[PATCH 2/3] s3-auth: Pass mem_ctx to auth_check_ntlm_password().
Andreas Schneider
asn at samba.org
Tue Feb 18 06:50:58 MST 2014
Coverity-Id: 1168009
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
Signed-off-by: Andreas Schneider <asn at samba.org>
---
source3/auth/auth.c | 50 ++++++++++++++++++-----------
source3/auth/auth_ntlmssp.c | 6 ++--
source3/auth/proto.h | 8 +++--
source3/rpc_server/netlogon/srv_netlog_nt.c | 6 ++--
source3/torture/pdbtest.c | 5 ++-
5 files changed, 48 insertions(+), 27 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 0fc8b63..7718142 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -160,18 +160,19 @@ static bool check_domain_match(const char *user, const char *domain)
*
**/
-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
- const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
+ const struct auth_context *auth_context,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **pserver_info)
{
/* if all the modules say 'not for me' this is reasonable */
NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
const char *unix_username;
auth_methods *auth_method;
- TALLOC_CTX *mem_ctx;
- if (!user_info || !auth_context || !server_info)
+ if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
return NT_STATUS_LOGON_FAILURE;
+ }
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
@@ -205,17 +206,27 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
return NT_STATUS_LOGON_FAILURE;
for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
+ struct auth_serversupplied_info *server_info;
+ TALLOC_CTX *tmp_ctx;
NTSTATUS result;
- mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
- user_info->mapped.domain_name, user_info->client.account_name);
+ tmp_ctx = talloc_named(mem_ctx,
+ 0,
+ "%s authentication for user %s\\%s",
+ auth_method->name,
+ user_info->mapped.domain_name,
+ user_info->client.account_name);
- result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
+ result = auth_method->auth(auth_context,
+ auth_method->private_data,
+ tmp_ctx,
+ user_info,
+ &server_info);
/* check if the module did anything */
if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
- talloc_destroy(mem_ctx);
+ TALLOC_FREE(tmp_ctx);
continue;
}
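Review bot: The result of `talloc_named()` is passed to `auth_method->auth()` without a NULL check, and the new local `server_info` has no initializer. If the allocation fails, the module is handed a NULL context, so anything it allocates becomes a top-level talloc object that the later `TALLOC_FREE(tmp_ctx)` does not release. Add `if (tmp_ctx == NULL) { return NT_STATUS_NO_MEMORY; }` straight after the allocation and declare `struct auth_serversupplied_info *server_info = NULL;`, so a module that returns without setting the pointer cannot leave an indeterminate value for the later `talloc_steal()`. The loop body continues outside this hunk.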
@@ -229,19 +240,20 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
}
- talloc_destroy(mem_ctx);
-
- if ( NT_STATUS_IS_OK(nt_status))
- {
- break;
+ if (NT_STATUS_IS_OK(nt_status)) {
+ *pserver_info = talloc_steal(mem_ctx, server_info);
+ TALLOC_FREE(tmp_ctx);
+ break;
}
+
+ TALLOC_FREE(tmp_ctx);
}
/* successful authentication */
if (NT_STATUS_IS_OK(nt_status)) {
- unix_username = (*server_info)->unix_name;
- if (!(*server_info)->guest) {
+ unix_username = (*pserver_info)->unix_name;
+ if (!(*pserver_info)->guest) {
const char *rhost;
if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
@@ -270,9 +282,9 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG((*server_info)->guest ? 5 : 2,
+ DEBUG((*pserver_info)->guest ? 5 : 2,
("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
- (*server_info)->guest ? "guest " : "",
+ (*pserver_info)->guest ? "guest " : "",
user_info->client.account_name,
user_info->mapped.account_name,
unix_username));
@@ -286,7 +298,7 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
user_info->client.account_name, user_info->mapped.account_name,
nt_errstr(nt_status)));
- ZERO_STRUCTP(server_info);
+ ZERO_STRUCTP(pserver_info);
return nt_status;
}
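Review bot: `ZERO_STRUCTP(pserver_info)` on the failure path clears the caller's pointer but does not free a `server_info` that the loop has already moved onto `mem_ctx` with `talloc_steal()`. The second `NT_STATUS_IS_OK(nt_status)` test in the success block suggests the status can still become a failure after the steal (the code in between is outside these hunks); in that case the rejected logon's user info stays allocated on the caller's context until that context is freed. Consider setting `*pserver_info = NULL;` right after the argument check at the top of the function and using `TALLOC_FREE(*pserver_info);` here instead, so the failure path releases whatever was stolen and still returns a NULL pointer.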
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index f99bd44..cb7726c 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -134,8 +134,10 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
mapped_user_info->flags = user_info->flags;
- nt_status = auth_check_ntlm_password(auth_context,
- mapped_user_info, &server_info);
+ nt_status = auth_check_ntlm_password(mem_ctx,
+ auth_context,
+ mapped_user_info,
+ &server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index eac3e54..15b1ba0 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -65,6 +65,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
+ * @param mem_ctx The memory context to use to allocate server_info
+ *
* @param user_info Contains the user supplied components, including the passwords.
* Must be created with make_user_info() or one of its wrappers.
*
@@ -79,9 +81,9 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
**/
-
-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
- const struct auth_usersupplied_info *user_info,
+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
+ const struct auth_context *auth_context,
+ const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info);
/* The following definitions come from auth/auth_builtin.c */
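Review bot: The prototype still names the output parameter `server_info` while the definition in auth.c now calls it `pserver_info`; using `struct auth_serversupplied_info **pserver_info);` here keeps header and implementation in step. The doc comment, which starts outside this hunk, says the structure is undefined on a non-OK return, but the visible failure path in auth.c clears the pointer with `ZERO_STRUCTP(pserver_info)`. Documenting that the pointer is NULL on failure, and that on success the result is owned by `mem_ctx`, would tell callers exactly what they may rely on.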
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index e3e7a3e..f600f74 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1646,8 +1646,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
} /* end switch */
if ( NT_STATUS_IS_OK(status) ) {
- status = auth_check_ntlm_password(auth_context,
- user_info, &server_info);
+ status = auth_check_ntlm_password(p->mem_ctx,
+ auth_context,
+ user_info,
+ &server_info);
}
TALLOC_FREE(auth_context);
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index df2c326..990917f 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -304,7 +304,10 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
return False;
}
- status = auth_check_ntlm_password(auth_context, user_info, &server_info);
+ status = auth_check_ntlm_password(mem_ctx,
+ auth_context,
+ user_info,
+ &server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
--
1.8.5.2