CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow

Clearly the lockOutObservationWindow value is important, and using a
default value of zero doesn't work very well.

This patch adds a better default value (the domain default setting of 30
minutes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Wed Nov 28 11:31:14 CET 2018 on sn-devel-144

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 50c96f7c781d06b36437f4203d2026924f51ac22..dd9a5dcadf56c745e4075082c8223ba396bf04f2 100644 (file)
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -56,6 +56,9 @@
  */
 #include "dsdb/samdb/ldb_modules/util.h"
 
+/* default is 30 minutes: -1e7 * 30 * 60 */
+#define DEFAULT_OBSERVATION_WINDOW              -18000000000
+
 /*
   search the sam for the specified attributes in a specific domain, filter on
   objectSid being in domain_sid.
@@ -5370,7 +5373,7 @@ int samdb_result_effective_badPwdCount(struct ldb_context *sam_ldb,
                lockOutObservationWindow =
                        ldb_msg_find_attr_as_int64(res->msgs[0],
                                                   "msDS-LockoutObservationWindow",
-                                                   0);
+                                                   DEFAULT_OBSERVATION_WINDOW);
                talloc_free(res);
        } else {
 
@@ -5409,10 +5412,11 @@ static int64_t get_lockout_observation_window(struct ldb_message *domain_msg,
        if (pso_msg != NULL) {
                return ldb_msg_find_attr_as_int64(pso_msg,
                                                  "msDS-LockoutObservationWindow",
-                                                  0);
+                                                  DEFAULT_OBSERVATION_WINDOW);
        } else {
                return ldb_msg_find_attr_as_int64(domain_msg,
-                                                 "lockOutObservationWindow", 0);
+                                                 "lockOutObservationWindow",
+                                                  DEFAULT_OBSERVATION_WINDOW);
        }
 }