From: Stefan Metzmacher Date: Fri, 12 Nov 2021 14:27:58 +0000 (+0100) Subject: CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured... X-Git-Tag: samba-4.13.15~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6eddc3bd7a032e1fd3921cd7ea213b5c48f2eab;p=thirdparty%2Fsamba.git CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain We already check the sid belongs to the domain, but checking the name too feels better and make it easier to understand. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit bfd093648b4af51d104096c0cb3535e8706671e5) --- diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c index da50e2b4aa7..2729a0de3f3 100644 --- a/source3/winbindd/idmap_nss.c +++ b/source3/winbindd/idmap_nss.c @@ -139,18 +139,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma for (i = 0; ids[i]; i++) { struct group *gr; enum lsa_SidType type; - const char *p = NULL; + const char *_domain = NULL; + const char *_name = NULL; + char *domain = NULL; char *name = NULL; bool ret; /* by default calls to winbindd are disabled the following call will not recurse so this is safe */ (void)winbind_on(); - ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL, - &p, &type); + ret = winbind_lookup_sid(talloc_tos(), + ids[i]->sid, + &_domain, + &_name, + &type); (void)winbind_off(); - name = discard_const_p(char, p); - if (!ret) { /* TODO: how do we know if the name is really not mapped, * or something just failed ? */ 
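Review bot: Nothing at the call site says who owns the strings returned through `_domain` and `_name`; the only hint is that they are later cast with `discard_const_p` and released with `TALLOC_FREE` further down the loop. A short comment above the declarations would make that explicit, for example `/* winbind_lookup_sid() returns talloc'ed strings through const pointers; the non-const aliases exist only so they can be freed */`. That wording assumes the strings live on the `talloc_tos()` context passed in, which the callee (not visible here) would have to confirm. The pairs `_domain`/`domain` and `_name`/`name` differ only by a leading underscore, so a name such as `const_domain` would be harder to mix up when reading the later checks. The loop body starts before and continues after this hunk.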
@@ -158,6 +161,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma continue; } + domain = discard_const_p(char, _domain); + name = discard_const_p(char, _name); + + if (!strequal(domain, dom->name)) { + struct dom_sid_buf buf; + DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n", + dom->name, dom_sid_str_buf(ids[i]->sid, &buf), + sid_type_lookup(type), domain, name); + ids[i]->status = ID_UNMAPPED; + continue; + } + switch (type) { case SID_NAME_USER: { struct passwd *pw; @@ -190,6 +205,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma ids[i]->status = ID_UNKNOWN; break; } + TALLOC_FREE(domain); TALLOC_FREE(name); } return NT_STATUS_OK;
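Review bot: The new domain-mismatch branch exits the iteration with `continue`, which skips the `TALLOC_FREE(domain); TALLOC_FREE(name);` pair at the bottom of the loop (last hunk). Both strings, presumably allocated on the `talloc_tos()` context passed to the lookup, then stay allocated for every rejected SID until that stackframe is released. Freeing them before the jump keeps a batch of foreign SIDs from accumulating memory: put `TALLOC_FREE(domain); TALLOC_FREE(name);` just above `continue;`. This branch is what keeps names from other domains out of the NSS lookup, so it is also worth confirming that one `DBG_ERR` per rejected SID is the intended log level, since the message repeats for every such SID in a request. The function body extends outside the hunks shown.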