From c91b81ecc9228be6db6817f876c19b6ba87da4f1 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 7 Feb 2023 09:29:51 +1300
Subject: CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently

It is better to explicitly abort than to dereference a NULL pointer or try to read data cast to the wrong type.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 source4/dsdb/samdb/ldb_modules/acl_read.c | 4 ++--
 source4/dsdb/samdb/ldb_modules/acl_util.c | 2 +-
 source4/dsdb/samdb/ldb_modules/linked_attributes.c | 2 +-
 source4/dsdb/samdb/ldb_modules/password_hash.c | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index b221dcde445..16a1927183c 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -268,7 +268,7 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac,
 struct ldb_message_element *sd_element;
 struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 struct aclread_private *private_data
- = talloc_get_type(ldb_module_get_private(ac->module),
+ = talloc_get_type_abort(ldb_module_get_private(ac->module),
 struct aclread_private);
 enum ndr_err_code ndr_err;
@@ -568,7 +568,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 const struct dsdb_class *objectclass;
 bool suppress_result = false;
- ac = talloc_get_type(req->context, struct aclread_context);
+ ac = talloc_get_type_abort(req->context, struct aclread_context);
 ldb = ldb_module_get_ctx(ac->module);
 if (!ares) {
 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 08a95c1c310..ebaac067b93 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -298,7 +298,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
 sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
 if (sd_control != NULL && sd_control->data != NULL) {
- struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
+ struct ldb_sd_flags_control *sdctr = talloc_get_type_abort(sd_control->data, struct ldb_sd_flags_control);
 sd_flags = sdctr->secinfo_flags;
diff --git a/source4/dsdb/samdb/ldb_modules/linked_attributes.c b/source4/dsdb/samdb/ldb_modules/linked_attributes.c
index 5ef075f2037..317df9d3e0e 100644
--- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c
+++ b/source4/dsdb/samdb/ldb_modules/linked_attributes.c
@@ -104,7 +104,7 @@ static int handle_verify_name_control(TALLOC_CTX *ctx, struct ldb_context *ldb,
 * If we are a GC let's remove the control,
 * if there is a specified GC check that is us.
 */
- struct ldb_verify_name_control *lvnc = (struct ldb_verify_name_control *)control->data;
+ struct ldb_verify_name_control *lvnc = talloc_get_type_abort(control->data, struct ldb_verify_name_control);
 if (samdb_is_gc(ldb)) {
 /* Because we can't easily talloc a struct ldb_dn*/
 struct ldb_dn **dn = talloc_array(ctx, struct ldb_dn *, 1);
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index fb4deeae9f5..da49038d6fc 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -3887,7 +3887,7 @@ static void ph_apply_controls(struct ph_context *ac)
 ctrl = ldb_request_get_control(ac->req, DSDB_CONTROL_PASSWORD_CHANGE_OID);
 if (ctrl != NULL) {
- ac->change = (struct dsdb_control_password_change *) ctrl->data;
+ ac->change = talloc_get_type_abort(ctrl->data, struct dsdb_control_password_change);
 /* Mark the "change" control as uncritical (done) */
 ctrl->critical = false;
-- 
cgit v1.2.1
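Review bot: In dsdb_request_sd_flags() the new `talloc_get_type_abort(sd_control->data, struct ldb_sd_flags_control)` terminates the process whenever the control payload is not a talloc chunk named for that struct, where the old cast silently reinterpreted the bytes. That is the safer failure mode, but it only avoids becoming a denial of service if every producer of an LDB_CONTROL_SD_FLAGS_OID control (the wire decoder and any internal caller that attaches one) allocates the payload with talloc as that type; those producers are outside this hunk, so this should be confirmed rather than assumed. I would record the invariant next to the call, e.g. `/* control data is always a talloc'ed struct ldb_sd_flags_control; anything else is a caller bug and aborts */`. The same applies to the `control->data` conversion in handle_verify_name_control() in linked_attributes.c, whose guarding condition lies outside its hunk.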
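Review bot: ph_apply_controls() tests only `ctrl != NULL` before `talloc_get_type_abort(ctrl->data, struct dsdb_control_password_change)`, so a control that is present with NULL data now aborts, whereas the previous cast simply stored NULL in `ac->change`; the acl_util.c hunk, by contrast, checks `sd_control->data != NULL` first. If a DSDB_CONTROL_PASSWORD_CHANGE_OID control without data is never valid, a one-line comment such as `/* the change control always carries data; NULL here is a programming error */` would make the abort read as a deliberate assertion. If it can occur, the case needs an explicit branch, and since the function returns void that means deciding whether `ac->change` stays NULL or the caller fails the request. The function body extends past the hunk on both sides, so how `ac->change` is consumed later is not visible here.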