aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRalph Boehme <slow@samba.org>2018-02-15 23:11:38 +0100
committerKarolin Seeger <kseeger@samba.org>2018-03-12 10:05:43 +0100
commit8300e8e8c5f94fd1873cd856bdd83f89cb771de1 (patch)
treedd5bfd186293cc42650e33197cf9bda2bbf87568
parentc1de637a37121d0e28d502d8b2ef507e7e8dd57f (diff)
downloadsamba-8300e8e8c5f94fd1873cd856bdd83f89cb771de1.tar.gz
samba-8300e8e8c5f94fd1873cd856bdd83f89cb771de1.tar.xz
samba-8300e8e8c5f94fd1873cd856bdd83f89cb771de1.zip
CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control
This is not strictly needed to fig bug 13272, but it makes sense to also fix this while fixing the overall ACL checking logic. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9b4be7b6909..d750362c47f 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -971,7 +971,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
struct ldb_message *msg;
struct ldb_control *c = NULL;
const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
- "unicodePwd", "dBCSPwd", NULL }, **l;
+ "unicodePwd", NULL }, **l;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
struct dsdb_control_password_acl_validation *pav = NULL;
@@ -1031,6 +1031,15 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
goto checked;
}
+ el = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
+ if (el != NULL) {
+ /*
+ * dBCSPwd is only allowed with a control.
+ */
+ talloc_free(tmp_ctx);
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
if (msg == NULL) {
return ldb_module_oom(module);