From: Ralph Boehme
Date: Fri, 15 Dec 2017 20:09:15 +0000 (+0100)
Subject: winbindd: enforce valid SID in add_trusted_domain_from_tdc()
X-Git-Tag: samba-4.8.0rc1~66
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c7c06fd23813a61fdb10745e3ee2838206319bdd;p=thirdparty%2Fsamba.git

winbindd: enforce valid SID in add_trusted_domain_from_tdc()

It's the callers responsibility to ensure we get a valid SID. Adding half-baked domains with only partially valid data is a recipe for desaster.

Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
---

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 62eff4a563f..cac6ba5373d 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -153,7 +153,8 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc)
 	const struct dom_sid *sid = &tdc->sid;
 
 	if (is_null_sid(sid)) {
-		sid = NULL;
+		DBG_ERR("Got null SID for domain [%s]\n", domain_name);
+		return NULL;
 	}
 
 	ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
@@ -187,24 +188,12 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc)
 			}
 		}
 
-		if (sid != NULL) {
-			if (dom_sid_equal(sid, &domain->sid)) {
-				break;
-			}
+		if (dom_sid_equal(sid, &domain->sid)) {
+			break;
 		}
 	}
 
 	if (domain != NULL) {
-		/*
-		 * We found a match on domain->name or
-		 * domain->alt_name. Possibly update the SID
-		 * if the stored SID was the NULL SID
-		 * and return the matching entry.
-		 */
-		if ((sid != NULL)
-		    && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
-			sid_copy( &domain->sid, sid );
-		}
 		return domain;
 	}
 
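Review bot: The early `return NULL` on a null SID changes what callers get back, yet nothing in the hunk documents the new precondition, and any caller that still treats the result as always-valid will dereference NULL; the function's declaration and its callers lie outside this hunk, so whether every caller now checks the result cannot be confirmed here. A one-line comment above the check would state the contract, e.g. `/* A null SID is a caller bug: refuse to register a half-initialised domain. */`. Separately, `domain_name` is handed to `%s` unconditionally; if tdc->domain_name can be NULL at this point the error log itself is undefined behaviour, so either a `domain_name ? domain_name : "<unknown>"` guard or a note that it is guaranteed non-NULL would help.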
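Review bot: With `sid` now guaranteed valid, the `if (domain != NULL) { return domain; }` path can hand back an entry that matched on name alone while carrying a SID different from `tdc->sid`, and the disagreement is neither logged nor rejected; the removed block at least reconciled a NULL stored SID, so a conflicting SID for an already-known name is now silently ignored. The name-matching part of the loop starts before this hunk, so whether a name match always implies a SID match cannot be checked from here. A guard before `return domain;` such as `if (!dom_sid_equal(sid, &domain->sid)) { DBG_WARNING("SID mismatch for existing domain [%s]\n", domain_name); }` would at least surface a trust record whose SID disagrees with the cached one, which is exactly the kind of partially-valid data the commit sets out to keep out of the list.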
@@ -244,12 +233,10 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc)
 	domain->online = is_internal_domain(sid);
 	domain->check_online_timeout = 0;
 	domain->dc_probe_pid = (pid_t)-1;
-	if (sid != NULL) {
-		sid_copy(&domain->sid, sid);
-	}
 	domain->domain_flags = tdc->trust_flags;
 	domain->domain_type = tdc->trust_type;
 	domain->domain_trust_attribs = tdc->trust_attribs;
+	sid_copy(&domain->sid, sid);
 
 	/* Is this our primary domain ? */
 	if (role == ROLE_DOMAIN_MEMBER) {
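Review bot: The unconditional `sid_copy(&domain->sid, sid);` now sits after the three tdc->trust_* assignments, whereas `domain->online = is_internal_domain(sid)` reads the same SID at the top of the hunk; placing the copy directly after that line would keep the SID-derived fields together and make it obvious that `domain->sid` is populated before anything later in the function reads it. Whether any code between the allocation and this point already reads `domain->sid` cannot be told from the hunk, as the allocation happens earlier in the function.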