From 18cbf559addfeb77ad83b81e23431295a3e5c6ae Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 6 May 2016 15:02:19 +0200
Subject: [PATCH] IPA: Handle requests for netgroups from trusted domains gracefully

In ipa_account_info_handler we first check if the request is for a user from a trusted domain and go that way for all request types. In contrast, in the ipa_account_info_done we first check if the requested object is a netgroup. If both are true, we first start a subdomain lookup send but then call netgroup lookup recv, which results in talloc type mismatch and crashes sssd_be.

Resolves: https://fedorahosted.org/sssd/ticket/3007
---
 src/providers/ipa/ipa_id.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index 29e22982c415220c931f0422e10cd06dfa1a195b..dff4b23580d8c7502a1fbe9c57d21b8c555883be 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -115,21 +115,27 @@ void ipa_account_info_handler(struct be_req *breq)
 return sdap_handler_done(breq, DP_ERR_OK, EOK, "Success");
 }
 
- if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
- /* if domain names do not match, this is a subdomain case
- * subdomain lookups are handled differently on the server
- * and the client
- */
- req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
-
- } else if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
+ if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
 /* netgroups are handled by a separate request function */
 if (ar->filter_type != BE_FILTER_NAME) {
 return sdap_handler_done(breq, DP_ERR_FATAL, EINVAL,
 "Invalid filter type");
 }
+
+ if ((strcasecmp(ar->domain, be_ctx->domain->name) != 0)) {
+ return sdap_handler_done(breq, DP_ERR_OK, EOK,
+ "netgroups in subdomains are "
+ "not handled\n");
+ }
+
 req = ipa_id_get_netgroup_send(breq, be_ctx->ev, ipa_ctx,
 ar->filter_value);
+ } else if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
+ /* if domain names do not match, this is a subdomain case
+ * subdomain lookups are handled differently on the server
+ * and the client
+ */
+ req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
 } else {
 /* any account request is handled by sdap,
 * any invalid request is caught there. */
--
2.4.11
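Review bot: The trailing `\n` in the new early-return message `"netgroups in subdomains are " "not handled\n"` is inconsistent with the other strings handed to `sdap_handler_done` in this hunk (`"Success"`, `"Invalid filter type"`), which carry no newline; presumably the string becomes the request's error text rather than a log line, so dropping the `\n` looks right — confirm against `sdap_handler_done`. The doubled parentheses in `if ((strcasecmp(ar->domain, be_ctx->domain->name) != 0))` are redundant; `if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {` matches the sibling `else if` added below it. Because that branch answers with `DP_ERR_OK`/`EOK`, a netgroup lookup against a trusted domain now quietly resolves as not found rather than crashing, so a debug log line at that return would help an administrator diagnosing a netgroup that never appears. The final `else` branch of ipa_account_info_handler continues past the end of the hunk.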