[Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration
Tomas Babej
tbabej at redhat.com
Wed Jan 23 13:00:00 UTC 2013
On 01/22/2013 07:39 PM, Dmitri Pal wrote:
> On 01/22/2013 10:57 AM, Simo Sorce wrote:
>> On Tue, 2013-01-22 at 15:50 +0100, Tomas Babej wrote:
>>> Here I bring the updated version of the patch. Please note, that I
>>> *added* a flag attribute to ipadb_ldap_attr_to_krb5_timestamp
>>> function, that controls whether the timestamp will be checked for
>>> overflow or not. The reasoning behind this is that some attributes
>>> will not be set to future dates, due to their inherent nature - such
>>> as krbLastSuccessfulAuth or krbLastAdminUnlock.
>>>
>>> These are all related to past dates, and it would make no sense to set
>>> them to future dates, even manually. Therefore I'd rather represent
>>> negative values in these attributes as past dates. They would have to
>>> be set manually anyway, because they would represent timestamps before
>>> the beginning of the unix epoch, however, I find this approach better
>>> than pushing them up to year 2038 in case such things happens.
>>>
>>> Any objections to this approach?
>>>
>> I am not sure I understand what is the point of giving this option to
>> callers. A) How does an API user know when to use one or the other
>> option. B) What good does it make to have the same date return different
>> results based on a flag ?
>>
>> What will happen later on when MIT will 'fix' the 2038 limit by changing
>> the meaning of negative timestamps ? Keep in mind that right now
>> negative timestamps are not really valid in the MIT code.
>>
>> Unless there is a 'use' for getting negative timestamps I think it is
>> only harmful to allow it and consumers would only be confused on whether
>> it should be used or not.
>>
>> So my first impression is that you are a bit overthinking here and we
>> should instead always force the same behavior for all callers and always
>> check and enforce endoftime dates.
>>
>> Simo.
>>
> +1
Ok, the patch does not distinguish between 'past' and 'future'
timestamps anymore.
Please respond if you see any issues.
Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0026-7-Prevent-integer-overflow-when-setting-krbPasswordExp.patch
Type: text/x-patch
Size: 7751 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130123/c5363e38/attachment.bin>
More information about the Freeipa-devel
mailing list