CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured...

We already check the sid belongs to the domain, but checking the name
too feels better and make it easier to understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bfd093648b4af51d104096c0cb3535e8706671e5)

diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
index da50e2b4aa7507a2dc4ac13d875fae0d3235f95f..2729a0de3f3133bc9316c6e12d84810460d91f9f 100644 (file)
--- a/source3/winbindd/idmap_nss.c
+++ b/source3/winbindd/idmap_nss.c
@@ -139,18 +139,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
        for (i = 0; ids[i]; i++) {
                struct group *gr;
                enum lsa_SidType type;
-               const char *p = NULL;
+               const char *_domain = NULL;
+               const char *_name = NULL;
+               char *domain = NULL;
                char *name = NULL;
                bool ret;
 
                /* by default calls to winbindd are disabled
                   the following call will not recurse so this is safe */
                (void)winbind_on();
-               ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL,
-                                        &p, &type);
+               ret = winbind_lookup_sid(talloc_tos(),
+                                        ids[i]->sid,
+                                        &_domain,
+                                        &_name,
+                                        &type);
                (void)winbind_off();
-               name = discard_const_p(char, p);
-
                if (!ret) {
                        /* TODO: how do we know if the name is really not mapped,
                         * or something just failed ? */
@@ -158,6 +161,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
                        continue;
                }
 
+               domain = discard_const_p(char, _domain);
+               name = discard_const_p(char, _name);
+
+               if (!strequal(domain, dom->name)) {
+                       struct dom_sid_buf buf;
+                       DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n",
+                               dom->name, dom_sid_str_buf(ids[i]->sid, &buf),
+                               sid_type_lookup(type), domain, name);
+                       ids[i]->status = ID_UNMAPPED;
+                       continue;
+               }
+
                switch (type) {
                case SID_NAME_USER: {
                        struct passwd *pw;
@@ -190,6 +205,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
                        ids[i]->status = ID_UNKNOWN;
                        break;
                }
+               TALLOC_FREE(domain);
                TALLOC_FREE(name);
        }
        return NT_STATUS_OK;