author | Jakub Hrozek <jhrozek@redhat.com> | 2016-05-06 15:02:19 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2016-07-01 11:09:28 +0200 |
commit | d68d2b8ca6ded8662408817dffc3aa2a58dd844c (patch) | |
tree | b77d766d5d6e8889958f15159f1f6c54ffd8eb2d | |
parent | afec2ab750a453c592397f6775ec091e894d89b9 (diff) | |
IPA: Handle requests for netgroups from trusted domains gracefully
In ipa_account_info_handler we first check if the request is for a user
from a trusted domain and go that way for all request types. In
contrast, in the ipa_account_info_done we first check if the requested
object is a netgroup. If both are true, we first start a subdomain
lookup send but then call netgroup lookup recv, which results in talloc
type mismatch and crashes sssd_be.
Resolves:
https://fedorahosted.org/sssd/ticket/3007
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r-- | src/providers/ipa/ipa_id.c | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index 29e22982c..dff4b2358 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -115,21 +115,27 @@ void ipa_account_info_handler(struct be_req *breq)
 return sdap_handler_done(breq, DP_ERR_OK, EOK, "Success");
 }
- if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
- /* if domain names do not match, this is a subdomain case
- * subdomain lookups are handled differently on the server
- * and the client
- */
- req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
-
- } else if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
+ if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
 /* netgroups are handled by a separate request function */
 if (ar->filter_type != BE_FILTER_NAME) {
 return sdap_handler_done(breq, DP_ERR_FATAL, EINVAL, "Invalid filter type");
 }
+
+ if ((strcasecmp(ar->domain, be_ctx->domain->name) != 0)) {
+ return sdap_handler_done(breq, DP_ERR_OK, EOK,
+ "netgroups in subdomains are "
+ "not handled\n");
+ }
+
 req = ipa_id_get_netgroup_send(breq, be_ctx->ev, ipa_ctx, ar->filter_value);
+ } else if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
+ /* if domain names do not match, this is a subdomain case
+ * subdomain lookups are handled differently on the server
+ * and the client
+ */
+ req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
 } else {
 /* any account request is handled by sdap,
 * any invalid request is caught there. */ |
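Review bot: The branch order of this if/else chain now has to mirror the order of checks in ipa_account_info_done (not visible in this hunk), and nothing in the new code records that; per the commit message, a mismatch makes the done callback call the netgroup recv on a subdomain request and sssd_be aborts on a talloc type mismatch. I would add a comment above the netgroup branch, e.g. `/* Keep this order in sync with ipa_account_info_done(): it picks the recv function by the same checks */`, so a later reordering does not bring the crash back. The new early return reports `DP_ERR_OK`/`EOK` for a netgroup request in a subdomain, which presumably looks to the requester like an empty result rather than an unsupported lookup; if that is intended, a one-line comment saying so would help. Its message also ends in `\n`, unlike the other `sdap_handler_done` messages in the hunk ("Success", "Invalid filter type"). The body of ipa_account_info_handler starts and ends outside the hunk.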