samba/CVE-2018-1057-3.patch

From 783a863a53e31e1a0e7c507fa841c43320ecae75 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 15 Feb 2018 14:40:59 +0100
Subject: [PATCH 03/13] CVE-2018-1057: s4:dsdb/password_hash: add a helper
 variable for passwordAttr->num_values

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source4/dsdb/samdb/ldb_modules/password_hash.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c
===================================================================
--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/password_hash.c	2018-03-06 16:46:38.333256918 +0100
+++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c	2018-03-06 16:46:38.329256885 +0100
@@ -3153,6 +3153,7 @@ static int password_hash_modify(struct l
 
 		while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) {
 			unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags);
+			unsigned int nvalues = passwordAttr->num_values;
 
 			if (mtype == LDB_FLAG_MOD_DELETE) {
 				++del_attr_cnt;
@@ -3163,18 +3164,14 @@ static int password_hash_modify(struct l
 			if (mtype == LDB_FLAG_MOD_REPLACE) {
 				++rep_attr_cnt;
 			}
-			if ((passwordAttr->num_values != 1) &&
-			    (mtype == LDB_FLAG_MOD_ADD))
-			{
+			if ((nvalues != 1) && (mtype == LDB_FLAG_MOD_ADD)) {
 				talloc_free(ac);
 				ldb_asprintf_errstring(ldb,
 						       "'%s' attribute must have exactly one value on add operations!",
 						       *l);
 				return LDB_ERR_CONSTRAINT_VIOLATION;
 			}
-			if ((passwordAttr->num_values > 1) &&
-			    (mtype == LDB_FLAG_MOD_DELETE))
-			{
+			if ((nvalues > 1) && (mtype == LDB_FLAG_MOD_DELETE)) {
 				talloc_free(ac);
 				ldb_asprintf_errstring(ldb,
 						       "'%s' attribute must have zero or one value(s) on delete operations!",