diff options
author | Stefan Metzmacher <metze@samba.org> | 2021-11-12 15:27:58 +0100 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2021-11-17 14:35:14 +0000 |
commit | a6eddc3bd7a032e1fd3921cd7ea213b5c48f2eab (patch) | |
tree | 461c379503eee196f22cb3b729964b08c2a772ae | |
parent | fadf49634500a08392f0625db4062d993ccb0b0a (diff) | |
download | samba-a6eddc3bd7a032e1fd3921cd7ea213b5c48f2eab.tar.gz |
CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
We already check the sid belongs to the domain, but checking the name
too feels better and make it easier to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bfd093648b4af51d104096c0cb3535e8706671e5)
-rw-r--r-- | source3/winbindd/idmap_nss.c | 26 |
1 files changed, 21 insertions, 5 deletions
diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c index da50e2b4aa7..2729a0de3f3 100644 --- a/source3/winbindd/idmap_nss.c +++ b/source3/winbindd/idmap_nss.c @@ -139,18 +139,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma for (i = 0; ids[i]; i++) { struct group *gr; enum lsa_SidType type; - const char *p = NULL; + const char *_domain = NULL; + const char *_name = NULL; + char *domain = NULL; char *name = NULL; bool ret; /* by default calls to winbindd are disabled the following call will not recurse so this is safe */ (void)winbind_on(); - ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL, - &p, &type); + ret = winbind_lookup_sid(talloc_tos(), + ids[i]->sid, + &_domain, + &_name, + &type); (void)winbind_off(); - name = discard_const_p(char, p); - if (!ret) { /* TODO: how do we know if the name is really not mapped, * or something just failed ? */ @@ -158,6 +161,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma continue; } + domain = discard_const_p(char, _domain); + name = discard_const_p(char, _name); + + if (!strequal(domain, dom->name)) { + struct dom_sid_buf buf; + DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n", + dom->name, dom_sid_str_buf(ids[i]->sid, &buf), + sid_type_lookup(type), domain, name); + ids[i]->status = ID_UNMAPPED; + continue; + } + switch (type) { case SID_NAME_USER: { struct passwd *pw; @@ -190,6 +205,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma ids[i]->status = ID_UNKNOWN; break; } + TALLOC_FREE(domain); TALLOC_FREE(name); } return NT_STATUS_OK; |