s3: range-check idmap script output
authorVolker Lendecke <vl@samba.org>
Thu, 29 Apr 2010 10:14:08 +0000 (12:14 +0200)
committerVolker Lendecke <vl@samba.org>
Thu, 29 Apr 2010 12:35:25 +0000 (14:35 +0200)
Not doing so results in the id mapping succeeding once unchecked and later on
being refused, because when reading from the tdb we do the checks.

source3/winbindd/idmap_tdb2.c

index 3e2021457a906d7978ae0bc499b0d7600e83a2cc..0925b841ee227be36208b9d50e3406124b8d1989 100644 (file)
@@ -718,6 +718,19 @@ static NTSTATUS idmap_tdb2_sid_to_id(struct idmap_tdb2_context *ctx, struct id_m
                        goto done;
                }
 
+               /* apply filters before returning result */
+               if ((ctx->filter_low_id
+                    && (map->xid.id < ctx->filter_low_id)) ||
+                   (ctx->filter_high_id
+                    && (map->xid.id > ctx->filter_high_id))) {
+                       DEBUG(5, ("Script returned id (%u) out of range "
+                                 "(%u - %u). Filtered!\n",
+                                 map->xid.id,
+                                 ctx->filter_low_id, ctx->filter_high_id));
+                       ret = NT_STATUS_NONE_MAPPED;
+                       goto done;
+               }
+
                idstr = talloc_asprintf(tmp_ctx, "%cID %lu",
                                        map->xid.type == ID_TYPE_UID?'U':'G',
                                        (unsigned long)map->xid.id);
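Review bot: The new rejection message is logged only at `DEBUG(5, ...)` and does not name the SID being mapped, so an idmap script that returns ids outside the configured range (through misconfiguration or tampering) is unlikely to be noticed in a production log. Consider a level that is logged by default and adding the SID, e.g. `DEBUG(1, ("Script returned id (%u) for %s out of range (%u - %u). Filtered!\n", map->xid.id, sid_string_dbg(map->sid), ctx->filter_low_id, ctx->filter_high_id));`, assuming `map->sid` is populated at this point, which the hunk does not show. Each bound is also enforced only when it is non-zero, so if neither `filter_low_id` nor `filter_high_id` is set, the script's id (including 0) is written to the tdb unchecked. Whether context setup guarantees a range is outside this hunk, so a short comment stating that assumption would help. The body of `idmap_tdb2_sid_to_id` starts and ends outside the hunk.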