author | Volker Lendecke <vl@samba.org> | 2010-04-29 12:14:08 +0200 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2010-04-29 14:33:08 +0200 |
commit | ca860e4279a247a852f55d5226f916d1e956820a (patch) | |
tree | 80462e4ca48281f874c3c51d34a3baf01694c321 /source3/winbindd | |
parent | fcdba1b36ffc3cfdeac71863f26a1605d3b24fa5 (diff) | |
s3: range-check idmap script output
Not doing so results in the id mapping succeeding once unchecked and later on
being refused, because when reading from the tdb we do the checks.
Diffstat (limited to 'source3/winbindd')
-rw-r--r-- | source3/winbindd/idmap_tdb2.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
index 3e2021457a..0925b841ee 100644
--- a/source3/winbindd/idmap_tdb2.c
+++ b/source3/winbindd/idmap_tdb2.c
@@ -718,6 +718,19 @@ static NTSTATUS idmap_tdb2_sid_to_id(struct idmap_tdb2_context *ctx, struct id_m
 goto done;
 }
+ /* apply filters before returning result */
+ if ((ctx->filter_low_id
+ && (map->xid.id < ctx->filter_low_id)) ||
+ (ctx->filter_high_id
+ && (map->xid.id > ctx->filter_high_id))) {
+ DEBUG(5, ("Script returned id (%u) out of range "
+ "(%u - %u). Filtered!\n",
+ map->xid.id,
+ ctx->filter_low_id, ctx->filter_high_id));
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
 idstr = talloc_asprintf(tmp_ctx, "%cID %lu", map->xid.type == ID_TYPE_UID?'U':'G', (unsigned long)map->xid.id); |
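Review bot: The added `if` refuses an out-of-range id from the idmap script but reports it only at `DEBUG(5, ...)`, so at ordinary log levels a misconfigured or misbehaving script yields an unmapped SID with no trace; because this is where external helper output is rejected, a lower level such as `DEBUG(1, ...)` would make the refusal visible to an administrator. The refused value also stays in `map->xid.id` when the code jumps to `done`, and unless the `done:` path (not visible here) resets it, a caller that does not check the returned status could still pick it up, so clearing the id or marking the map as unmapped before `goto done;` would be safer. Each bound is applied only when it is non-zero, so with no range configured the script's id is accepted as returned; a short comment such as `/* a bound of 0 means "not configured" and is not checked */` would record that this is intended. idmap_tdb2_sid_to_id starts and ends outside the hunk.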