#define SUDO_LDAP_SSL 1
#define SUDO_LDAP_STARTTLS 2
-/* The TIMEFILTER_LENGTH includes the filter itself plus the global AND
- wrapped around the user filter and the time filter when timed entries
+/* The TIMEFILTER_LENGTH is the length of the filter when timed entries
are used. The length is computed as follows:
- 85 for the filter
- + 2 * 13 for the now timestamp
- + 3 for the global AND
+ 81 for the filter itself
+ + 2 * 17 for the now timestamp
*/
-#define TIMEFILTER_LENGTH 114
+#define TIMEFILTER_LENGTH 115
/*
* The ldap_search structure implements a linked list of ldap and
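Review bot: The comment above `TIMEFILTER_LENGTH` does not say whether the 115 bytes include the terminating NUL, which is exactly what the `TIMEFILTER_LENGTH + 1` declarations in sudo_ldap_build_pass1 and sudo_ldap_build_pass2 further down depend on. I would add a line to the comment such as `The length does not include the terminating NUL; declare buffers as TIMEFILTER_LENGTH + 1.` The 81 and the 17 are hand-counted against the filter format string and the strftime format, neither of which is defined in this hunk, so a later edit to either string can make the constant too small again without any compiler diagnostic. Writing the timestamp part as `sizeof("20120727121554.0Z") - 1`, the same sample literal used for the strftime buffer, would remove one of the two manual counts.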
{
struct tm *tp;
time_t now;
- char timebuffer[16];
+ char timebuffer[sizeof("20120727121554.0Z")];
int bytes = 0;
debug_decl(sudo_ldap_timefilter, SUDO_DEBUG_LDAP)
}
/* Format the timestamp according to the RFC. */
- if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%SZ", tp) == 0) {
- warning(_("unable to format timestamp"));
+ if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%S.0Z", tp) == 0) {
+ warningx(_("unable to format timestamp"));
goto done;
}
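Review bot: When strftime() returns 0, the code jumps to `done` without, as far as this hunk shows, having written anything to the caller's output buffer. The callers are presumably sudo_ldap_build_pass1 and sudo_ldap_build_pass2, whose bodies lie mostly outside the visible hunks; if they ignore the return value, they would append an uninitialised stack array to the LDAP search filter. Storing an empty string in the output buffer before the first `goto done`, or having the callers test the result before using the buffer, would make the failure path well defined. The function starts and ends outside this hunk, so this needs confirming against the full source.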
sudo_ldap_build_pass1(struct passwd *pw)
{
struct group *grp;
- char *buf, timebuffer[TIMEFILTER_LENGTH], gidbuf[MAX_UID_T_LEN + 1];
+ char *buf, timebuffer[TIMEFILTER_LENGTH + 1], gidbuf[MAX_UID_T_LEN + 1];
struct group_list *grlist;
size_t sz = 0;
int i;
debug_decl(sudo_ldap_build_pass1, SUDO_DEBUG_LDAP)
- /* Start with LDAP search filter length + 3 */
+ /* If there is a filter, allocate space for the global AND. */
+ if (ldap_conf.timed || ldap_conf.search_filter)
+ sz += 3;
+
+ /* Add LDAP search filter if present. */
if (ldap_conf.search_filter)
- sz += strlen(ldap_conf.search_filter) + 3;
+ sz += strlen(ldap_conf.search_filter);
/* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
sz += 29 + sudo_ldap_value_len(pw->pw_name);
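Review bot: The size bookkeeping in sudo_ldap_build_pass1 still relies on bare literals (`3` for the global AND, `29` for the sudoUser clause), and the new `if (ldap_conf.timed || ldap_conf.search_filter)` has an unbraced body. The allocation that consumes `sz` and the appends that fill the buffer are outside this hunk, so the counts cannot be checked here against the text they stand for. Writing the new line as `sz += sizeof("(&)") - 1;` keeps the count next to the characters it reserves, and the comment could state that the three bytes are the opening `(&` and the closing `)`. Because an undercount here becomes a truncated or overrun filter later, it is also worth confirming that the code past the end of the hunk checks the result of each bounded append.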
static char *
sudo_ldap_build_pass2(void)
{
- char *filt, timebuffer[TIMEFILTER_LENGTH];
+ char *filt, timebuffer[TIMEFILTER_LENGTH + 1];
debug_decl(sudo_ldap_build_pass2, SUDO_DEBUG_LDAP)
if (ldap_conf.timed)