packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0031-CVE-2020-25722-s4-dsdb-pwd_hash-password_hash_bypass.patch
haochenstar 8378df4821 fix CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2016-2124,CVE-2021-3738 
(cherry picked from commit aee849c6c0708056f62f6445e3b5274d1cec6408)
2022-01-19 11:41:35 +08:00

71 lines
2.3 KiB
Diff
Raw Blame History

From b8424fad4234fa422436b5a704c017bd9d7e3913 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Wed, 20 Oct 2021 17:19:42 +1300
Subject: [PATCH 171/266] CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass
gets all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict:NA
Reference:https://gitlab.com/samba-team/samba/-/commit/b8424fad4234fa422436b5a704c017bd9d7e3913
---
.../dsdb/samdb/ldb_modules/password_hash.c | 30 ++++++++++++-------
1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index bb437a3b982..5f033f9622b 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -201,6 +201,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r
struct ldb_message_element *nthe;
struct ldb_message_element *lmhe;
struct ldb_message_element *sce;
+ int ret;
switch (request->operation) {
case LDB_ADD:
@@ -214,17 +215,26 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r
}
/* nobody must touch password histories and 'supplementalCredentials' */
- nte = dsdb_get_single_valued_attr(msg, "unicodePwd",
- request->operation);
- lme = dsdb_get_single_valued_attr(msg, "dBCSPwd",
- request->operation);
- nthe = dsdb_get_single_valued_attr(msg, "ntPwdHistory",
- request->operation);
- lmhe = dsdb_get_single_valued_attr(msg, "lmPwdHistory",
- request->operation);
- sce = dsdb_get_single_valued_attr(msg, "supplementalCredentials",
- request->operation);
+#define GET_VALUES(el, attr) do { \
+ ret = dsdb_get_expected_new_values(request, \
+ msg, \
+ attr, \
+ &el, \
+ request->operation); \
+ \
+ if (ret != LDB_SUCCESS) { \
+ return ret; \
+ } \
+} while(0)
+
+ GET_VALUES(nte, "unicodePwd");
+ GET_VALUES(lme, "dBCSPwd");
+ GET_VALUES(nthe, "ntPwdHistory");
+ GET_VALUES(lmhe, "lmPwdHistory");
+ GET_VALUES(sce, "supplementalCredentials");
+
+#undef GET_VALUES
#define CHECK_HASH_ELEMENT(e, min, max) do {\
if (e && e->num_values) { \
unsigned int _count; \
--
2.23.0
Reference in New Issue View Git Blame Copy Permalink