summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2011-02-01 14:47:05 +0100
committerStefan Metzmacher <metze@samba.org>2011-02-02 11:58:26 +0100
commit4507d2b9eb2ddabf8b101ed1c744981014298049 (patch)
treec7874173f6e922366233f1dd92cc1dd08acf0a0d
parenta4d4217dfa03bda9ace25bb4f54be5e94c09abbf (diff)
downloadsamba-4507d2b9eb2ddabf8b101ed1c744981014298049.tar.gz
samba-4507d2b9eb2ddabf8b101ed1c744981014298049.tar.bz2
samba-4507d2b9eb2ddabf8b101ed1c744981014298049.zip
s3:rpc_server/netlogon: add _netr_LogonSamLogon_check()
We need to check for invalid parameters before we check for access denied. metze
-rw-r--r--source3/rpc_server/srv_netlog_nt.c101
1 files changed, 87 insertions, 14 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index ff0f72b1a0..11fa9462da 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -1300,6 +1300,65 @@ NTSTATUS _netr_LogonSamLogoff(struct pipes_struct *p,
return status;
}
+static NTSTATUS _netr_LogonSamLogon_check(const struct netr_LogonSamLogonEx *r)
+{
+ switch (r->in.logon_level) {
+ case NetlogonInteractiveInformation:
+ case NetlogonServiceInformation:
+ case NetlogonInteractiveTransitiveInformation:
+ case NetlogonServiceTransitiveInformation:
+ if (r->in.logon->password == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (r->in.validation_level) {
+ case NetlogonValidationSamInfo: /* 2 */
+ case NetlogonValidationSamInfo2: /* 3 */
+ case NetlogonValidationSamInfo4: /* 6 */
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ break;
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation:
+ if (r->in.logon->network == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (r->in.validation_level) {
+ case NetlogonValidationSamInfo: /* 2 */
+ case NetlogonValidationSamInfo2: /* 3 */
+ case NetlogonValidationSamInfo4: /* 6 */
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ break;
+
+ case NetlogonGenericInformation:
+ if (r->in.logon->generic == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (r->in.validation_level) {
+ /* TODO: case NetlogonValidationGenericInfo: 4 */
+ case NetlogonValidationGenericInfo2: /* 5 */
+ break;
+ default:
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return NT_STATUS_OK;
+}
+
/*************************************************************************
_netr_LogonSamLogon_base
*************************************************************************/
@@ -1556,16 +1615,7 @@ NTSTATUS _netr_LogonSamLogonWithFlags(struct pipes_struct *p,
struct netr_LogonSamLogonEx r2;
struct netr_Authenticator return_authenticator;
- become_root();
- status = netr_creds_server_step_check(p, p->mem_ctx,
- r->in.computer_name,
- r->in.credential,
- &return_authenticator,
- &creds);
- unbecome_root();
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ *r->out.authoritative = true;
r2.in.server_name = r->in.server_name;
r2.in.computer_name = r->in.computer_name;
@@ -1577,6 +1627,22 @@ NTSTATUS _netr_LogonSamLogonWithFlags(struct pipes_struct *p,
r2.out.authoritative = r->out.authoritative;
r2.out.flags = r->out.flags;
+ status = _netr_LogonSamLogon_check(&r2);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ &return_authenticator,
+ &creds);
+ unbecome_root();
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
status = _netr_LogonSamLogon_base(p, &r2, creds);
*r->out.return_authenticator = return_authenticator;
@@ -1624,10 +1690,9 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
NTSTATUS status;
struct netlogon_creds_CredentialState *creds = NULL;
- become_root();
- status = schannel_get_creds_state(p->mem_ctx, lp_private_dir(),
- r->in.computer_name, &creds);
- unbecome_root();
+ *r->out.authoritative = true;
+
+ status = _netr_LogonSamLogon_check(r);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -1639,6 +1704,14 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
return NT_STATUS_INVALID_PARAMETER;
}
+ become_root();
+ status = schannel_get_creds_state(p->mem_ctx, lp_private_dir(),
+ r->in.computer_name, &creds);
+ unbecome_root();
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
status = _netr_LogonSamLogon_base(p, r, creds);
TALLOC_FREE(creds);