Commit 4f86beea authored by Tim Beale, committed by Karolin Seeger

CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int

Commit 442a38c9 refactored some code into a new
get_lockout_observation_window() function. However, in moving the code,
an ldb_msg_find_attr_as_int64() inadvertently got converted to a
ldb_msg_find_attr_as_int().

ldb_msg_find_attr_as_int() will only work for values up to -2147483648
(about 3.5 minutes in MS timestamp form). Unfortunately, the automated
tests used a low enough timeout that they still worked, however,
password lockout would not work with the Samba default settings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent ec9cc4ed
samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_krb5\(ad_dc_ntvfs\)
samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_ntlm\(ad_dc_ntvfs\)
samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_ntlm\(ad_dc_ntvfs\)
samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_krb5\(ad_dc_ntvfs\)
......@@ -5400,12 +5400,12 @@ static int64_t get_lockout_observation_window(struct ldb_message *domain_msg,
struct ldb_message *pso_msg)
{
if (pso_msg != NULL) {
return ldb_msg_find_attr_as_int(pso_msg,
"msDS-LockoutObservationWindow",
0);
return ldb_msg_find_attr_as_int64(pso_msg,
"msDS-LockoutObservationWindow",
0);
} else {
return ldb_msg_find_attr_as_int(domain_msg,
"lockOutObservationWindow", 0);
return ldb_msg_find_attr_as_int64(domain_msg,
"lockOutObservationWindow", 0);
}
}
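Review bot: get_lockout_observation_window() carries no comment, above the function or at either return in the if/else, saying that msDS-LockoutObservationWindow and lockOutObservationWindow must be read as 64-bit values. Because the function returns int64_t, the result of ldb_msg_find_attr_as_int() is widened implicitly and the compiler accepts it without complaint, so the same slip can come back in a later refactor. Suggest a one-line comment above the function stating that the window is a 64-bit interval and has to be fetched with ldb_msg_find_attr_as_int64().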