From: Stefan Metzmacher Date: Thu, 10 Sep 2020 13:49:34 +0000 (+0200) Subject: CVE-2020-25717 wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead X-Git-Tag: samba-4.13.14~260 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=39da0df37c4d7a618f070c4216dbd7eae91f489a;p=thirdparty%2Fsamba.git CVE-2020-25717 wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead This is the only aspect we need here. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539 Signed-off-by: Stefan Metzmacher Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 (cherry picked from commit 1694de1ae6ce63377d0afc47e84e55e4745905d7) --- diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c index ff2135b4b50..b47856520ea 100644 --- a/source3/winbindd/wb_sids2xids.c +++ b/source3/winbindd/wb_sids2xids.c @@ -238,8 +238,6 @@ static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq) TALLOC_FREE(names); TALLOC_FREE(domains); - child_binding_handle = idmap_child_handle(); - state->dom_ids = wb_sids2xids_extract_for_domain_index( state, &state->ids, state->dom_index); if (tevent_req_nomem(state->dom_ids, req)) { @@ -252,6 +250,7 @@ static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq) .max_size = 1 }; + child_binding_handle = idmap_child_handle(); subreq = dcerpc_wbint_Sids2UnixIDs_send( state, state->ev, child_binding_handle, &state->idmap_dom, state->dom_ids); @@ -290,8 +289,7 @@ static void wb_sids2xids_done(struct tevent_req *subreq) struct wb_sids2xids_state *state = tevent_req_data( req, struct wb_sids2xids_state); NTSTATUS status, result; - struct winbindd_child *child; - + struct dcerpc_binding_handle *child_binding_handle = NULL; struct wbint_TransIDArray *src, *dst; uint32_t i, src_idx; 
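Review bot: In the hunk at -252,6 (wb_sids2xids_lookupsids_done) the result of `idmap_child_handle()` is passed straight to `dcerpc_wbint_Sids2UnixIDs_send()`, and only the returned subreq is checked with `tevent_req_nomem()`. The diff does not show whether idmap_child_handle() can return NULL; if it can, the failure would surface inside the send call or be reported as an out-of-memory condition, which hides the real cause. If the handle is guaranteed to be valid here, a one-line comment saying why would help; otherwise a guard such as `if (child_binding_handle == NULL) { tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); return; }` before the send makes the failure explicit. The same applies to the hunks at -366,8 (wb_sids2xids_done) and -404,8 (wb_sids2xids_gotdc); all three function bodies start and end outside their hunks.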
@@ -352,8 +350,6 @@ static void wb_sids2xids_done(struct tevent_req *subreq) return; } - child = idmap_child(); - state->dom_ids = wb_sids2xids_extract_for_domain_index( state, &state->ids, state->dom_index); if (tevent_req_nomem(state->dom_ids, req)) { @@ -366,8 +362,9 @@ static void wb_sids2xids_done(struct tevent_req *subreq) .max_size = 1 }; + child_binding_handle = idmap_child_handle(); subreq = dcerpc_wbint_Sids2UnixIDs_send( - state, state->ev, child->binding_handle, &state->idmap_dom, + state, state->ev, child_binding_handle, &state->idmap_dom, state->dom_ids); if (tevent_req_nomem(subreq, req)) { return; @@ -381,7 +378,7 @@ static void wb_sids2xids_gotdc(struct tevent_req *subreq) subreq, struct tevent_req); struct wb_sids2xids_state *state = tevent_req_data( req, struct wb_sids2xids_state); - struct winbindd_child *child = idmap_child(); + struct dcerpc_binding_handle *child_binding_handle = NULL; struct netr_DsRGetDCNameInfo *dcinfo; NTSTATUS status; @@ -404,8 +401,9 @@ static void wb_sids2xids_gotdc(struct tevent_req *subreq) } } + child_binding_handle = idmap_child_handle(); subreq = dcerpc_wbint_Sids2UnixIDs_send( - state, state->ev, child->binding_handle, &state->idmap_dom, + state, state->ev, child_binding_handle, &state->idmap_dom, state->dom_ids); if (tevent_req_nomem(subreq, req)) { return;
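Review bot: In wb_sids2xids_gotdc, `child_binding_handle` is declared with `= NULL` at -381,7 and then assigned exactly once at -404,8, on the line directly before its only use, so the initialiser is never read. wb_sids2xids_done has the same shape (-290,8 and -366,8). Because the fetch of the handle, the `dcerpc_wbint_Sids2UnixIDs_send()` call and the `tevent_req_nomem()` check now appear identically in three callbacks, a small static helper would keep the three call sites from drifting apart. It could take `req` and `state`, obtain the handle and issue the send. The function bodies extend outside the hunks, so whether the follow-up `tevent_req_set_callback()` is also identical cannot be confirmed from this diff.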