URL: https://github.com/SSSD/sssd/pull/449
Author: amitkumar50
 Title: #449: cache: Check for max_id/min_id in cache_req
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/449/head:pr449
git checkout pr449
From 630b9fc87b5f12a8d3662abb899cfe84d0df60f0 Mon Sep 17 00:00:00 2001
From: amitkuma <amitk...@redhat.com>
Date: Tue, 14 Nov 2017 16:44:06 +0530
Subject: [PATCH] cache: Check for max_id/min_id in cache_req

The cache_req code doesn't check the min_id/max_id
boundaries for requests by ID.
Extend the .lookup_fn function in each plugin
that searches by ID with a check that returns 0
if the entry is out of the range.

Resolves: https://pagure.io/SSSD/sssd/issue/3569
---
 src/db/sysdb_ops.c                                              | 1 -
 src/db/sysdb_search.c                                           | 1 -
 src/responder/common/cache_req/plugins/cache_req_group_by_id.c  | 6 ++++++
 src/responder/common/cache_req/plugins/cache_req_object_by_id.c | 5 +++++
 src/responder/common/cache_req/plugins/cache_req_user_by_id.c   | 5 +++++
 5 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 1539c41c9..a3c4c9033 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4909,7 +4909,6 @@ errno_t sysdb_search_object_by_id(TALLOC_CTX *mem_ctx,
     if (filter == NULL) {
         return ENOMEM;
     }
-
     ret = sysdb_search_object_attr(mem_ctx, domain, filter, attrs, true, res);
 
     talloc_free(filter);
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 808396690..1806a614e 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -374,7 +374,6 @@ errno_t sysdb_getpwuid_with_views(TALLOC_CTX *mem_ctx,
         DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
         return ENOMEM;
     }
-
     /* If there are views we first have to search the overrides for matches */
     if (DOM_HAS_VIEWS(domain)) {
         ret = sysdb_search_user_override_by_uid(tmp_ctx, domain, uid,
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
index 5ca64283a..e048e0289 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
@@ -64,6 +64,12 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx,
                              struct sss_domain_info *domain,
                              struct ldb_result **_result)
 {
+   if ((domain->id_max != 0 && data->id > domain->id_max)
+        ||  (data->id < domain->id_min)) {
+        DEBUG(SSSDBG_OP_FAILURE, "gid exceeds min/max boundaries\n");
+        return EOK;
+    }
+
     return sysdb_getgrgid_with_views(mem_ctx, domain, data->id, _result);
 }
 
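Review bot: The new early return in cache_req_group_by_id_lookup reports EOK without ever storing to `*_result`, so a caller that treats EOK as "the result is valid" would read whatever the pointer held before the call. The caller is not part of this patch, so this needs confirming against it. An ID outside the domain's configured range is effectively a miss, so the safer contract is a not-found style return such as `return ENOENT;` (if the caller maps that to a cache miss), or at minimum `*_result = NULL;` before returning. The same early return is added in cache_req_object_by_id_lookup and cache_req_user_by_id_lookup. Separately, the first added line here is indented with three spaces and has a double space after `||`.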
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
index 339bd4f5f..88482caf9 100644
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
@@ -90,6 +90,11 @@ cache_req_object_by_id_lookup(TALLOC_CTX *mem_ctx,
                               struct sss_domain_info *domain,
                               struct ldb_result **_result)
 {
+    if ((domain->id_max != 0 && data->id > domain->id_max)
+        || (data->id < domain->id_min)) {
+        DEBUG(SSSDBG_OP_FAILURE, "id exceeded min/max boundaries\n");
+        return EOK;
+    }
     return sysdb_search_object_by_id(mem_ctx, domain, data->id,
                                      data->attrs, _result);
 }
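Review bot: The range predicate `(domain->id_max != 0 && data->id > domain->id_max) || (data->id < domain->id_min)` is now copied verbatim into three plugins, here and in the group and user lookups. Because it enforces the domain's min_id/max_id policy, the copies should not be able to drift apart; a single shared helper taking the domain and the id (for example a proposed `id_is_in_domain_range(domain, id)`, name to be chosen) would keep the rule in one place. A short comment there should say that `id_max == 0` means "no upper bound", which the condition implies but does not state. This hunk also drops the blank line between the guard and the call that the group plugin keeps, and says "exceeded" where the other two say "exceeds".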
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
index 913f9be5b..64fb9aeb1 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
@@ -64,6 +64,11 @@ cache_req_user_by_id_lookup(TALLOC_CTX *mem_ctx,
                             struct sss_domain_info *domain,
                             struct ldb_result **_result)
 {
+    if ((domain->id_max != 0 && data->id > domain->id_max)
+        ||  (data->id < domain->id_min)) {
+        DEBUG(SSSDBG_OP_FAILURE, "uid exceeds min/max boundaries\n");
+        return EOK;
+    }
     return sysdb_getpwuid_with_views(mem_ctx, domain, data->id, _result);
 }
 
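Review bot: The added DEBUG call logs at SSSDBG_OP_FAILURE for a condition that is expected policy filtering and that any client issuing by-ID lookups can trigger repeatedly, so it can flood the failure-level log and bury real errors. The same applies to the group and object hunks. A trace-level message would fit better, and it should name the id and the domain so an operator can tell which range rejected the request, for example `DEBUG(SSSDBG_TRACE_FUNC, "uid %"PRIu32" is outside the id range of domain %s\n", data->id, domain->name);` (assuming `data->id` is a 32-bit unsigned id; its type is not visible here). The current text "exceeds min/max boundaries" is also misleading when the id is below `id_min`.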