From 783a863a53e31e1a0e7c507fa841c43320ecae75 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Thu, 15 Feb 2018 14:40:59 +0100
Subject: [PATCH 03/13] CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
---
 source4/dsdb/samdb/ldb_modules/password_hash.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c
===================================================================
--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/password_hash.c 2018-03-06 16:46:38.333256918 +0100
+++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c 2018-03-06 16:46:38.329256885 +0100
@@ -3153,6 +3153,7 @@ static int password_hash_modify(struct l
 while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) {
 unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags);
+ unsigned int nvalues = passwordAttr->num_values;
 if (mtype == LDB_FLAG_MOD_DELETE) {
 ++del_attr_cnt;
@@ -3163,18 +3164,14 @@ static int password_hash_modify(struct l
 if (mtype == LDB_FLAG_MOD_REPLACE) {
 ++rep_attr_cnt;
 }
- if ((passwordAttr->num_values != 1) &&
- (mtype == LDB_FLAG_MOD_ADD))
- {
+ if ((nvalues != 1) && (mtype == LDB_FLAG_MOD_ADD)) {
 talloc_free(ac);
 ldb_asprintf_errstring(ldb,
 "'%s' attribute must have exactly one value on add operations!",
 *l);
 return LDB_ERR_CONSTRAINT_VIOLATION;
 }
- if ((passwordAttr->num_values > 1) &&
- (mtype == LDB_FLAG_MOD_DELETE))
- {
+ if ((nvalues > 1) && (mtype == LDB_FLAG_MOD_DELETE)) {
 talloc_free(ac);
 ldb_asprintf_errstring(ldb,
 "'%s' attribute must have zero or one value(s) on delete operations!",
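Review bot: In the second hunk the value count is constrained for `LDB_FLAG_MOD_ADD` (exactly one) and `LDB_FLAG_MOD_DELETE` (at most one), but the `LDB_FLAG_MOD_REPLACE` branch only increments `rep_attr_cnt` and has no visible constraint on `nvalues`. If that asymmetry is intentional, a comment next to the REPLACE branch would stop a later reader from assuming all three modification types are validated here, for example `/* REPLACE: value count is not constrained at this point */`. Since `nvalues` is a snapshot that is never reassigned in the visible lines, declaring it `const unsigned int nvalues = passwordAttr->num_values;` would also make that explicit. `password_hash_modify` starts and ends outside these hunks, so a REPLACE check may exist further down.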