From: Stefan Metzmacher Date: Fri, 11 Sep 2020 11:52:17 +0000 (+0200) Subject: CVE-2020-25717 wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead X-Git-Tag: samba-4.13.14~262 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4c9be23183f85dbdc3d88d483d31fdd6452ab38;p=thirdparty%2Fsamba.git CVE-2020-25717 wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead This is the only aspect we need here. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539 Signed-off-by: Stefan Metzmacher Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 (cherry picked from commit 7dbe5b4897448aa71b5a8a2175850b4010316b88)
---
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index 2eb61406fc5..2e36643454b 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -77,7 +77,7 @@ static void wb_queryuser_got_uid(struct tevent_req *subreq)
 req, struct wb_queryuser_state);
 struct wbint_userinfo *info = state->info;
 struct netr_SamInfo3 *info3;
- struct winbindd_child *child;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
 struct unixid xid;
 NTSTATUS status;

@@ -138,10 +138,9 @@ static void wb_queryuser_got_uid(struct tevent_req *subreq)
 return;
 }

- child = idmap_child();
-
+ child_binding_handle = idmap_child_handle();
 subreq = dcerpc_wbint_GetNssInfo_send(
- state, state->ev, child->binding_handle, info);
+ state, state->ev, child_binding_handle, info);
 if (tevent_req_nomem(subreq, req)) {
 return;
 }
@@ -156,7 +155,7 @@ static void wb_queryuser_got_domain(struct tevent_req *subreq)
 req, struct wb_queryuser_state);
 struct wbint_userinfo *info = state->info;
 enum lsa_SidType type;
- struct winbindd_child *child;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
 NTSTATUS status;

 status = wb_lookupsid_recv(subreq, state, &type,
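Review bot: In wb_queryuser_got_uid (hunk at -138) the result of `idmap_child_handle()` is passed straight to `dcerpc_wbint_GetNssInfo_send()` with no check, even though the declaration initialises `child_binding_handle` to NULL as if an unset handle were possible. The definition of idmap_child_handle() is not visible in this diff; if it can return NULL before the idmap child is set up, the send call would presumably dereference it inside winbindd. Consider a guard right after the assignment, `if (child_binding_handle == NULL) { tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); return; }`, or a comment stating the invariant that guarantees a non-NULL handle here. The same pattern repeats in wb_queryuser_got_domain (-186) and wb_queryuser_got_dc (-286); all three function bodies extend outside their hunks.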
@@ -186,10 +185,9 @@ static void wb_queryuser_got_domain(struct tevent_req *subreq)
 return;
 }

- child = idmap_child();
-
+ child_binding_handle = idmap_child_handle();
 subreq = dcerpc_wbint_GetNssInfo_send(
- state, state->ev, child->binding_handle, info);
+ state, state->ev, child_binding_handle, info);
 if (tevent_req_nomem(subreq, req)) {
 return;
 }
@@ -270,7 +268,7 @@ static void wb_queryuser_got_dc(struct tevent_req *subreq)
 req, struct wb_queryuser_state);
 struct wbint_userinfo *info = state->info;
 struct netr_DsRGetDCNameInfo *dcinfo;
- struct winbindd_child *child;
+ struct dcerpc_binding_handle *child_binding_handle = NULL;
 NTSTATUS status;

 status = wb_dsgetdcname_recv(subreq, state, &dcinfo);
@@ -286,10 +284,9 @@ static void wb_queryuser_got_dc(struct tevent_req *subreq)
 return;
 }

- child = idmap_child();
-
+ child_binding_handle = idmap_child_handle();
 subreq = dcerpc_wbint_GetNssInfo_send(
- state, state->ev, child->binding_handle, info);
+ state, state->ev, child_binding_handle, info);
 if (tevent_req_nomem(subreq, req)) {
 return;
 }