From 7f86b26a35e86139b991d42b61321cbc8fa68416 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 26 Aug 2008 10:27:00 +1000
Subject: [PATCH] Only allow the trust in the correct direction (per the flags).

(This used to be commit 2c7195429411d68bc66f4100659c622df4f5a20a)
---
 source4/kdc/hdb-ldb.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 95c60e2c78c..ef3a0bcb8ac 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -45,6 +45,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "librpc/ndr/libndr.h"
 #include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "librpc/gen_ndr/lsa.h"
 #include "libcli/auth/libcli_auth.h"
 #include "param/param.h"
 #include "events/events.h"
@@ -56,9 +57,9 @@ enum hdb_ldb_ent_type
 HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_TRUST, HDB_LDB_ENT_TYPE_ANY };
 
 enum trust_direction {
- INBOUND,
- OUTBOUND,
- UNKNOWN
+ UNKNOWN = 0,
+ INBOUND = LSA_TRUST_DIRECTION_INBOUND,
+ OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
 };
 
 static const char *realm_ref_attrs[] = {
@@ -751,6 +752,11 @@ static krb5_error_code LDB_trust_message2entry(krb5_context context, HDB *db,
 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
 }
 
+ if (!password_val || !(trust_direction_flags & direction)) {
+ ret = ENOENT;
+ goto out;
+ }
+
 ndr_err = ndr_pull_struct_blob_all(password_val, mem_ctx, private->iconv_convenience, &password_blob,
 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- 
2.34.1
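Review bot: The redefined `enum trust_direction` in the second hunk has no comment saying that its values are now load-bearing for an access decision. The new `trust_direction_flags & direction` test in LDB_trust_message2entry only works while `INBOUND` and `OUTBOUND` stay equal to the LSA direction bits, so I would add above the enum `/* Values must stay equal to the LSA_TRUST_DIRECTION_* bits: they are masked against the trust's direction flags. */`. The same comment should state that `UNKNOWN = 0` can never match a mask, so a lookup made with `UNKNOWN` is always refused; that looks intended but is not obvious from the definition.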
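Review bot: The guard added in the third hunk returns the same silent `ENOENT` for two different situations: the trust object has no password blob for the requested side, and the request is in a direction the trust flags do not allow. The second is a policy refusal that an operator investigating cross-realm activity would want to see, so I would split the condition and log it before `goto out`, e.g. `krb5_warnx(context, "trust request refused: direction not permitted by trust flags");`. LDB_trust_message2entry begins and ends outside this hunk, so where `trust_direction_flags` is read and how callers translate `ENOENT` are not visible here. It is worth confirming that the flags default to 0 when the attribute is absent, and that the caller reports this as a missing entry rather than a generic failure.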