3.1.4.10 Data Validation

Data types defined in section 2.2 are subject to a set of validation rules, in addition to any already noted. For structures that contain other structures or sets of other structures, the validation for those structures MUST be enforced when validating the containing structure. All constraints in the following tables MUST be satisfied; on failure, an error NTSTATUS code MUST be returned.

Data type

Validations

LSA_UNICODE_STRING

RPC_UNICODE_STRING

LSAPR_CR_CIPHER_VALUE

  • Length MUST be a multiple of 2.<114>

  • Length MUST be less than or equal to MaximumLength.

  • If Length is not 0, Buffer MUST NOT be NULL.

  • The Buffer field MUST NOT contain any NULL Unicode characters in the first Length bytes.<115>

RPC_SID

  • Revision MUST be 1.

  • SubAuthorityCount MUST be less than or equal to 15.

Additionally, if the security identifier (SID) is a domain SID:

  • IdentifierAuthority MUST be {0,0,0,0,0,5}.

  • SubAuthorityCount MUST be greater than 3.

  • SubAuthority[0] MUST be 0x15.

LSAPR_SR_SECURITY_DESCRIPTOR

LSAPR_LUID_AND_ATTRIBUTES

  • Luid.HighPart SHOULD NOT be 0.<116>

  • Luid.LowPart SHOULD be less than or equal to 35.<117>

  • Attributes SHOULD have only combinations of bits (0x00000001 & 0x00000002) set.<118>

LSAPR_PRIVILEGE_SET

  • If PrivilegeCount is not 0, Privilege MUST NOT be NULL.

  • Each Privilege MUST pass validation for LSAPR_LUID_AND_ATTRIBUTES.

  • There MUST be no duplicate elements in the Privilege array.

LSAPR_OBJECT_ATTRIBUTES

RootDirectory MUST be NULL.

ACCESS_MASK

SHOULD conform to the defined bits for ACCESS_MASK.

POLICY_INFORMATION_CLASS

MUST be greater than or equal to one and MUST be less than the PolicyLastEntry enumeration value (section 2.2.4.1).

POLICY_AUDIT_LOG_INFO

No additional validation.

LSAPR_POLICY_AUDIT_EVENTS_INFO

  • MaximumAuditEventCount MUST NOT be 0.

  • MaximumAuditEventCount MUST be less than or equal to 8.

  • EventAuditingOptions MUST NOT be NULL.

  • The bitwise AND of EventAuditingOptions and 0xFFFFFFF8 MUST be 0.

LSAPR_POLICY_ACCOUNT_DOM_INFO

  • DomainName MUST satisfy RPC_UNICODE_STRING validations.

  • DomainSid MUST satisfy RPC_SID validations, including those for domain SIDs.

LSAPR_POLICY_PRIMARY_DOM_INFO

  • Name MUST satisfy RPC_UNICODE_STRING validations.

  • Name.Length MUST be less than or equal to 30.

  • SID MUST either be NULL or satisfy RPC_SID validations, including those for domain SIDs.

LSAPR_POLICY_DNS_DOMAIN_INFO

  • Name MUST pass RPC_UNICODE_STRING validations.

  • Name.Length MUST be less than or equal to 30.

  • DnsDomainName MUST satisfy RPC_UNICODE_STRING validations.

  • DnsForestName MUST satisfy RPC_UNICODE_STRING validations.

  • SID MUST either be NULL or satisfy RPC_SID validations, including those for domain SID.

LSAPR_POLICY_PD_ACCOUNT_INFO

Name MUST satisfy RPC_UNICODE_STRING validations.

POLICY_LSA_SERVER_ROLE_INFO

LsaServerRole MUST be 2 or 3.

LSAPR_POLICY_MACHINE_ACCT_INFO

  • Rid MUST be 0 or greater than 0x000003E7.

  • If Rid is 0, Sid MUST be NULL.

  • If Rid is not 0, Sid MUST NOT be NULL. In this case, Rid MUST equal the last sub-authority of Sid.

  • If Sid is not NULL, it MUST satisfy RPC_SID validations, including those for domain SID.

LSAPR_CR_CIPHER_VALUE

MaximumLength MUST be greater than or equal to Length.

LSAPR_POLICY_REPLICA_SRCE_INFO

  • ReplicaSource MUST satisfy RPC_UNICODE_STRING validation.

  • ReplicaAccountName MUST satisfy RPC_UNICODE_STRING validation.

POLICY_MODIFICATION_INFO

ModifiedId MUST NOT be 0.

POLICY_AUDIT_FULL_SET_INFO

No validation.

LSAPR_POLICY_DOMAIN_EFS_INFO

If InfoLength is not 0, EfsBlob MUST NOT be NULL.

TRUSTED_INFORMATION_CLASS

MUST be greater than or equal to 1 and less than or equal to 13.

LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION

  • If IncomingAuthInfos is not 0, IncomingAuthenticationInformation MUST NOT be NULL.

  • IncomingAuthInfos MUST be 0 or 1.

  • If OutgoingAuthInfos is not 0, OutgoingAuthenticationInformation MUST NOT be NULL.

  • OutgoingAuthInfos MUST be 0 or 1.

  • Each IncomingPreviousAuthenticationInformation MUST satisfy validation for LSAPR_AUTH_INFORMATION.

  • Each IncomingAuthenticationInformation MUST satisfy validation for LSAPR_AUTH_INFORMATION.

  • Each OutgoingPreviousAuthenticationInformation MUST satisfy validation for LSAPR_AUTH_INFORMATION.

  • Each OutgoingAuthenticationInformation MUST satisfy validation for LSAPR_AUTH_INFORMATION.

LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION

  • Information MUST satisfy LSAPR_TRUSTED_DOMAIN_INFORMATION_EX validation.

  • AuthInformation MUST satisfy LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION validation.

LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION2

  • Information MUST satisfy LSAPR_TRUSTED_DOMAIN_INFORMATION_EX2 validation.

  • FlatName MUST satisfy RPC_UNICODE_STRING validation.

  • SID MUST be NULL or satisfy RPC_SID validation, including domain SID validation.

  • If ForestTrustLength is not 0, ForestTrustInfo MUST NOT be NULL.

LSAPR_AUTH_INFORMATION

If AuthInfoLength is not 0, AuthInfo MUST NOT be NULL.

LSA_FOREST_TRUST_DOMAIN_INFO

  • SID MUST satisfy RPC_SID validation, including domain SID validation.

  • DnsName MUST satisfy RPC_UNICODE_STRING validation.

  • NetbiosName MUST satisfy RPC_UNICODE_STRING validation.

LSA_FOREST_TRUST_BINARY_DATA

If Length is not 0, Buffer MUST NOT be NULL.

LSA_FOREST_TRUST_RECORD

  • For ForestTrustType = ForestTrustTopLevelName or ForestTrustTopLevelNameEx, ForestTrustData.TopLevelName MUST satisfy RPC_UNICODE_STRING validation.

  • For ForestTrustType = ForestTrustDomainInfo, ForestTrustData.DomainInfo MUST satisfy LSA_FOREST_TRUST_DOMAIN_INFO validation.

LSA_FOREST_TRUST_INFORMATION

  • If RecordCount is not 0, Entries MUST NOT be NULL.

  • Each one of Entries MUST satisfy LSA_FOREST_TRUST_RECORD validation.

LSA_FOREST_TRUST_COLLISION_RECORD

Name MUST satisfy RPC_UNICODE_STRING validation.

LSA_FOREST_TRUST_COLLISION_INFORMATION

  • If RecordCount is not 0, Entries MUST NOT be NULL.

  • Each one of Entries MUST satisfy LSA_FOREST_TRUST_COLLISION_RECORD validation.

LSAPR_HANDLE

MUST NOT be NULL.

LSAPR_ACCOUNT_INFORMATION

SID MUST satisfy RPC_SID validation.

LSAPR_ACCOUNT_ENUM_BUFFER

  • If EntriesRead is not 0, Information MUST NOT be NULL.

  • Each Information element MUST satisfy LSAPR_ACCOUNT_INFORMATION validation.

LSAPR_POLICY_PRIVILEGE_DEF

Name MUST satisfy RPC_UNICODE_STRING validation.

LSAPR_PRIVILEGE_ENUM_BUFFER

  • If Entries is not 0, Privileges MUST NOT be NULL.

  • Each element in Entries MUST satisfy LSAPR_POLICY_PRIVILEGE_DEF validation.

LSAPR_TRUSTED_DOMAIN_INFORMATION_BASIC

  • Name MUST satisfy RPC_UNICODE_STRING validation.

  • SID MUST be NULL or MUST satisfy RPC_SID validation including domain SID validation.

LSAPR_TRUSTED_ENUM_BUFFER

  • If EntriesRead is not 0, Information MUST NOT be NULL.

  • Each element in Information MUST satisfy LSAPR_TRUST_INFORMATION validation.

LSAPR_TRUSTED_PASSWORD_INFO

OldPassword and Password MUST satisfy LSAPR_CR_CIPHER_VALUE validation.

LSAPR_TRUSTED_DOMAIN_NAME_INFO

Name MUST satisfy RPC_UNICODE_STRING validation.

LSAPR_USER_RIGHT_SET

  • If Entries is not 0, UserRights MUST NOT be NULL.

  • Each element in UserRights MUST satisfy RPC_UNICODE_STRING validation.

LSAPR_TRUSTED_DOMAIN_INFORMATION_EX

  • Name MUST satisfy RPC_UNICODE_STRING validation.

  • FlatName MUST satisfy RPC_UNICODE_STRING validation.

  • SID MUST be NULL or MUST satisfy RPC_SID validation including domain SID validation.
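
The following added example (not part of the specification) shows how the RPC_UNICODE_STRING, RPC_SID and LSAPR_POLICY_MACHINE_ACCT_INFO rules above compose, with the contained SID validated before the containing structure reads from it. The ex_* type names, their simplified layouts, the ST_* macros and the choice of STATUS_INVALID_PARAMETER as the returned error are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define ST_OK      0x00000000u  /* STATUS_SUCCESS */
#define ST_INVALID 0xC000000Du  /* STATUS_INVALID_PARAMETER, the error chosen for this sketch */

/* Simplified stand-ins for the section 2.2 types (assumed layouts, not the IDL). */
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } ex_ustr;
typedef struct { uint8_t Revision, SubAuthorityCount, IdentifierAuthority[6];
                 uint32_t SubAuthority[15]; } ex_sid;
typedef struct { uint32_t Rid; const ex_sid *Sid; } ex_machine_acct;

/* RPC_UNICODE_STRING: size checks run first so the scan stays inside the buffer. */
uint32_t validate_ustr(const ex_ustr *s) {
    if (s == NULL || s->Length % 2 != 0) return ST_INVALID;
    if (s->Length > s->MaximumLength) return ST_INVALID;
    if (s->Length != 0 && s->Buffer == NULL) return ST_INVALID;
    for (size_t i = 0; i < s->Length / 2u; i++)
        if (s->Buffer[i] == 0) return ST_INVALID;  /* NULL character inside Length */
    return ST_OK;
}

/* RPC_SID; the domain-SID rules are applied as well when domain is nonzero. */
uint32_t validate_sid(const ex_sid *p, int domain) {
    static const uint8_t nt_authority[6] = {0, 0, 0, 0, 0, 5};
    if (p == NULL || p->Revision != 1 || p->SubAuthorityCount > 15) return ST_INVALID;
    if (!domain) return ST_OK;
    if (memcmp(p->IdentifierAuthority, nt_authority, 6) != 0) return ST_INVALID;
    if (p->SubAuthorityCount <= 3 || p->SubAuthority[0] != 0x15) return ST_INVALID;
    return ST_OK;
}

/* LSAPR_POLICY_MACHINE_ACCT_INFO: the contained SID is validated before it is indexed. */
uint32_t validate_machine_acct(const ex_machine_acct *m) {
    if (m == NULL || (m->Rid != 0 && m->Rid <= 0x000003E7)) return ST_INVALID;
    if (m->Rid == 0) return m->Sid == NULL ? ST_OK : ST_INVALID;
    if (m->Sid == NULL || validate_sid(m->Sid, 1) != ST_OK) return ST_INVALID;
    if (m->Sid->SubAuthority[m->Sid->SubAuthorityCount - 1] != m->Rid) return ST_INVALID;
    return ST_OK;
}

int main(void) {
    /* Constructed sample: S-1-5-21-1-2-3-1000 with a matching and a mismatched Rid. */
    ex_sid sid = {1, 5, {0, 0, 0, 0, 0, 5}, {0x15, 1, 2, 3, 1000}};
    ex_machine_acct good = {1000, &sid}, bad = {1001, &sid};
    return (validate_machine_acct(&good) == ST_OK &&
            validate_machine_acct(&bad) == ST_INVALID) ? 0 : 1;
}
```

Because the Length versus MaximumLength and NULL-buffer checks run before the character scan, and the SubAuthorityCount checks run before the last sub-authority is indexed, a malformed structure is rejected without reading outside it.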