CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
authorStefan Metzmacher <metze@samba.org>
Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:24 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: G√ľnther Deschner <gd@samba.org>
source4/libcli/ldap/ldap_bind.c

index 79478e775d8115c52cabb7d8234c7f0bd359106d..c5d821982c6acc41bd538e5286f1159029ce83b6 100644 (file)
@@ -437,6 +437,13 @@ try_logon_again:
 
                result = response->r.BindResponse.response.resultcode;
 
+               if (result == LDAP_STRONG_AUTH_REQUIRED) {
+                       if (wrap_flags == 0) {
+                               wrap_flags = ADS_AUTH_SASL_SIGN;
+                               goto try_logon_again;
+                       }
+               }
+
                if (result == LDAP_INVALID_CREDENTIALS) {
                        /*
                          try a second time on invalid credentials, to