git.samba.org / metze / samba / wip.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e43ee33)
winbindd: enforce valid SID in add_trusted_domain_from_tdc()
authorRalph Boehme <slow@samba.org>
Fri, 15 Dec 2017 20:09:15 +0000 (21:09 +0100)
committerKarolin Seeger <kseeger@samba.org>
Sat, 13 Jan 2018 11:55:06 +0000 (12:55 +0100)
It's the callers responsibility to ensure we get a valid SID. Adding
half-baked domains with only partially valid data is a recipe for
desaster.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/winbindd/winbindd_util.c patch | blob | history

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 62eff4a563fb2e33e7653e139fb8a4d67eceb03c..cac6ba5373d55528d28014a0a55f70780556faaf 100644 (file)
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -153,7 +153,8 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc)
        const struct dom_sid *sid = &tdc->sid;
 
        if (is_null_sid(sid)) {
-               sid = NULL;
+               DBG_ERR("Got null SID for domain [%s]\n", domain_name);
+               return NULL;
        }
 
        ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
@@ -187,24 +188,12 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc)
                        }
                }
 
-               if (sid != NULL) {
-                       if (dom_sid_equal(sid, &domain->sid)) {
-                               break;
-                       }
+               if (dom_sid_equal(sid, &domain->sid)) {
+                       break;
                }
        }
 
        if (domain != NULL) {
-               /*
-                * We found a match on domain->name or
-                * domain->alt_name. Possibly update the SID
-                * if the stored SID was the NULL SID
-                * and return the matching entry.
-                */
-               if ((sid != NULL)
-                   && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
-                       sid_copy( &domain->sid, sid );
-               }
                return domain;
        }
 
@@ -244,12 +233,10 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc)
        domain->online = is_internal_domain(sid);
        domain->check_online_timeout = 0;
        domain->dc_probe_pid = (pid_t)-1;
-       if (sid != NULL) {
-               sid_copy(&domain->sid, sid);
-       }
        domain->domain_flags = tdc->trust_flags;
        domain->domain_type = tdc->trust_type;
        domain->domain_trust_attribs = tdc->trust_attribs;
+       sid_copy(&domain->sid, sid);
 
        /* Is this our primary domain ? */
        if (role == ROLE_DOMAIN_MEMBER) {
Work in progress branches