diff options
author | Volker Lendecke <vl@samba.org> | 2009-09-27 12:47:24 +0200 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2009-09-28 17:54:20 +0200 |
commit | dc8538b405c506c7a84682b2bb984dc01a05b8f9 (patch) | |
tree | d7a7d0c332cf19e4e80091ffd622e1629b298223 | |
parent | f18d0b036c00ff24f082855a4fbb28681c39de70 (diff) | |
download | samba-dc8538b405c506c7a84682b2bb984dc01a05b8f9.tar.gz samba-dc8538b405c506c7a84682b2bb984dc01a05b8f9.tar.bz2 samba-dc8538b405c506c7a84682b2bb984dc01a05b8f9.zip |
s3:winbind: Make check_info3_in_group, sanitize its memory handling
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 36 | ||||
-rw-r--r-- | source3/winbindd/winbindd_proto.h | 2 |
2 files changed, 23 insertions, 15 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 5e0bc9d00d..b58a9dae15 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -231,9 +231,8 @@ static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, - struct netr_SamInfo3 *info3, - const char *group_sid) +NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3, + const char *group_sid) /** * Check whether a user belongs to a group or list of groups. * @@ -253,7 +252,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, DOM_SID sid; size_t i; struct nt_user_token *token; - TALLOC_CTX *frame = NULL; + TALLOC_CTX *frame = talloc_stackframe(); NTSTATUS status; /* Parse the 'required group' SID */ @@ -263,8 +262,10 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } - if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) { + token = talloc_zero(talloc_tos(), struct nt_user_token); + if (token == NULL) { DEBUG(0, ("talloc failed\n")); + TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } @@ -273,8 +274,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, p = group_sid; - frame = talloc_stackframe(); - while (next_token_talloc(frame, &p, &req_sid, ",")) { + while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) { if (!string_to_sid(&sid, req_sid)) { DEBUG(0, ("check_info3_in_group: could not parse %s " "as a SID!", req_sid)); @@ -282,7 +282,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - status = add_sid_to_array(mem_ctx, &sid, + status = add_sid_to_array(talloc_tos(), &sid, &require_membership_of_sid, &num_require_membership_of_sid); if (!NT_STATUS_IS_OK(status)) { @@ -292,13 +292,12 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, } } - TALLOC_FREE(frame); - - status = sid_array_from_info3(mem_ctx, info3, + status = sid_array_from_info3(talloc_tos(), info3, &token->user_sids, &token->num_sids, true, false); if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); return status; } @@ -308,6 +307,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, token))) { DEBUG(3, ("could not add aliases: %s\n", nt_errstr(status))); + TALLOC_FREE(frame); return status; } @@ -319,12 +319,14 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, if (nt_token_check_sid(&require_membership_of_sid[i], token)) { DEBUG(10, ("Access ok\n")); + TALLOC_FREE(frame); return NT_STATUS_OK; } } /* Do not distinguish this error from a wrong username/pw */ + TALLOC_FREE(frame); return NT_STATUS_LOGON_FAILURE; } @@ -1628,8 +1630,10 @@ process_result: /* Check if the user is in the right group */ - if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3, - state->request->data.auth.require_membership_of_sid))) { + result = check_info3_in_group( + info3, + state->request->data.auth.require_membership_of_sid); + if (!NT_STATUS_IS_OK(result)) { DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n", state->request->data.auth.user, state->request->data.auth.require_membership_of_sid)); @@ -1952,8 +1956,10 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, /* Check if the user is in the right group */ - if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3, - state->request->data.auth_crap.require_membership_of_sid))) { + result = check_info3_in_group( + info3, + state->request->data.auth_crap.require_membership_of_sid); + if (!NT_STATUS_IS_OK(result)) { DEBUG(3, ("User %s is not in the required group (%s), so " "crap authentication is rejected\n", state->request->data.auth_crap.user, diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index dc5650165b..307225877f 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -497,6 +497,8 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr, bool check_request_flags(uint32_t flags); struct winbindd_domain *find_auth_domain(uint8_t flags, const char *domain_name); +NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3, + const char *group_sid); NTSTATUS append_auth_data(struct winbindd_cli_state *state, struct netr_SamInfo3 *info3, const char *name_domain, |