CVE-2021-20251 s4:auth_winbind: Check return status of authsam_logon_success_accounting()

This may return an error if we find the account is locked out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 268ea7bef5af4b9c8a02f4f5856113ff0664d9e8)

diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index d78799666035a203063d2c334fe0dcef4c3c26fd..6381f866667e6737599209706196bd4376e43deb 100644 (file)
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -252,11 +252,14 @@ static void winbind_check_password_done(struct tevent_req *subreq)
                status = authsam_search_account(state, ctx->auth_ctx->sam_ctx,
                                                nt4_account, domain_dn, &msg);
                if (NT_STATUS_IS_OK(status)) {
-                       authsam_logon_success_accounting(
+                       status = authsam_logon_success_accounting(
                                ctx->auth_ctx->sam_ctx, msg,
                                domain_dn,
                                user_info->flags & USER_INFO_INTERACTIVE_LOGON,
                                NULL);
+                       if (tevent_req_nterror(req, status)) {
+                               return;
+                       }
                }
        }