authorSimo Sorce <simo@redhat.com>2013-05-23 10:04:11 -0400
committerMartin Kosek <mkosek@redhat.com>2013-05-28 16:01:52 +0200
commitb402b6d553bc4b19697bdcc7dab30cbc18971e28 (patch)
tree50881bd0c15a9ca633e76eeb6b2205be29cb6293 /daemons
parent2d3301ceb7dca44d200d6abc0a2a6dfcce3dd7c2 (diff)
CLDAP: Fix domain handling in netlogon requests
1. Stop using getdomainname() as it is often not properly initialized. 2. The code using getdomainname() was not working anyway: it was trying to look at the function call output in hostname, which is always empty at that point. 3. Always check that the requested domain matches our own; we cannot reply to anything else anyway. Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639 Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c67
1 files changed, 39 insertions, 28 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
index 180a067ff..dda933d6d 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
@@ -215,14 +215,14 @@ int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx,
struct berval *reply)
{
char hostname[MAXHOSTNAMELEN + 1]; /* NOTE: lenght hardcoded in kernel */
- char domname[MAXHOSTNAMELEN + 1]; /* NOTE: lenght hardcoded in kernel */
+ char *host = NULL;
char *domain = NULL;
char *guid = NULL;
char *sid = NULL;
char *name = NULL;
uint32_t ntver = 0;
uint32_t t;
- char *p;
+ char *dot;
int ret;
int len;
int i;
@@ -295,22 +295,43 @@ int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx,
goto done;
}
- /* If no domain is provide the client is asking for our own domain,
- * read our own domain name from the system */
- if (!domain) {
- ret = getdomainname(domname, MAXHOSTNAMELEN);
- if (ret == -1) {
- ret = errno;
+ /* TODO: get our own domain at plugin initialization, and avoid
+ * gethostname() */
+ ret = gethostname(hostname, MAXHOSTNAMELEN);
+ if (ret == -1) {
+ ret = errno;
+ goto done;
+ }
+ /* Make double sure it is terminated */
+ hostname[MAXHOSTNAMELEN] = '\0';
+ dot = strchr(hostname, '.');
+ if (!dot) {
+ /* this name is not fully qualified, therefore invalid */
+ ret = EINVAL;
+ goto done;
+ }
+ *dot = '\0';
+
+ /* this is the unqualified host name */
+ host = strdup(hostname);
+ if (!host) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* If a domain is provided, check it is our own.
+ * If no domain is provided the client is asking for our own domain. */
+ if (domain) {
+ ret = strcasecmp(domain, dot + 1);
+ if (ret != 0) {
+ ret = EINVAL;
goto done;
}
- domname[MAXHOSTNAMELEN] = '\0';
- p = strchr(hostname, '.');
- if (p) {
- domain = strdup(p + 1);
- if (!domain) {
- ret = ENOMEM;
- goto done;
- }
+ } else {
+ domain = strdup(dot + 1);
+ if (!domain) {
+ ret = ENOMEM;
+ goto done;
}
}
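Review bot: The fully-qualified check after `strchr(hostname, '.')` only rejects a name with no dot, so a system hostname such as `host.` or `.example.com` passes with an empty domain or an empty host label. In the first case `dot + 1` is an empty string, which then becomes both the reference for `strcasecmp(domain, dot + 1)` and the value copied into `domain` for the reply. Tightening the guard to `if (!dot || dot == hostname || dot[1] == '\0') {` keeps the server from answering netlogon requests with an empty name. A trailing root dot on either the local hostname or the client-supplied domain would also make the comparison fail for an otherwise matching domain. Whether the request parser normalises that is not visible here, since the body of ipa_cldap_netlogon starts and ends outside this hunk, so a short comment next to the comparison stating the expected form would help.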
@@ -325,22 +346,12 @@ int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx,
goto done;
}
- ret = gethostname(hostname, MAXHOSTNAMELEN);
- if (ret == -1) {
- ret = errno;
- goto done;
- }
- hostname[MAXHOSTNAMELEN] = '\0';
- p = strchr(hostname, '.');
- if (p) {
- *p = '\0';
- }
-
- ret = ipa_cldap_encode_netlogon(hostname, domain,
+ ret = ipa_cldap_encode_netlogon(host, domain,
guid, sid, name,
ntver, reply);
done:
+ free(host);
free(domain);
free(guid);
free(sid);