CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()
commit 5eb5daaa1521d424ebde5a4d06ad05c9cdfc7996
author Joseph Sutton <josephsutton@catalyst.net.nz>
Fri, 1 Jul 2022 03:04:41 +0000 (1 15:04 +1200)
committer Jule Anger <janger@samba.org>
Sun, 18 Sep 2022 16:46:09 +0000 (18 16:46 +0000)
tree b568a08387099894b23a585267379505d7c0ec0c
parent 29b31129fd372513ad24e56ec4caab6844e2ed72
CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()

If we find that the user has been locked out sometime during the request
(due to a race), we will now return an error code.

Note that we cannot avoid the MIT KDC aspect of the issue by checking
the return status of mit_samba_zero_bad_password_count(), because
kdb_vftabl::audit_as_req() returning void means we cannot pass on the
result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b1e740896ebae14ba64250da2f718e1d707e9eed)
source4/kdc/hdb-samba4.c