From ca860e4279a247a852f55d5226f916d1e956820a Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Thu, 29 Apr 2010 12:14:08 +0200
Subject: s3: range-check idmap script output

Not doing so results in the id mapping succeeding once unchecked and later on being refused, because when reading from the tdb we do the checks.
---
 source3/winbindd/idmap_tdb2.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'source3')

diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
index 3e2021457a..0925b841ee 100644
--- a/source3/winbindd/idmap_tdb2.c
+++ b/source3/winbindd/idmap_tdb2.c
@@ -718,6 +718,19 @@ static NTSTATUS idmap_tdb2_sid_to_id(struct idmap_tdb2_context *ctx, struct id_m
 goto done;
 }

+ /* apply filters before returning result */
+ if ((ctx->filter_low_id
+ && (map->xid.id < ctx->filter_low_id)) ||
+ (ctx->filter_high_id
+ && (map->xid.id > ctx->filter_high_id))) {
+ DEBUG(5, ("Script returned id (%u) out of range "
+ "(%u - %u). Filtered!\n",
+ map->xid.id,
+ ctx->filter_low_id, ctx->filter_high_id));
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
 idstr = talloc_asprintf(tmp_ctx, "%cID %lu",
 map->xid.type == ID_TYPE_UID?'U':'G',
 (unsigned long)map->xid.id);
-- cgit
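Review bot: The rejection of an out-of-range id from the idmap script is logged only at `DEBUG(5, ...)`, so at usual log levels an administrator never learns that the external script produced an id outside the configured range; since such an id could overlap ids owned by another backend or by local accounts, I would log it at a more visible level, e.g. `DEBUG(1, ("Script returned id (%u) out of range "`. Each bound is also tested only when it is non-zero (`ctx->filter_low_id && ...`), so with no range configured the script's id is stored without any check; if that is intended, a comment above the `if` such as `/* a bound of 0 means "no limit" */` would make it explicit. The commit message says the same test is applied when reading from the tdb, so a small shared helper would keep the two copies from drifting apart again; that other copy is not visible in this hunk. The body of idmap_tdb2_sid_to_id starts and ends outside the hunk, so what happens to `map` at `done:` after `NT_STATUS_NONE_MAPPED` cannot be confirmed from here.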