diff options
| author | Greg Hudson <ghudson@mit.edu> | 2011-11-20 05:19:45 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2011-11-20 05:19:45 +0000 |
| commit | 4a84d4137426d0951d5565adef30efebab719d23 (patch) | |
| tree | 7766a40972a4320d3c3408e3d65f2eed9ab237cb /src/plugins/kdb | |
| parent | 3820268fb7e226be78218b9853723f8d4c9c924a (diff) | |
| download | krb5-4a84d4137426d0951d5565adef30efebab719d23.tar.gz krb5-4a84d4137426d0951d5565adef30efebab719d23.tar.xz krb5-4a84d4137426d0951d5565adef30efebab719d23.zip | |
Fix failure interval of 0 in LDAP lockout code
A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit). It should be treated as forever, as in
the DB2 back end.
This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.
ticket: 7021
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/kdb')
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/lockout.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c index 36505f8320..83d79e098a 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c @@ -127,7 +127,7 @@ krb5_ldap_lockout_check_policy(krb5_context context, code = lookup_lockout_policy(context, entry, &max_fail, &failcnt_interval, &lockout_duration); - if (code != 0 || failcnt_interval == 0) + if (code != 0) return code; if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) |