The branch, master has been updated
via a2d47e989e9 libcli: Speed up sddl_decode_ace()
via b65a4b9c90e libcli: Remove a special case
via 37e7203b0d1 libcli: Simplify sddl_decode_err_msg()
via 4def2a698d6 libcli: README.Coding for dom_sid routines
via e4f57feed07 lib: Simplify security_descriptor_initialise() with a
struct init
from 963d54c8ee2 libcli: Fix a signed/unsigned comparison warning
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a2d47e989e963a1ce2ca04bef379bf4544e9f93c
Author: Volker Lendecke <[email protected]>
Date: Wed Nov 27 17:42:34 2024 +0100
libcli: Speed up sddl_decode_ace()
Factor out talloc-less sddl_transition_decode_sid()
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
Autobuild-User(master): Volker Lendecke <[email protected]>
Autobuild-Date(master): Tue Dec 3 09:03:01 UTC 2024 on atb-devel-224
commit b65a4b9c90e43f2f9a8acfe0b4ed4e9cad5c489d
Author: Volker Lendecke <[email protected]>
Date: Wed Nov 27 16:40:03 2024 +0100
libcli: Remove a special case
dom_sid_parse_endp does accept the lowercase "s" in "s-1-1-0".
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
commit 37e7203b0d1409e1d0a3383fbb3baaddd1b3cf43
Author: Volker Lendecke <[email protected]>
Date: Wed Nov 27 12:37:21 2024 +0100
libcli: Simplify sddl_decode_err_msg()
We have security_descriptor_initialise() for this
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
commit 4def2a698d65875db42177a20feb90edecbcfdf6
Author: Volker Lendecke <[email protected]>
Date: Tue Nov 26 18:02:34 2024 +0100
libcli: README.Coding for dom_sid routines
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
commit e4f57feed07a82276363bd7a77682887b542545d
Author: Volker Lendecke <[email protected]>
Date: Tue Nov 26 14:42:39 2024 +0100
lib: Simplify security_descriptor_initialise() with a struct init
Rely no the default NULL init.
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
libcli/security/dom_sid.c | 28 +++++---
libcli/security/sddl.c | 118 ++++++++++++++++++----------------
libcli/security/security_descriptor.c | 21 +++---
3 files changed, 92 insertions(+), 75 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c
index 21012b70884..04ac6e4cf53 100644
--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -39,20 +39,27 @@ int dom_sid_compare_auth(const struct dom_sid *sid1,
{
int i;
- if (sid1 == sid2)
+ if (sid1 == sid2) {
return 0;
- if (!sid1)
+ }
+
+ if (sid1 == NULL) {
return -1;
- if (!sid2)
+ }
+
+ if (sid2 == NULL) {
return 1;
+ }
- if (sid1->sid_rev_num != sid2->sid_rev_num)
+ if (sid1->sid_rev_num != sid2->sid_rev_num) {
return NUMERIC_CMP(sid1->sid_rev_num, sid2->sid_rev_num);
+ }
- for (i = 0; i < 6; i++)
+ for (i = 0; i < 6; i++) {
if (sid1->id_auth[i] != sid2->id_auth[i]) {
return NUMERIC_CMP(sid1->id_auth[i], sid2->id_auth[i]);
}
+ }
return 0;
}
@@ -65,12 +72,17 @@ int dom_sid_compare(const struct dom_sid *sid1, const
struct dom_sid *sid2)
{
int i;
- if (sid1 == sid2)
+ if (sid1 == sid2) {
return 0;
- if (!sid1)
+ }
+
+ if (sid1 == NULL) {
return -1;
- if (!sid2)
+ }
+
+ if (sid2 == NULL) {
return 1;
+ }
/* Compare most likely different rids, first: i.e start at end */
if (sid1->num_auths != sid2->num_auths) {
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index c0fddb72e5f..215321adb61 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -201,21 +201,21 @@ static const struct {
decode a SID
It can either be a special 2 letter code, or in S-* format
*/
-static struct dom_sid *sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const
char **sddlp,
- struct sddl_transition_state
*state)
+static bool sddl_transition_decode_sid(const char **sddlp,
+ struct sddl_transition_state *state,
+ struct dom_sid *sid)
{
const char *sddl = (*sddlp);
size_t i;
/* see if its in the numeric format */
if (strncasecmp(sddl, "S-", 2) == 0) {
- struct dom_sid *sid = NULL;
- char *sid_str = NULL;
- const char *end = NULL;
- bool ok;
size_t len = strspn(sddl + 2, "-0123456789ABCDEFabcdefxX") + 2;
if (len < 5) { /* S-1-x */
- return NULL;
+ return false;
+ }
+ if (len > DOM_SID_STR_BUFLEN) { /* Invalid SID */
+ return false;
}
if (sddl[len - 1] == 'D' && sddl[len] == ':') {
/*
@@ -226,38 +226,28 @@ static struct dom_sid
*sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const cha
len--;
}
- sid_str = talloc_strndup(mem_ctx, sddl, len);
- if (sid_str == NULL) {
- return NULL;
- }
- if (sid_str[0] == 's') {
- /*
- * In SDDL, but not in the dom_sid parsers, a
- * lowercase "s-1-1-0" is accepted.
- */
- sid_str[0] = 'S';
- }
- sid = talloc(mem_ctx, struct dom_sid);
- if (sid == NULL) {
- TALLOC_FREE(sid_str);
- return NULL;
- };
- ok = dom_sid_parse_endp(sid_str, sid, &end);
- if (!ok) {
- DBG_WARNING("could not parse SID '%s'\n", sid_str);
- TALLOC_FREE(sid_str);
- TALLOC_FREE(sid);
- return NULL;
- }
- if (end - sid_str != len) {
- DBG_WARNING("trailing junk after SID '%s'\n", sid_str);
- TALLOC_FREE(sid_str);
- TALLOC_FREE(sid);
- return NULL;
+ {
+ const char *end = NULL;
+ char sid_str[DOM_SID_STR_BUFLEN + 1];
+ bool ok;
+
+ memcpy(sid_str, sddl, len);
+ sid_str[len] = '\0';
+
+ ok = dom_sid_parse_endp(sid_str, sid, &end);
+ if (!ok) {
+ DBG_WARNING("could not parse SID '%s'\n",
+ sid_str);
+ return false;
+ }
+ if (sid_str + len != end) {
+ DBG_WARNING("trailing junk after SID '%s'\n",
+ sid_str);
+ return false;
+ }
}
- TALLOC_FREE(sid_str);
(*sddlp) += len;
- return sid;
+ return true;
}
/* now check for one of the special codes */
@@ -266,28 +256,46 @@ static struct dom_sid
*sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const cha
}
if (i == ARRAY_SIZE(sid_codes)) {
DEBUG(1,("Unknown sddl sid code '%2.2s'\n", sddl));
- return NULL;
+ return false;
}
(*sddlp) += 2;
if (sid_codes[i].machine_rid != 0) {
- return dom_sid_add_rid(mem_ctx, state->machine_sid,
- sid_codes[i].machine_rid);
+ return sid_compose(sid,
+ state->machine_sid,
+ sid_codes[i].machine_rid);
}
if (sid_codes[i].domain_rid != 0) {
- return dom_sid_add_rid(mem_ctx, state->domain_sid,
- sid_codes[i].domain_rid);
+ return sid_compose(sid,
+ state->domain_sid,
+ sid_codes[i].domain_rid);
}
if (sid_codes[i].forest_rid != 0) {
- return dom_sid_add_rid(mem_ctx, state->forest_sid,
- sid_codes[i].forest_rid);
+ return sid_compose(sid,
+ state->forest_sid,
+ sid_codes[i].forest_rid);
}
- return dom_sid_parse_talloc(mem_ctx, sid_codes[i].sid);
+ return dom_sid_parse(sid_codes[i].sid, sid);
+}
+
+static struct dom_sid *sddl_transition_decode_sid_talloc(
+ TALLOC_CTX *mem_ctx,
+ const char **sddlp,
+ struct sddl_transition_state *state)
+{
+ struct dom_sid sid;
+ bool ok;
+
+ ok = sddl_transition_decode_sid(sddlp, state, &sid);
+ if (!ok) {
+ return NULL;
+ }
+ return dom_sid_dup(mem_ctx, &sid);
}
struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
@@ -303,7 +311,8 @@ struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const
char **sddlp,
.domain_sid = domain_sid,
.forest_sid = domain_sid,
};
- return sddl_transition_decode_sid(mem_ctx, sddlp, &state);
+
+ return sddl_transition_decode_sid_talloc(mem_ctx, sddlp, &state);
}
@@ -528,7 +537,6 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
const char *tok[7];
const char *s;
uint32_t v;
- struct dom_sid *sid;
bool ok;
size_t len;
size_t count = 0;
@@ -682,16 +690,14 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx,
/* trustee */
s = tok[5];
- sid = sddl_transition_decode_sid(mem_ctx, &s, state);
- if (sid == NULL) {
+ ok = sddl_transition_decode_sid(&s, state, &ace->trustee);
+ if (!ok) {
*msg = talloc_strdup(
mem_ctx,
"could not parse trustee SID");
*msg_offset = tok[5] - *sddl_copy;
return false;
}
- ace->trustee = *sid;
- talloc_free(sid);
if (*s != '\0') {
*msg = talloc_strdup(
mem_ctx,
@@ -923,12 +929,10 @@ struct security_descriptor
*sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char
*msg = NULL;
*msg_offset = 0;
- sd = talloc_zero(mem_ctx, struct security_descriptor);
+ sd = security_descriptor_initialise(mem_ctx);
if (sd == NULL) {
return NULL;
}
- sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
- sd->type = SEC_DESC_SELF_RELATIVE;
while (*sddl) {
uint32_t flags;
@@ -957,12 +961,14 @@ struct security_descriptor
*sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char
break;
case 'O':
if (sd->owner_sid != NULL) goto failed;
- sd->owner_sid = sddl_transition_decode_sid(sd, &sddl,
&state);
+ sd->owner_sid = sddl_transition_decode_sid_talloc(
+ sd, &sddl, &state);
if (sd->owner_sid == NULL) goto failed;
break;
case 'G':
if (sd->group_sid != NULL) goto failed;
- sd->group_sid = sddl_transition_decode_sid(sd, &sddl,
&state);
+ sd->group_sid = sddl_transition_decode_sid_talloc(
+ sd, &sddl, &state);
if (sd->group_sid == NULL) goto failed;
break;
default:
diff --git a/libcli/security/security_descriptor.c
b/libcli/security/security_descriptor.c
index c550d6ed751..a7159e7da7e 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -34,18 +34,17 @@ struct security_descriptor
*security_descriptor_initialise(TALLOC_CTX *mem_ctx)
if (!sd) {
return NULL;
}
+ *sd = (struct security_descriptor){
+ .revision = SD_REVISION,
- sd->revision = SD_REVISION;
- /* we mark as self relative, even though it isn't while it remains
- a pointer in memory because this simplifies the ndr code later.
- All SDs that we store/emit are in fact SELF_RELATIVE
- */
- sd->type = SEC_DESC_SELF_RELATIVE;
-
- sd->owner_sid = NULL;
- sd->group_sid = NULL;
- sd->sacl = NULL;
- sd->dacl = NULL;
+ /*
+ * we mark as self relative, even though it isn't
+ * while it remains a pointer in memory because this
+ * simplifies the ndr code later. All SDs that we
+ * store/emit are in fact SELF_RELATIVE
+ */
+ .type = SEC_DESC_SELF_RELATIVE,
+ };
return sd;
}
--
Samba Shared Repository
