svn rev #25513: branches/krb5-1-9/src/plugins/kdb/ldap/libkdb_ldap/
tlyu@MIT.EDU
Mon Dec 5 16:38:44 EST 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=25513
Commit By: tlyu
Log Message:
ticket: 7040
version_fixed: 1.9.3
status: resolved
pull up r25480 from trunk, minus a non-applying manpage patch
------------------------------------------------------------------------
r25480 | ghudson | 2011-11-20 00:19:45 -0500 (Sun, 20 Nov 2011) | 13 lines
ticket: 7021
subject: Fix failure interval of 0 in LDAP lockout code
target_version: 1.10
tags: pullup
A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit). It should be treated as forever, as in
the DB2 back end.
This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.
Changed Files:
U branches/krb5-1-9/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
Modified: branches/krb5-1-9/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
===================================================================
--- branches/krb5-1-9/src/plugins/kdb/ldap/libkdb_ldap/lockout.c 2011-12-05 20:53:52 UTC (rev 25512)
+++ branches/krb5-1-9/src/plugins/kdb/ldap/libkdb_ldap/lockout.c 2011-12-05 21:38:44 UTC (rev 25513)
@@ -131,7 +131,7 @@
code = lookup_lockout_policy(context, entry, &max_fail,
&failcnt_interval,
&lockout_duration);
- if (code != 0 || failcnt_interval == 0)
+ if (code != 0)
return code;
if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
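Review bot: The remaining `if (code != 0)` check has no comment explaining that a `failcnt_interval` of 0 now falls through to `locked_check_p`, and the change comes with no test for that case. The removed condition returned `code`, which is 0 after a successful lookup, whenever the interval was 0, so those principals skipped the lockout check entirely. A one-line comment stating that an interval of 0 means "forever", as the log message puts it, would keep the shortcut from being reintroduced. `failcnt_interval` is still fetched by `lookup_lockout_policy` but is not passed to `locked_check_p` in the lines shown, so it is worth checking whether this function still needs the local. The log message also mentions `krb5_ldap_lockout_audit`, which this diff does not touch; a regression test with an interval of 0 and `max_fail` reached would confirm that the check and audit paths agree.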