author | Volker Lendecke <vl@samba.org> | 2010-04-29 12:14:08 +0200 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2010-04-29 14:33:08 +0200 |
commit | ca860e4279a247a852f55d5226f916d1e956820a (patch) | |
tree | 80462e4ca48281f874c3c51d34a3baf01694c321 | |
parent | fcdba1b36ffc3cfdeac71863f26a1605d3b24fa5 (diff) | |
s3: range-check idmap script output
Not doing so results in the id mapping succeeding once unchecked and later on
being refused, because when reading from the tdb we do the checks.
-rw-r--r-- | source3/winbindd/idmap_tdb2.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
index 3e2021457a..0925b841ee 100644
--- a/source3/winbindd/idmap_tdb2.c
+++ b/source3/winbindd/idmap_tdb2.c
@@ -718,6 +718,19 @@ static NTSTATUS idmap_tdb2_sid_to_id(struct idmap_tdb2_context *ctx, struct id_m
 goto done;
 }
 
+ /* apply filters before returning result */
+ if ((ctx->filter_low_id
+ && (map->xid.id < ctx->filter_low_id)) ||
+ (ctx->filter_high_id
+ && (map->xid.id > ctx->filter_high_id))) {
+ DEBUG(5, ("Script returned id (%u) out of range "
+ "(%u - %u). Filtered!\n",
+ map->xid.id,
+ ctx->filter_low_id, ctx->filter_high_id));
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
 idstr = talloc_asprintf(tmp_ctx, "%cID %lu",
 map->xid.type == ID_TYPE_UID?'U':'G',
 (unsigned long)map->xid.id); |
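Review bot: The rejection of an out-of-range id from the idmap script is logged only at `DEBUG(5, ...)`, so at lower log levels an administrator never sees that the external script produced a mapping outside the configured range. The script's output is external input and an out-of-range value points to a misconfigured or altered script, so a lower level such as `DEBUG(1, ("Script returned id (%u) out of range "` would make it visible; including the SID being mapped in the message would also help correlation, if it is available at this point (the function body starts and ends outside the hunk). Each bound is also skipped when `ctx->filter_low_id` or `ctx->filter_high_id` is zero, so with no range configured any id the script returns, including 0, passes this check; whether configuration guarantees a range is not visible here and deserves a comment above the `if`.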