On 01/16/2013 06:57 PM, Simo Sorce wrote:
On Wed, 2013-01-16 at 18:32 +0100, Tomas Babej wrote:

They all use ipadb_ldap_attr_to_time_t() to get their values,
so the following addition to the patch should be sufficient.
It will break dates for other users of the function that do not need to
artificially limit the results. Please add a new function.

Simo.

Done.

Tomas
ACK

Simo

Self-ACK-deny, I just realized that I forgot to change the function calls.

Tomas
>From ff4617b133def655dd6457c90c9211d2ed447723 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 14 Jan 2013 10:19:44 -0500
Subject: [PATCH] Prevent integer overflow when setting krbPasswordExpiration

Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.

This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).

The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.

https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114
---
 daemons/ipa-kdb/ipa_kdb_common.c     | 14 ++++++++++++++
 daemons/ipa-kdb/ipa_kdb_passwords.c  |  5 +++++
 daemons/ipa-kdb/ipa_kdb_principals.c | 16 ++++++++--------
 util/ipa_pwd.h                       |  3 +++
 4 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 71df9634c4e25378494b165db9a9381f2b8fc206..6b8411f631028c73f01792982f9dd5416e688f6c 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -480,6 +480,20 @@ int ipadb_ldap_attr_to_time_t(LDAP *lcontext, LDAPMessage *le,
     return ret;
 }
 
+int ipadb_ldap_attr_to_krb5_timestamp(LDAP *lcontext, LDAPMessage *le,
+                                      char *attrname, time_t *result)
+{
+    int ret = ipadb_ldab_attr_to_time_t(lcontext, le,
+                                        attrname, result);
+
+    /* in the case of integer owerflow, set result to IPAPWD_END_OF_TIME */
+    if ((*result+86400) < 0) {
+        *result = IPAPWD_END_OF_TIME; // 1 Jan 2038, 00:00 GMT
+    }
+
+    return ret;
+}
+
 int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
                               char *attrname, char *value)
 {
diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index b6520ea75a78474f6f7761311c9d165924e88b27..a1fda16fe5b1bb5c6cfc30dd03c2eb12c26a7714 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -246,6 +246,11 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
         *expire_time = mod_time;
     }
 
+    /* in the case of integer owerflow, set expiration to IPAPWD_END_OF_TIME */
+    if ((*expire_time+86400) < 0) {
+        *expire_time = IPAPWD_END_OF_TIME; // 1 Jan 2038, 00:00 GMT
+    }
+
     kerr = 0;
 
 done:
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 62155816201f705b7828c861915bf63c6b00177b..68caee69b55f506cde4dc745e14d8bcf631a44fb 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -286,8 +286,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
         *polmask |= MAXRENEWABLEAGE_BIT;
     }
 
-    ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
-                                    "krbPrincipalexpiration", &restime);
+    ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+                                           "krbPrincipalexpiration", &restime);
     switch (ret) {
     case 0:
         entry->expiration = restime;
@@ -298,8 +298,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
         goto done;
     }
 
-    ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
-                                    "krbPasswordExpiration", &restime);
+    ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+                                           "krbPasswordExpiration", &restime);
     switch (ret) {
     case 0:
         entry->pw_expiration = restime;
@@ -310,8 +310,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
         goto done;
     }
 
-    ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
-                                    "krbLastSuccessfulAuth", &restime);
+    ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+                                           "krbLastSuccessfulAuth", &restime);
     switch (ret) {
     case 0:
         entry->last_success = restime;
@@ -322,8 +322,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
         goto done;
     }
 
-    ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
-                                    "krbLastFailedAuth", &restime);
+    ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+                                           "krbLastFailedAuth", &restime);
     switch (ret) {
     case 0:
         entry->last_failed = restime;
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index 00de889ff53cdc113a6c926e35c87e7b08238e4a..a6990cac6333bf2582fb071a507001b10145df6d 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -27,6 +27,9 @@
 #define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
 #define IPAPWD_DEFAULT_MINLEN 0
 
+/* 1 Jan 2038, 00:00 GMT */
+#define IPAPWD_END_OF_TIME 2145916800
+
 /*
  * IMPORTANT: please update error string table in ipa_pwd.c if you change this
  * error code table.
-- 
1.8.0.2

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to