author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2011-10-13 08:48:08 +0200 |
---|---|---|
committer | Matthias Dieter Wallnöfer <mdw@samba.org> | 2011-10-27 18:52:29 +0200 |
commit | 6287d0d61c1b63f399edc901133a6f61069224a6 (patch) | |
tree | 48b01e433a56ebb4be62b2ae87107226e1d3a0aa | |
parent | bb02aa5e0020e9f41d353d59889888caf9867b91 (diff) | |
s4:objectclass_attrs LDB module - implement the dSHeuristics length checks correctly
Consider bug #8489
Reviewed-by: abartlet
-rw-r--r-- | libds/common/flags.h | 10 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 42 |
2 files changed, 46 insertions, 6 deletions
diff --git a/libds/common/flags.h b/libds/common/flags.h
index 714251dff5..c25a9e9101 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -239,7 +239,15 @@
 #define DS_HR_COMPUTE_ANR_STATS 0x0000000F
 #define DS_HR_ADMINSDEXMASK 0x00000010
 #define DS_HR_KVNOEMUW2K 0x00000011
-#define DS_HR_LDAP_BYPASS_UPPER_LIMIT_BOUNDS 0x00000012
+
+#define DS_HR_TWENTIETH_CHAR 0x00000014
+#define DS_HR_THIRTIETH_CHAR 0x0000001E
+#define DS_HR_FOURTIETH_CHAR 0x00000028
+#define DS_HR_FIFTIETH_CHAR 0x00000032
+#define DS_HR_SIXTIETH_CHAR 0x0000003C
+#define DS_HR_SEVENTIETH_CHAR 0x00000046
+#define DS_HR_EIGHTIETH_CHAR 0x00000050
+#define DS_HR_NINETIETH_CHAR 0x0000005A
 /* mS-DS-ReplicatesNCReason */
 #define NTDSCONN_KCC_GC_TOPOLOGY 0x00000001
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index b6f91651dc..d45c46fdb9 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
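Review bot: The new `DS_HR_*_CHAR` macros in flags.h are character positions written in hex (`0x00000014` is position 20, `0x0000005A` is position 90), and nothing in the header says what they index or that the validator subtracts one before using them. A comment above the block, for example `/* 1-based positions of the decade markers: character 10*n of dSHeuristics must be the digit n */`, would make the rule readable without opening objectclass_attrs.c. Removing `DS_HR_LDAP_BYPASS_UPPER_LIMIT_BOUNDS` also breaks any other user of that name; only one caller is updated in this commit, so the tree should be checked for others.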
@@ -72,15 +72,47 @@ static struct oc_context *oc_init_context(struct ldb_module *module,
 static int oc_op_callback(struct ldb_request *req, struct ldb_reply *ares);
-/* checks correctness of dSHeuristics attribute
- * as described in MS-ADTS 7.1.1.2.4.1.2 dSHeuristics */
+/*
+ * Checks the correctness of the "dSHeuristics" attribute as described in both
+ * MS-ADTS 7.1.1.2.4.1.2 dSHeuristics and MS-ADTS 3.1.1.5.3.2 Constraints
+ */
 static int oc_validate_dsheuristics(struct ldb_message_element *el)
 {
 if (el->num_values > 0) {
- if (el->values[0].length > DS_HR_LDAP_BYPASS_UPPER_LIMIT_BOUNDS) {
+ if ((el->values[0].length >= DS_HR_NINETIETH_CHAR) &&
+ (el->values[0].data[DS_HR_NINETIETH_CHAR-1] != '9')) {
 return LDB_ERR_CONSTRAINT_VIOLATION;
- } else if (el->values[0].length >= DS_HR_TENTH_CHAR
- && el->values[0].data[DS_HR_TENTH_CHAR-1] != '1') {
+ }
+ if ((el->values[0].length >= DS_HR_EIGHTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_EIGHTIETH_CHAR-1] != '8')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_SEVENTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_SEVENTIETH_CHAR-1] != '7')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_SIXTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_SIXTIETH_CHAR-1] != '6')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_FIFTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_FIFTIETH_CHAR-1] != '5')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_FOURTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_FOURTIETH_CHAR-1] != '4')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_THIRTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_THIRTIETH_CHAR-1] != '3')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_TWENTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_TWENTIETH_CHAR-1] != '2')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_TENTH_CHAR) &&
+ (el->values[0].data[DS_HR_TENTH_CHAR-1] != '1')) {
 return LDB_ERR_CONSTRAINT_VIOLATION;
 }
 } |
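Review bot: The nine copy-pasted checks in oc_validate_dsheuristics differ only in the position macro and the expected digit, so a mismatched pair in any one of them would silently weaken validation of this attribute and be hard to spot in review. A loop over the decade positions states the rule once and keeps the `length >=` guard ahead of every index, so reads stay inside the value. The sketch below assumes `DS_HR_TENTH_CHAR` is 10, which the naming of the new macros suggests but the page does not show. No test for the boundary lengths (9, 10, 19, 20, up to 90) is visible in this commit and one would be worth adding. The function's final return lies outside the hunk.

```c
static int oc_validate_dsheuristics(struct ldb_message_element *el)
{
	/* … unchanged: if (el->num_values > 0) { … */
		const struct ldb_val *val = &el->values[0];
		size_t pos;

		/* character 10*n, when present, must be the digit n (1..9) */
		for (pos = DS_HR_TENTH_CHAR; pos <= DS_HR_NINETIETH_CHAR;
		     pos += DS_HR_TENTH_CHAR) {
			if ((val->length >= pos) &&
			    (val->data[pos - 1] != '0' + pos / DS_HR_TENTH_CHAR)) {
				return LDB_ERR_CONSTRAINT_VIOLATION;
			}
		}
	/* … unchanged: end of the num_values block … */
```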