From: Andreas Schneider Date: Mon, 25 Jun 2012 16:45:35 +0000 (+0200) Subject: s3-lsarpc: Restrict the transport for ncacn_np functions. X-Git-Url: http://git.samba.org/?p=mat%2Fsamba.git;a=commitdiff_plain;h=bbf70e793c7bbb16a0b147a514a9431b13c40e9c s3-lsarpc: Restrict the transport for ncacn_np functions. See MS-LAT, section 2.1 Transport. --- diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c index 6225820a2d..8ffcd13474 100644 --- a/source3/rpc_server/lsa/srv_lsa_nt.c +++ b/source3/rpc_server/lsa/srv_lsa_nt.c @@ -436,6 +436,11 @@ NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p, uint32 acc_granted; NTSTATUS status; + if (p->transport != NCACN_NP && p->transport != NCALRPC) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; + } + /* Work out max allowed. */ map_max_allowed_access(p->session_info->security_token, p->session_info->unix_token, @@ -481,6 +486,8 @@ NTSTATUS _lsa_OpenPolicy(struct pipes_struct *p, { struct lsa_OpenPolicy2 o; + /* _lsa_OpenPolicy2 will check if this is a NCACN_NP connection */ + o.in.system_name = NULL; /* should be ignored */ o.in.attr = r->in.attr; o.in.access_mask = r->in.access_mask; @@ -957,6 +964,11 @@ NTSTATUS _lsa_LookupSids(struct pipes_struct *p, struct lsa_TranslatedName2 *names = NULL; int i; + if (p->transport != NCACN_NP && p->transport != NCALRPC) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; + } + if ((r->in.level < 1) || (r->in.level > 6)) { return NT_STATUS_INVALID_PARAMETER; } @@ -1037,6 +1049,11 @@ NTSTATUS _lsa_LookupSids2(struct pipes_struct *p, struct lsa_TranslatedName2 *names = NULL; bool check_policy = true; + if (p->transport != NCACN_NP && p->transport != NCALRPC) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; + } + switch (p->opnum) { case NDR_LSA_LOOKUPSIDS3: check_policy = false; @@ -1164,6 +1181,11 @@ NTSTATUS _lsa_LookupNames(struct pipes_struct *p, uint32 mapped_count = 0; int flags = 0; + if (p->transport != NCACN_NP && p->transport != NCALRPC) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; + } + if (num_entries > MAX_LOOKUP_SIDS) { num_entries = MAX_LOOKUP_SIDS; DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n", @@ -1239,6 +1261,11 @@ NTSTATUS _lsa_LookupNames2(struct pipes_struct *p, struct lsa_TransSidArray *sid_array = NULL; uint32_t i; + if (p->transport != NCACN_NP && p->transport != NCALRPC) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; + } + sid_array = talloc_zero(p->mem_ctx, struct lsa_TransSidArray); if (!sid_array) { return NT_STATUS_NO_MEMORY; @@ -1295,6 +1322,11 @@ NTSTATUS _lsa_LookupNames3(struct pipes_struct *p, int flags = 0; bool check_policy = true; + if (p->transport != NCACN_NP && p->transport != NCALRPC) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; + } + switch (p->opnum) { case NDR_LSA_LOOKUPNAMES4: check_policy = false; @@ -1406,6 +1438,11 @@ NTSTATUS _lsa_LookupNames4(struct pipes_struct *p, NTSTATUS _lsa_Close(struct pipes_struct *p, struct lsa_Close *r) { + if (p->transport != NCACN_NP && p->transport != NCALRPC) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; + } + if (!find_policy_by_hnd(p, r->in.handle, NULL)) { return NT_STATUS_INVALID_HANDLE; } @@ -2666,6 +2703,11 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p, struct lsa_String *account_name = NULL; struct lsa_String *authority_name = NULL; + if (p->transport != NCACN_NP && p->transport != NCALRPC) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; + } + if (r->in.account_name && *r->in.account_name) { return NT_STATUS_INVALID_PARAMETER;