Only allow the trust in the correct direction (per the flags).

1 files changed, 9 insertions, 3 deletions

diff --git a/source/kdc/hdb-ldb.c b/source/kdc/hdb-ldb.c
index 95c60e2c78c..ef3a0bcb8ac 100644
--- a/source/kdc/hdb-ldb.c
+++ b/source/kdc/hdb-ldb.c
@@ -45,6 +45,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "librpc/ndr/libndr.h"
 #include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "librpc/gen_ndr/lsa.h"
 #include "libcli/auth/libcli_auth.h"
 #include "param/param.h"
 #include "events/events.h"
@@ -56,9 +57,9 @@ enum hdb_ldb_ent_type
   HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_TRUST, HDB_LDB_ENT_TYPE_ANY };
 
 enum trust_direction {
-	INBOUND,
-	OUTBOUND,
-	UNKNOWN
+	UNKNOWN = 0,
+	INBOUND = LSA_TRUST_DIRECTION_INBOUND, 
+	OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
 };
 
 static const char *realm_ref_attrs[] = {
@@ -751,6 +752,11 @@ static krb5_error_code LDB_trust_message2entry(krb5_context context, HDB *db,
 		password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
 	}
 
+	if (!password_val || !(trust_direction_flags & direction)) {
+		ret = ENOENT;
+		goto out;
+	}
+
 	ndr_err = ndr_pull_struct_blob_all(password_val, mem_ctx, private->iconv_convenience, &password_blob,
 					   (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {