From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 4 Jul 2022 08:51:38 +0000 (+1200)
Subject: CVE-2021-20251 s4:auth_winbind: Check return status of authsam_logon_success_accounting()
X-Git-Tag: talloc-2.4.0~1068
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=268ea7bef5af4b9c8a02f4f5856113ff0664d9e8;p=thirdparty%2Fsamba.git

CVE-2021-20251 s4:auth_winbind: Check return status of authsam_logon_success_accounting()

This may return an error if we find the account is locked out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index d7879966603..6381f866667 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -252,11 +252,14 @@ static void winbind_check_password_done(struct tevent_req *subreq)
 		status = authsam_search_account(state, ctx->auth_ctx->sam_ctx,
 						nt4_account, domain_dn, &msg);
 		if (NT_STATUS_IS_OK(status)) {
-			authsam_logon_success_accounting(
+			status = authsam_logon_success_accounting(
 				ctx->auth_ctx->sam_ctx, msg,
 				domain_dn,
 				user_info->flags & USER_INFO_INTERACTIVE_LOGON,
 				NULL);
+			if (tevent_req_nterror(req, status)) {
+				return;
+			}
 		}
 	}