s4-lsarpc: Restrict LookupSids3 to crypto connections only.

author: Andreas Schneider <asn@samba.org> 2012-06-29 16:42:16 +0200
committer: Andreas Schneider <asn@cryptomilk.org> 2012-07-06 10:00:58 +0200
commit: 997c780d24d8f59890ffe92c26107ff4f544a038 (patch)
tree: 1e43bc40c86011597ff39d3b44b1671ea29b7baf /source4/rpc_server/lsa
parent: 1a12bbd5d8a328ae91b8513a47e76c4e32607df4 (diff)
download: samba-997c780d24d8f59890ffe92c26107ff4f544a038.tar.gz
samba-997c780d24d8f59890ffe92c26107ff4f544a038.tar.bz2
samba-997c780d24d8f59890ffe92c26107ff4f544a038.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index 0855b9dfce..b96adaa13d 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -663,10 +663,20 @@ NTSTATUS dcesrv_lsa_LookupSids3(struct dcesrv_call_state *dce_call,
 				TALLOC_CTX *mem_ctx,
 				struct lsa_LookupSids3 *r)
 {
+	struct dcerpc_auth *auth_info = dce_call->conn->auth_state.auth_info;
 	struct lsa_policy_state *policy_state;
 	struct lsa_LookupSids2 q;
 	NTSTATUS status;
 
+	/*
+	 * We don't have policy handles on this call. So this must be restricted
+	 * to crypto connections only.
+	 */
+	if (auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
+	    auth_info->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+		DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
+	}
+
 	status = dcesrv_lsa_get_policy_state(dce_call, mem_ctx, &policy_state);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
author	Andreas Schneider <asn@samba.org>	2012-06-29 16:42:16 +0200
committer	Andreas Schneider <asn@cryptomilk.org>	2012-07-06 10:00:58 +0200
commit	997c780d24d8f59890ffe92c26107ff4f544a038 (patch)
tree	1e43bc40c86011597ff39d3b44b1671ea29b7baf /source4/rpc_server/lsa
parent	1a12bbd5d8a328ae91b8513a47e76c4e32607df4 (diff)
download	samba-997c780d24d8f59890ffe92c26107ff4f544a038.tar.gz samba-997c780d24d8f59890ffe92c26107ff4f544a038.tar.bz2 samba-997c780d24d8f59890ffe92c26107ff4f544a038.zip