s4-auth Remove special case for account_sid from auth_serversupplied_info

This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **.  This is in keeping with
the other sid lists in the security_token etc.

In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.

Andrew Bartlett

3 files changed, 29 insertions, 41 deletions

diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
index d41305577c..b5aecbafe9 100644
--- a/source4/dsdb/common/util_groups.c
+++ b/source4/dsdb/common/util_groups.c
@@ -27,14 +27,14 @@
 #include "dsdb/common/util.h"
 
 /* This function tests if a SID structure "sids" contains the SID "sid" */
-static bool sids_contains_sid(const struct dom_sid **sids,
+static bool sids_contains_sid(const struct dom_sid *sids,
 			      const unsigned int num_sids,
 			      const struct dom_sid *sid)
 {
 	unsigned int i;
 
 	for (i = 0; i < num_sids; i++) {
-		if (dom_sid_equal(sids[i], sid))
+		if (dom_sid_equal(&sids[i], sid))
 			return true;
 	}
 	return false;
@@ -56,7 +56,7 @@ static bool sids_contains_sid(const struct dom_sid **sids,
  */
 NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 				   struct ldb_val *dn_val, const bool only_childs, const char *filter,
-				   TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids,
+				   TALLOC_CTX *res_sids_ctx, struct dom_sid **res_sids,
 				   unsigned int *num_res_sids)
 {
 	const char * const attrs[] = { "memberOf", NULL };
@@ -114,7 +114,7 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 				     DSDB_SEARCH_SHOW_EXTENDED_DN);
 	} else {
 		/* This is an O(n^2) linear search */
-		already_there = sids_contains_sid((const struct dom_sid**) *res_sids,
+		already_there = sids_contains_sid(*res_sids,
 						  *num_res_sids, &sid);
 		if (already_there) {
 			talloc_free(tmp_ctx);
@@ -148,10 +148,9 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 	/* We only apply this test once we know the SID matches the filter */
 	if (!only_childs) {
 		*res_sids = talloc_realloc(res_sids_ctx, *res_sids,
-			struct dom_sid *, *num_res_sids + 1);
+			struct dom_sid, *num_res_sids + 1);
 		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(*res_sids, tmp_ctx);
-		(*res_sids)[*num_res_sids] = dom_sid_dup(*res_sids, &sid);
-		NT_STATUS_HAVE_NO_MEMORY_AND_FREE((*res_sids)[*num_res_sids], tmp_ctx);
+		(*res_sids)[*num_res_sids] = sid;
 		++(*num_res_sids);
 	}
 
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index ae61089198..1df56e8fe0 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -149,7 +149,7 @@ static int construct_token_groups(struct ldb_module *module,
 	const char *account_sid_string;
 	const char *account_sid_dn;
 	DATA_BLOB account_sid_blob;
-	struct dom_sid **groupSIDs = NULL;
+	struct dom_sid *groupSIDs = NULL;
 	unsigned int num_groupSIDs = 0;
 
 	struct dom_sid *domain_sid;
@@ -254,7 +254,7 @@ static int construct_token_groups(struct ldb_module *module,
 	}
 
 	for (i=0; i < num_groupSIDs; i++) {
-		ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", groupSIDs[i]);
+		ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", &groupSIDs[i]);
 		if (ret) {
 			talloc_free(tmp_ctx);
 			return ret;
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 11913fbbce..53be12cd52 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -144,10 +144,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
 ****************************************************************************/
 NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, 
 			       struct loadparm_context *lp_ctx,
-			       struct dom_sid *user_sid,
-			       struct dom_sid *group_sid, 
-			       unsigned int n_groupSIDs,
-			       struct dom_sid **groupSIDs, 
+			       unsigned int num_sids,
+			       struct dom_sid *sids,
 			       uint32_t session_info_flags,
 			       struct security_token **token)
 {
@@ -158,22 +156,32 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 	ptoken = security_token_initialise(mem_ctx);
 	NT_STATUS_HAVE_NO_MEMORY(ptoken);
 
-	ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 6 /* over-allocate */);
+	ptoken->sids = talloc_array(ptoken, struct dom_sid, num_sids + 6 /* over-allocate */);
 	NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
 
-	ptoken->num_sids = 1;
+	ptoken->num_sids = 0;
 
-	ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
-	NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+	for (i = 0; i < num_sids; i++) {
+		size_t check_sid_idx;
+		for (check_sid_idx = 0;
+		     check_sid_idx < ptoken->num_sids;
+		     check_sid_idx++) {
+			if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i])) {
+				break;
+			}
+		}
 
-	ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid;
-	if (!dom_sid_equal(user_sid, group_sid)) {
-		ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid;
-		ptoken->num_sids++;
+		if (check_sid_idx == ptoken->num_sids) {
+			ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
+			NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
+			ptoken->sids[ptoken->num_sids] = sids[i];
+			ptoken->num_sids++;
+		}
 	}
 
 	/*
-	 * Finally add the "standard" SIDs.
+	 * Finally add the "standard" sids.
 	 * The only difference between guest and "anonymous"
 	 * is the addition of Authenticated_Users.
 	 */
@@ -203,25 +211,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 		ptoken->num_sids++;
 	}
 
-	for (i = 0; i < n_groupSIDs; i++) {
-		size_t check_sid_idx;
-		for (check_sid_idx = 1; 
-		     check_sid_idx < ptoken->num_sids; 
-		     check_sid_idx++) {
-			if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) {
-				break;
-			}
-		}
-
-		if (check_sid_idx == ptoken->num_sids) {
-			ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
-			NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
-			ptoken->sids[ptoken->num_sids] = *groupSIDs[i];
-			ptoken->num_sids++;
-		}
-	}
-
 	/* The caller may have requested simple privilages, for example if there isn't a local DB */
 	if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
 		/* Shortcuts to prevent recursion and avoid lookups */