From c4fc0b49f05f56174dc904a19d9e4dfc6d3ef523 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 12 Dec 2008 19:52:06 +0100 Subject: Manually marshall dom_sid, so we can use a fixed size array for dom_sid.sub_auths rather than a dynamically allocated one. This makes it possible to use the same DCE/RPC object code for Samba 3 and Samba 4's DCE/RPC parsers and allows copying sids more easily (since they no longer contain any pointers). The cost of having additional manual marshalling code is limited (~35 additional lines of C code). --- source4/libcli/security/dom_sid.c | 17 +------------ source4/libcli/security/sddl.c | 1 - source4/libcli/security/security_descriptor.c | 20 --------------- source4/librpc/idl/dom_sid.idl | 8 ++---- source4/librpc/ndr/ndr_dom_sid.c | 35 +++++++++++++++++++++++++-- source4/torture/unix/whoami.c | 5 ---- 6 files changed, 36 insertions(+), 50 deletions(-) diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 1a7519e362..d8a83f2abb 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -122,11 +122,6 @@ struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) return NULL; } - ret->sub_auths = talloc_array(ret, uint32_t, num_sub_auths); - if (!ret->sub_auths) { - return NULL; - } - ret->sid_rev_num = rev; ret->id_auth[0] = 0; ret->id_auth[1] = 0; @@ -183,11 +178,6 @@ struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) return NULL; } - ret->sub_auths = talloc_array(ret, uint32_t, dom_sid->num_auths); - if (!ret->sub_auths) { - return NULL; - } - ret->sid_rev_num = dom_sid->sid_rev_num; ret->id_auth[0] = dom_sid->id_auth[0]; ret->id_auth[1] = dom_sid->id_auth[1]; @@ -206,7 +196,7 @@ struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) /* add a rid to a domain dom_sid to make a full dom_sid. This function - returns a new sid in the suppplied memory context + returns a new sid in the supplied memory context */ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *domain_sid, @@ -219,11 +209,6 @@ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, *sid = *domain_sid; - sid->sub_auths = talloc_array(sid, uint32_t, sid->num_auths+1); - if (!sid->sub_auths) { - return NULL; - } - memcpy(sid->sub_auths, domain_sid->sub_auths, sid->num_auths*sizeof(uint32_t)); sid->sub_auths[sid->num_auths] = rid; sid->num_auths++; diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 09522f182a..a8d893f085 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -249,7 +249,6 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char return false; } ace->trustee = *sid; - talloc_steal(mem_ctx, sid->sub_auths); talloc_free(sid); return true; diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c index 882284dd9b..2bce8e8b08 100644 --- a/source4/libcli/security/security_descriptor.c +++ b/source4/libcli/security/security_descriptor.c @@ -65,18 +65,6 @@ static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx, goto failed; } - /* remapping array in trustee dom_sid from old acl to new acl */ - - for (i = 0; i < oacl->num_aces; i++) { - nacl->aces[i].trustee.sub_auths = - (uint32_t *)talloc_memdup(nacl->aces, nacl->aces[i].trustee.sub_auths, - sizeof(uint32_t) * nacl->aces[i].trustee.num_auths); - - if ((nacl->aces[i].trustee.sub_auths == NULL) && (nacl->aces[i].trustee.num_auths > 0)) { - goto failed; - } - } - nacl->revision = oacl->revision; nacl->size = oacl->size; nacl->num_aces = oacl->num_aces; @@ -175,14 +163,6 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd, } acl->aces[acl->num_aces] = *ace; - acl->aces[acl->num_aces].trustee.sub_auths = - (uint32_t *)talloc_memdup(acl->aces, - acl->aces[acl->num_aces].trustee.sub_auths, - sizeof(uint32_t) * - acl->aces[acl->num_aces].trustee.num_auths); - if (acl->aces[acl->num_aces].trustee.sub_auths == NULL) { - return NT_STATUS_NO_MEMORY; - } switch (acl->aces[acl->num_aces].type) { case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: diff --git a/source4/librpc/idl/dom_sid.idl b/source4/librpc/idl/dom_sid.idl index 1fc8ee2165..40712fc371 100644 --- a/source4/librpc/idl/dom_sid.idl +++ b/source4/librpc/idl/dom_sid.idl @@ -22,13 +22,11 @@ cpp_quote("#define dom_sid0 dom_sid") ] interface dom_sid { - /* a domain SID. Note that unlike Samba3 this contains a pointer, - so you can't copy them using assignment */ - typedef [public,gensize,noprint,nosize] struct { + typedef [public,gensize,noprint,nosize,nopull,nopush] struct { uint8 sid_rev_num; /**< SID revision number */ [range(0,15)] int8 num_auths; /**< Number of sub-authorities */ uint8 id_auth[6]; /**< Identifier Authority */ - uint32 sub_auths[num_auths]; + uint32 sub_auths[15]; } dom_sid; /* id used to identify a endpoint, possibly in a cluster */ @@ -37,6 +35,4 @@ interface dom_sid uint32 id2; uint32 node; } server_id; - } - diff --git a/source4/librpc/ndr/ndr_dom_sid.c b/source4/librpc/ndr/ndr_dom_sid.c index b986231b4f..9b2118f56a 100644 --- a/source4/librpc/ndr/ndr_dom_sid.c +++ b/source4/librpc/ndr/ndr_dom_sid.c @@ -137,8 +137,7 @@ enum ndr_err_code ndr_pull_dom_sid28(struct ndr_pull *ndr, int ndr_flags, struct /* handle a w2k bug which send random data in the buffer */ ZERO_STRUCTP(sid); } else if (sid->num_auths == 0 && sid->sub_auths) { - talloc_free(sid->sub_auths); - sid->sub_auths = NULL; + ZERO_STRUCT(sid->sub_auths); } return NDR_ERR_SUCCESS; @@ -215,3 +214,35 @@ enum ndr_err_code ndr_push_dom_sid0(struct ndr_push *ndr, int ndr_flags, const s return ndr_push_dom_sid(ndr, ndr_flags, sid); } +_PUBLIC_ enum ndr_err_code ndr_push_dom_sid(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *r) +{ + uint32_t cntr_sub_auths_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_push_align(ndr, 4)); + NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, r->sid_rev_num)); + NDR_CHECK(ndr_push_int8(ndr, NDR_SCALARS, r->num_auths)); + NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6)); + for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < r->num_auths; cntr_sub_auths_0++) { + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->sub_auths[cntr_sub_auths_0])); + } + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_dom_sid(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *r) +{ + uint32_t cntr_sub_auths_0; + if (ndr_flags & NDR_SCALARS) { + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num)); + NDR_CHECK(ndr_pull_int8(ndr, NDR_SCALARS, &r->num_auths)); + if (r->num_auths < 0 || r->num_auths > 15) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6)); + for (cntr_sub_auths_0 = 0; cntr_sub_auths_0 < r->num_auths; cntr_sub_auths_0++) { + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->sub_auths[cntr_sub_auths_0])); + } + } + return NDR_ERR_SUCCESS; +} diff --git a/source4/torture/unix/whoami.c b/source4/torture/unix/whoami.c index 5e5a5e81cd..b72b9fcb09 100644 --- a/source4/torture/unix/whoami.c +++ b/source4/torture/unix/whoami.c @@ -127,11 +127,6 @@ static bool sid_parse(void *mem_ctx, torture_assert(torture, (*psid)->num_auths <= 15, "invalid sub_auth value"); - (*psid)->sub_auths = talloc_array(mem_ctx, uint32_t, - (*psid)->num_auths); - torture_assert(torture, (*psid)->sub_auths != NULL, - "out of memory"); - for (i = 0; i < (*psid)->num_auths; i++) { (*psid)->sub_auths[i] = IVAL(data->data, *offset); (*offset) += 4; -- cgit