mirror of
https://github.com/samba-team/samba.git
synced 2025-01-27 14:04:05 +03:00
secrets: fix replacemend random seed generator (security issue).
This is a regression introduced by the change to dbwrap. The replacement dbwrap_change_int32_atomic() does not correctly mimic the behaviour of tdb_change_int32_atomic(): The intended behaviour is to use *oldval as an initial value when the entry does not yet exist in the db and to return the old value in *oldval. The effect was that: 1. get_rand_seed() always returns sys_getpid() in *new_seed instead of the incremented seed from the secrets.tdb. 2. the seed stored in the tdb is always starting at 0 instead of sys_getpid() + 1 and incremented in subsequent calls. In principle this is a security issue, but i think the danger is low, since this is only used as a fallback when there is no useable /dev/urandom, and this is at most called on startup or via reinit_after_fork. Michael (This used to be commit bfc5d34a196f667276ce1e173821db478d01258b)
This commit is contained in:
Michael Adam
parent
149e1ae25a
commit
4c5752d40f
@ -150,9 +150,13 @@ int32 dbwrap_change_int32_atomic(struct db_context *db, const char *keystr,
|
||||
return -1;
|
||||
}
|
||||
|
||||
if ((rec->value.dptr != NULL)
|
||||
&& (rec->value.dsize == sizeof(val))) {
|
||||
if (rec->value.dptr == NULL) {
|
||||
val = *oldval;
|
||||
} else if (rec->value.dsize == sizeof(val)) {
|
||||
val = IVAL(rec->value.dptr, 0);
|
||||
*oldval = val;
|
||||
} else {
|
||||
return -1;
|
||||
}
|
||||
|
||||
val += change_val;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user