[PATCH 2/3] s3-auth: Pass mem_ctx to auth_check_ntlm_password().

Andreas Schneider asn at samba.org
Tue Feb 18 06:50:58 MST 2014


Coverity-Id: 1168009
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598

Signed-off-by: Andreas Schneider <asn at samba.org>
---
 source3/auth/auth.c                         | 50 ++++++++++++++++++-----------
 source3/auth/auth_ntlmssp.c                 |  6 ++--
 source3/auth/proto.h                        |  8 +++--
 source3/rpc_server/netlogon/srv_netlog_nt.c |  6 ++--
 source3/torture/pdbtest.c                   |  5 ++-
 5 files changed, 48 insertions(+), 27 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 0fc8b63..7718142 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -160,18 +160,19 @@ static bool check_domain_match(const char *user, const char *domain)
  *
  **/
 
-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
-				  const struct auth_usersupplied_info *user_info, 
-				  struct auth_serversupplied_info **server_info)
+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
+				  const struct auth_context *auth_context,
+				  const struct auth_usersupplied_info *user_info,
+				  struct auth_serversupplied_info **pserver_info)
 {
 	/* if all the modules say 'not for me' this is reasonable */
 	NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
 	const char *unix_username;
 	auth_methods *auth_method;
-	TALLOC_CTX *mem_ctx;
 
-	if (!user_info || !auth_context || !server_info)
+	if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
 		return NT_STATUS_LOGON_FAILURE;
+	}
 
 	DEBUG(3, ("check_ntlm_password:  Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", 
 		  user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
@@ -205,17 +206,27 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
 		return NT_STATUS_LOGON_FAILURE;
 
 	for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
+		struct auth_serversupplied_info *server_info;
+		TALLOC_CTX *tmp_ctx;
 		NTSTATUS result;
 
-		mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
-				      user_info->mapped.domain_name, user_info->client.account_name);
+		tmp_ctx = talloc_named(mem_ctx,
+				       0,
+				       "%s authentication for user %s\\%s",
+				       auth_method->name,
+				       user_info->mapped.domain_name,
+				       user_info->client.account_name);
 
-		result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
+		result = auth_method->auth(auth_context,
+					   auth_method->private_data,
+					   tmp_ctx,
+					   user_info,
+					   &server_info);
 
 		/* check if the module did anything */
 		if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
 			DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
-			talloc_destroy(mem_ctx);
+			TALLOC_FREE(tmp_ctx);
 			continue;
 		}
 
@@ -229,19 +240,20 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
 				  auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
 		}
 
-		talloc_destroy(mem_ctx);
-
-		if ( NT_STATUS_IS_OK(nt_status))
-		{
-				break;			
+		if (NT_STATUS_IS_OK(nt_status)) {
+			*pserver_info = talloc_steal(mem_ctx, server_info);
+			TALLOC_FREE(tmp_ctx);
+			break;
 		}
+
+		TALLOC_FREE(tmp_ctx);
 	}
 
 	/* successful authentication */
 
 	if (NT_STATUS_IS_OK(nt_status)) {
-		unix_username = (*server_info)->unix_name;
-		if (!(*server_info)->guest) {
+		unix_username = (*pserver_info)->unix_name;
+		if (!(*pserver_info)->guest) {
 			const char *rhost;
 
 			if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
@@ -270,9 +282,9 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
 		}
 
 		if (NT_STATUS_IS_OK(nt_status)) {
-			DEBUG((*server_info)->guest ? 5 : 2, 
+			DEBUG((*pserver_info)->guest ? 5 : 2,
 			      ("check_ntlm_password:  %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
-			       (*server_info)->guest ? "guest " : "",
+			       (*pserver_info)->guest ? "guest " : "",
 			       user_info->client.account_name,
 			       user_info->mapped.account_name,
 			       unix_username));
@@ -286,7 +298,7 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
 	DEBUG(2, ("check_ntlm_password:  Authentication for user [%s] -> [%s] FAILED with error %s\n",
 		  user_info->client.account_name, user_info->mapped.account_name,
 		  nt_errstr(nt_status)));
-	ZERO_STRUCTP(server_info);
+	ZERO_STRUCTP(pserver_info);
 
 	return nt_status;
 }
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index f99bd44..cb7726c 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -134,8 +134,10 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 
 	mapped_user_info->flags = user_info->flags;
 
-	nt_status = auth_check_ntlm_password(auth_context,
-					     mapped_user_info, &server_info);
+	nt_status = auth_check_ntlm_password(mem_ctx,
+					     auth_context,
+					     mapped_user_info,
+					     &server_info);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index eac3e54..15b1ba0 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -65,6 +65,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
  * struct.  When the return is other than NT_STATUS_OK the contents 
  * of that structure is undefined.
  *
+ * @param mem_ctx   The memory context to use to allocate server_info
+ *
  * @param user_info Contains the user supplied components, including the passwords.
  *                  Must be created with make_user_info() or one of its wrappers.
  *
@@ -79,9 +81,9 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
  * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
  *
  **/
-
-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
-				  const struct auth_usersupplied_info *user_info, 
+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
+				  const struct auth_context *auth_context,
+				  const struct auth_usersupplied_info *user_info,
 				  struct auth_serversupplied_info **server_info);
 
 /* The following definitions come from auth/auth_builtin.c  */
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index e3e7a3e..f600f74 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1646,8 +1646,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 	} /* end switch */
 
 	if ( NT_STATUS_IS_OK(status) ) {
-		status = auth_check_ntlm_password(auth_context,
-			user_info, &server_info);
+		status = auth_check_ntlm_password(p->mem_ctx,
+						  auth_context,
+						  user_info,
+						  &server_info);
 	}
 
 	TALLOC_FREE(auth_context);
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index df2c326..990917f 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -304,7 +304,10 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 		return False;
 	}
 	
-	status = auth_check_ntlm_password(auth_context, user_info, &server_info);
+	status = auth_check_ntlm_password(mem_ctx,
+					  auth_context,
+					  user_info,
+					  &server_info);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
-- 
1.8.5.2




More information about the samba-technical mailing list