authorVolker Lendecke <vl@samba.org>2009-09-27 12:47:24 +0200
committerVolker Lendecke <vl@samba.org>2009-09-28 17:54:20 +0200
commitdc8538b405c506c7a84682b2bb984dc01a05b8f9 (patch)
treed7a7d0c332cf19e4e80091ffd622e1629b298223
parentf18d0b036c00ff24f082855a4fbb28681c39de70 (diff)
downloadsamba-dc8538b405c506c7a84682b2bb984dc01a05b8f9.tar.gz
samba-dc8538b405c506c7a84682b2bb984dc01a05b8f9.tar.bz2
samba-dc8538b405c506c7a84682b2bb984dc01a05b8f9.zip
s3:winbind: Make check_info3_in_group, sanitize its memory handling
-rw-r--r--source3/winbindd/winbindd_pam.c36
-rw-r--r--source3/winbindd/winbindd_proto.h2
2 files changed, 23 insertions, 15 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 5e0bc9d00d..b58a9dae15 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -231,9 +231,8 @@ static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
-static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *info3,
- const char *group_sid)
+NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
+ const char *group_sid)
/**
* Check whether a user belongs to a group or list of groups.
*
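Review bot: The doc comment that follows the new signature may still describe the `mem_ctx` parameter that this hunk removes; only its first lines are visible, so this needs confirming, but if a `@param mem_ctx` line remains it should be dropped now that the function is exported through winbindd_proto.h. A sentence such as `Allocates on its own talloc stackframe; callers need not supply a memory context.` would also tell readers of the new public prototype what changed. The function body continues past the hunk.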
@@ -253,7 +252,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
DOM_SID sid;
size_t i;
struct nt_user_token *token;
- TALLOC_CTX *frame = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status;
/* Parse the 'required group' SID */
@@ -263,8 +262,10 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
- if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
+ token = talloc_zero(talloc_tos(), struct nt_user_token);
+ if (token == NULL) {
DEBUG(0, ("talloc failed\n"));
+ TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
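Review bot: The early `return NT_STATUS_OK;` at the top of this hunk now exits without freeing `frame`, because the previous hunk moves `talloc_stackframe()` up to the declaration, whereas before the change the frame was only created later, just before the SID parsing loop. A stackframe that is not freed stays pushed until an enclosing frame is freed, so every exit after the declaration has to release it; add `TALLOC_FREE(frame);` before that return. The two error returns inside the parsing loop (`NT_STATUS_INVALID_PARAMETER` and the `add_sid_to_array` failure) sit outside the visible context; they appear to have freed `frame` before the change, but should be checked for the same reason.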
@@ -273,8 +274,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
p = group_sid;
- frame = talloc_stackframe();
- while (next_token_talloc(frame, &p, &req_sid, ",")) {
+ while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
if (!string_to_sid(&sid, req_sid)) {
DEBUG(0, ("check_info3_in_group: could not parse %s "
"as a SID!", req_sid));
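Review bot: The allocation in this hunk passes `talloc_tos()` although the function holds its frame in the local `frame`, and the same applies to `talloc_zero` in the previous hunk and to the `add_sid_to_array` and `sid_array_from_info3` calls in the two that follow. This is a point of style, but `talloc_tos()` resolves to whichever stackframe was pushed most recently, so the code stays correct only while no callee leaves a frame pushed in between, and it hides the ownership relation a reader needs in order to verify the `TALLOC_FREE(frame)` calls. Passing the frame explicitly, `while (next_token_talloc(frame, &p, &req_sid, ",")) {`, makes the lifetime visible and ties each allocation to the object freed on every exit. The loop body continues beyond the hunk.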
@@ -282,7 +282,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- status = add_sid_to_array(mem_ctx, &sid,
+ status = add_sid_to_array(talloc_tos(), &sid,
&require_membership_of_sid,
&num_require_membership_of_sid);
if (!NT_STATUS_IS_OK(status)) {
@@ -292,13 +292,12 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
}
}
- TALLOC_FREE(frame);
-
- status = sid_array_from_info3(mem_ctx, info3,
+ status = sid_array_from_info3(talloc_tos(), info3,
&token->user_sids,
&token->num_sids,
true, false);
if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
return status;
}
@@ -308,6 +307,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
token))) {
DEBUG(3, ("could not add aliases: %s\n",
nt_errstr(status)));
+ TALLOC_FREE(frame);
return status;
}
@@ -319,12 +319,14 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
if (nt_token_check_sid(&require_membership_of_sid[i],
token)) {
DEBUG(10, ("Access ok\n"));
+ TALLOC_FREE(frame);
return NT_STATUS_OK;
}
}
/* Do not distinguish this error from a wrong username/pw */
+ TALLOC_FREE(frame);
return NT_STATUS_LOGON_FAILURE;
}
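Review bot: With the frame now created at declaration, this hunk and the earlier ones repeat `TALLOC_FREE(frame);` before each of six separate returns, which is exactly the pattern that let the early `return NT_STATUS_OK` near the top of the function go unfreed. A single exit label that frees the frame and returns `status` would make the invariant hold structurally, with every failure path in the other hunks becoming `status = ...; goto done;` instead of a free plus return. The enclosing `for` loop starts outside the hunk; only its body and the function tail are shown below.
```c
		if (nt_token_check_sid(&require_membership_of_sid[i],
				       token)) {
			DEBUG(10, ("Access ok\n"));
			status = NT_STATUS_OK;
			goto done;
		}
	}

	/* Do not distinguish this error from a wrong username/pw */
	status = NT_STATUS_LOGON_FAILURE;
done:
	TALLOC_FREE(frame);
	return status;
```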
@@ -1628,8 +1630,10 @@ process_result:
/* Check if the user is in the right group */
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
- state->request->data.auth.require_membership_of_sid))) {
+ result = check_info3_in_group(
+ info3,
+ state->request->data.auth.require_membership_of_sid);
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request->data.auth.user,
state->request->data.auth.require_membership_of_sid));
@@ -1952,8 +1956,10 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
/* Check if the user is in the right group */
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
- state->request->data.auth_crap.require_membership_of_sid))) {
+ result = check_info3_in_group(
+ info3,
+ state->request->data.auth_crap.require_membership_of_sid);
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("User %s is not in the required group (%s), so "
"crap authentication is rejected\n",
state->request->data.auth_crap.user,
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index dc5650165b..307225877f 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -497,6 +497,8 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
bool check_request_flags(uint32_t flags);
struct winbindd_domain *find_auth_domain(uint8_t flags,
const char *domain_name);
+NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
+ const char *group_sid);
NTSTATUS append_auth_data(struct winbindd_cli_state *state,
struct netr_SamInfo3 *info3,
const char *name_domain,