summaryrefslogtreecommitdiff
path: root/source4/dsdb
diff options
context:
space:
mode:
authorMatthias Dieter Wallnöfer <mdw@samba.org>2011-10-13 08:48:08 +0200
committerMatthias Dieter Wallnöfer <mdw@samba.org>2011-10-27 18:52:29 +0200
commit6287d0d61c1b63f399edc901133a6f61069224a6 (patch)
tree48b01e433a56ebb4be62b2ae87107226e1d3a0aa /source4/dsdb
parentbb02aa5e0020e9f41d353d59889888caf9867b91 (diff)
downloadsamba-6287d0d61c1b63f399edc901133a6f61069224a6.tar.gz
samba-6287d0d61c1b63f399edc901133a6f61069224a6.tar.bz2
samba-6287d0d61c1b63f399edc901133a6f61069224a6.zip
s4:objectclass_attrs LDB module - implement the dSHeuristics length checks correctly
Consider bug #8489 Reviewed-by: abartlet
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass_attrs.c42
1 files changed, 37 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index b6f91651dc..d45c46fdb9 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -72,15 +72,47 @@ static struct oc_context *oc_init_context(struct ldb_module *module,
static int oc_op_callback(struct ldb_request *req, struct ldb_reply *ares);
-/* checks correctness of dSHeuristics attribute
- * as described in MS-ADTS 7.1.1.2.4.1.2 dSHeuristics */
+/*
+ * Checks the correctness of the "dSHeuristics" attribute as described in both
+ * MS-ADTS 7.1.1.2.4.1.2 dSHeuristics and MS-ADTS 3.1.1.5.3.2 Constraints
+ */
static int oc_validate_dsheuristics(struct ldb_message_element *el)
{
if (el->num_values > 0) {
- if (el->values[0].length > DS_HR_LDAP_BYPASS_UPPER_LIMIT_BOUNDS) {
+ if ((el->values[0].length >= DS_HR_NINETIETH_CHAR) &&
+ (el->values[0].data[DS_HR_NINETIETH_CHAR-1] != '9')) {
return LDB_ERR_CONSTRAINT_VIOLATION;
- } else if (el->values[0].length >= DS_HR_TENTH_CHAR
- && el->values[0].data[DS_HR_TENTH_CHAR-1] != '1') {
+ }
+ if ((el->values[0].length >= DS_HR_EIGHTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_EIGHTIETH_CHAR-1] != '8')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_SEVENTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_SEVENTIETH_CHAR-1] != '7')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_SIXTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_SIXTIETH_CHAR-1] != '6')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_FIFTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_FIFTIETH_CHAR-1] != '5')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_FOURTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_FOURTIETH_CHAR-1] != '4')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_THIRTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_THIRTIETH_CHAR-1] != '3')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_TWENTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_TWENTIETH_CHAR-1] != '2')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_TENTH_CHAR) &&
+ (el->values[0].data[DS_HR_TENTH_CHAR-1] != '1')) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}
}