From: Stefan Metzmacher Date: Tue, 21 Sep 2021 11:13:52 +0000 (+0200) Subject: CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain() X-Git-Tag: samba-4.13.14~147 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0031f531850e6cd4e674be45da54307f3e4360b;p=thirdparty%2Fsamba.git CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain() is_allowed_domain() is a central place we already use to trigger NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, so we can add additional logic there. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett
---
diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c
index 630a25875c7..876035cbe29 100644
--- a/source3/lib/util_names.c
+++ b/source3/lib/util_names.c
@@ -200,5 +200,18 @@ bool is_allowed_domain(const char *domain_name)
 }
 }
 
- return true;
+ if (lp_allow_trusted_domains()) {
+ return true;
+ }
+
+ if (strequal(lp_workgroup(), domain_name)) {
+ return true;
+ }
+
+ if (is_myname(domain_name)) {
+ return true;
+ }
+
+ DBG_NOTICE("Not trusted domain '%s'\n", domain_name);
+ return false;
 }
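Review bot: The added tail of is_allowed_domain() turns the function from allow-by-default into deny-by-default whenever lp_allow_trusted_domains() is false, and nothing in the added lines documents that contract for the next maintainer. A comment before the first added `if` would help, for example `/* With "allow trusted domains = no" only our own workgroup and our own machine names pass; every other domain is rejected and callers report NT_STATUS_AUTHENTICATION_FIREWALL_FAILED. */`. The `strequal(lp_workgroup(), domain_name)` test matches the short workgroup name only, so a caller that passes another form of the same domain (a DNS realm, presumably) would fall through to `return false`; the comment should say which name form callers must pass. The rejection is logged with DBG_NOTICE, which may sit above the log level many sites run, so operators investigating failed logons may have to rely on the caller's status code rather than this message. The function body starts outside the hunk, so the earlier checks that can already return false are not reviewed here.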