s4:rpc_server/netlogon: check auth_level for validation level 6 already in dcesrv_net...
authorStefan Metzmacher <metze@samba.org>
Fri, 21 Jul 2017 05:39:11 +0000 (07:39 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Mon, 7 Aug 2017 13:20:03 +0000 (15:20 +0200)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source4/rpc_server/netlogon/dcerpc_netlogon.c

index 2ed0840..a9917b8 100644 (file)
@@ -849,7 +849,8 @@ static WERROR dcesrv_netr_LogonUasLogoff(struct dcesrv_call_state *dce_call, TAL
 }
 
 
-static NTSTATUS dcesrv_netr_LogonSamLogon_check(const struct netr_LogonSamLogonEx *r)
+static NTSTATUS dcesrv_netr_LogonSamLogon_check(struct dcesrv_call_state *dce_call,
+                                               const struct netr_LogonSamLogonEx *r)
 {
        switch (r->in.logon_level) {
        case NetlogonInteractiveInformation:
@@ -905,6 +906,17 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_check(const struct netr_LogonSamLogonE
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       switch (r->in.validation_level) {
+       case NetlogonValidationSamInfo4: /* 6 */
+               if (dce_call->conn->auth_state.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+               break;
+
+       default:
+               break;
+       }
+
        return NT_STATUS_OK;
 }
 
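Review bot: The sealing requirement for validation level 6 is now enforced only in this pre-check, because the third hunk removes it from `case 6:` in dcesrv_netr_LogonSamLogon_base, so any path that reaches _base without first calling dcesrv_netr_LogonSamLogon_check would get to the level-6 conversion on a connection below DCERPC_AUTH_LEVEL_PRIVACY. The two call sites updated in this diff (dcesrv_netr_LogonSamLogonEx and dcesrv_netr_LogonSamLogonWithFlags) do call the check first; whether _base has other callers is not visible here. I would record that invariant in a comment above the case, for example `/* level 6 is only allowed on sealed (privacy) connections; dcesrv_netr_LogonSamLogon_base relies on this check */`, since `/* 6 */` only restates the enum value. The `default: break;` arm also lets every other validation_level through this function, and where unsupported levels are rejected lies outside the hunk.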
@@ -1138,10 +1150,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
                break;
 
        case 6:
-               if (dce_call->conn->auth_state.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
-                       return NT_STATUS_INVALID_PARAMETER;
-               }
-
                nt_status = auth_convert_user_info_dc_saminfo6(mem_ctx,
                                                               user_info_dc,
                                                               &sam6);
@@ -1172,7 +1180,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
 
        *r->out.authoritative = 1;
 
-       nt_status = dcesrv_netr_LogonSamLogon_check(r);
+       nt_status = dcesrv_netr_LogonSamLogon_check(dce_call, r);
        if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
@@ -1217,7 +1225,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce
 
        *r->out.authoritative = 1;
 
-       nt_status = dcesrv_netr_LogonSamLogon_check(&r2);
+       nt_status = dcesrv_netr_LogonSamLogon_check(dce_call, &r2);
        if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }