libcli/security: add_claim_to_token() re-sorts/checks claims

This function is used in tests and fuzzing.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 libcli/security/claims-conversions.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index 214249270d0..770795e29e7 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -693,6 +693,7 @@ bool add_claim_to_token(TALLOC_CTX *mem_ctx,
 const char *claim_type)
 {
 struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 *tmp = NULL;
+ NTSTATUS status;
 uint32_t *n = NULL;
 bool ok;
 struct CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 **list = NULL;
@@ -722,8 +723,19 @@ bool add_claim_to_token(TALLOC_CTX *mem_ctx,
 
 ok = claim_v1_copy(mem_ctx, &tmp[*n], claim);
 if (! ok ) {
+ TALLOC_FREE(tmp);
+ return false;
+ }
+
+ status = claim_v1_check_and_sort(tmp, &tmp[*n],
+ claim->flags & CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("resource attribute claim sort failed with %s\n",
+ nt_errstr(status));
+ TALLOC_FREE(tmp);
 return false;
 }
+
 (*n)++;
 *list = tmp;
 return true;
-- 
2.47.3
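Review bot: Both new failure paths in the second hunk call `TALLOC_FREE(tmp)` and return without touching `*list` or `*n`, so the token can be left pointing at memory that was just freed. This assumes `tmp` is obtained by reallocating `*list` earlier in the function; that line is outside the hunk, but `&tmp[*n]` and the final `*list = tmp;` suggest it. A caller that keeps using or frees the token after a `false` return would then hit a use-after-free or double free, which in a fuzzing harness shows up as a crash unrelated to the input being tested. Either keep the grown array by replacing `TALLOC_FREE(tmp);` with `*list = tmp;` and leaving `*n` unchanged, or free it and reset the token with `*list = NULL; *n = 0;`. The function body starts before and ends after this hunk, so the allocation and the closing brace should be checked against the full file.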