From: Todd C. Miller
Date: Mon, 30 Jul 2012 15:15:14 +0000 (-0400)
Subject: Active Directory apparently requires that tenths of a second be
X-Git-Tag: SUDO_1_7_10~28
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9b67d2c203e3f4150aa5c00db41b8c172988bbd4;p=sudo

Active Directory apparently requires that tenths of a second be present in a date so append .0 to the "now" value in the time filter. Also remove space for the global AND from TIMEFILTER_LENGTH since it was not being used consistently. Buffers of TIMEFILTER_LENGTH now need to account for the terminating NUL byte.

--HG--
branch : 1.7
---

diff --git a/ldap.c b/ldap.c
index 4f98addc5..e00958f1b 100644
--- a/ldap.c
+++ b/ldap.c
@@ -132,14 +132,12 @@ extern int ldapssl_set_strength(LDAP *ldap, int strength);
 #define SUDO_LDAP_SSL 1
 #define SUDO_LDAP_STARTTLS 2
 
-/* The TIMEFILTER_LENGTH includes the filter itself plus the global AND
- wrapped around the user filter and the time filter when timed entries
+/* The TIMEFILTER_LENGTH is the length of the filter when timed entries
 are used. The length is computed as follows:
- 85 for the filter
- + 2 * 13 for the now timestamp
- + 3 for the global AND
+ 81 for the filter itself
+ + 2 * 17 for the now timestamp
 */
-#define TIMEFILTER_LENGTH 114
+#define TIMEFILTER_LENGTH 115
 
 /*
 * The ldap_search structure implements a linked list of ldap and
@@ -996,7 +994,7 @@ sudo_ldap_timefilter(buffer, buffersize)
 {
 struct tm *tp;
 time_t now;
- char timebuffer[16];
+ char timebuffer[sizeof("20120727121554.0Z")];
 int bytes = 0;
 
 /* Make sure we have a formatted timestamp for __now__. */
@@ -1007,8 +1005,8 @@ sudo_ldap_timefilter(buffer, buffersize)
 }
 
 /* Format the timestamp according to the RFC. */
- if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%SZ", tp) == 0) {
- warning("unable to format timestamp");
+ if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%S.0Z", tp) == 0) {
+ warningx("unable to format timestamp");
 goto done;
 }
 
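Review bot: The new `#define TIMEFILTER_LENGTH 115` is still the sum of two hand-counted numbers, and the 17 in `2 * 17` repeats a length that sudo_ldap_timefilter takes from `sizeof("20120727121554.0Z")` in the next hunk. Deriving one from the other through a new macro, for example `#define TIMESTAMP_LENGTH (sizeof("20120727121554.0Z") - 1)` followed by `#define TIMEFILTER_LENGTH (81 + 2 * TIMESTAMP_LENGTH)`, would keep the two from drifting apart the next time the timestamp format changes. The 81 is counted from a filter format string that is outside this hunk, so it should be rechecked against that string. The comment should also say that the value excludes the terminating NUL, since the callers now add 1 themselves.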
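Review bot: The comment above the changed strftime() call in the third hunk, `/* Format the timestamp according to the RFC. */`, does not explain the `.0` that the new format string `"%Y%m%d%H%M%S.0Z"` hard-codes. According to the commit message the fraction is there because Active Directory apparently requires tenths of a second, and without that reason in the code a later cleanup could drop it as redundant. I would reword the comment to `/* Format as an LDAP timestamp; the fixed ".0" fraction is for Active Directory, which apparently requires tenths of a second. */` and name the RFC it refers to. sudo_ldap_timefilter starts and ends outside the hunk.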
@@ -1144,13 +1142,17 @@ sudo_ldap_build_pass1(pw)
 struct passwd *pw;
 {
 struct group *grp;
- char *buf, timebuffer[TIMEFILTER_LENGTH];
+ char *buf, timebuffer[TIMEFILTER_LENGTH + 1];
 size_t sz = 0;
 int i;
 
- /* Start with LDAP search filter length + 3 */
+ /* If there is a filter, allocate space for the global AND. */
+ if (ldap_conf.timed || ldap_conf.search_filter)
+ sz += 3;
+
+ /* Add LDAP search filter if present. */
 if (ldap_conf.search_filter)
- sz += strlen(ldap_conf.search_filter) + 3;
+ sz += strlen(ldap_conf.search_filter);
 
 /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
 sz += 29 + sudo_ldap_value_len(pw->pw_name);
@@ -1233,7 +1235,7 @@ sudo_ldap_build_pass1(pw)
 static char *
 sudo_ldap_build_pass2()
 {
- char *filt, timebuffer[TIMEFILTER_LENGTH];
+ char *filt, timebuffer[TIMEFILTER_LENGTH + 1];
 
 if (ldap_conf.timed)
 sudo_ldap_timefilter(timebuffer, sizeof(timebuffer));
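Review bot: The added `sz += 3;` in sudo_ldap_build_pass1 is a bare count for the `(&` prefix and the closing `)` of the global AND. Writing it as `sz += sizeof("(&)") - 1;`, or adding the comment `/* "(&" and ")" */`, keeps the arithmetic checkable against the strings it reserves room for. That matters more after this change, because TIMEFILTER_LENGTH no longer carries slack for the AND and the allocation appears to be sized exactly. The allocation and the code that fills the buffer are outside the hunk, so it is worth confirming there that a truncated filter is detected rather than silently sent to the server.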
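Review bot: The call `sudo_ldap_timefilter(timebuffer, sizeof(timebuffer));` in sudo_ldap_build_pass2 discards the result, yet the earlier hunks show that function has a failure path (`goto done` after the strftime() check, with `bytes` initialised to 0). If that path leaves the buffer unwritten, `timebuffer` is an uninitialised stack array when the rest of the function, which is outside this hunk, builds the filter from it. I would set `timebuffer[0] = '\0';` before the call at minimum, and preferably test the return value and fail the lookup, because a filter built without its time clause would match entries outside their validity window. sudo_ldap_build_pass1 declares the same buffer in the previous hunk and its call site is not visible, so it deserves the same check.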