Bug 1267253

Summary: Negative offset during otptoken-sync suffers causes integer underflow
Product: Red Hat Enterprise Linux 7 Reporter: Tomas Babej <tbabej>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: jcholast, mkosek, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-30 05:53:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Babej 2015-09-29 13:04:50 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5333

If a negative offset between the device and the server is detected during otptoken-sync, it will underflow, and set a large positive value as offset instead.

{{{

-------------------
1 OTP token matched
-------------------
  dn:
ipatokenuniqueid=1e7a8029-8872-46f5-8254-9d03a62d2417,cn=otp,dc=ipa,dc=test
  Unique ID: 1e7a8029-8872-46f5-8254-9d03a62d2417
  Type: TOTP
  Owner: test
  Key: eu/S8oUunB188tRc5HE8CkxMmyI=
  Algorithm: sha1
  Digits: 6
  Clock offset: 4294963816
  Clock interval: 30
  ipatokentotpwatermark: 48117551
  objectclass: top, ipatokentotp, ipatoken
}}}
Comment 1 Tomas Babej 2015-09-29 13:10:05 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d3cca6db57fb26aea1d45bc522336dddc6256825
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/3c52f62e6c4e07b107780d95a6a4ff79d89c75b9
Comment 2 Nathaniel McCallum 2015-09-29 13:15:43 UTC 
This is probably a duplicate of:
https://bugzilla.redhat.com/show_bug.cgi?id=1217009
Comment 3 Tomas Babej 2015-09-29 13:18:52 UTC 
Hashes in the previous comment are not correct, following ones are.

master:
https://fedorahosted.org/freeipa/changeset/9e3eeadeb3120f3577e00ab9cb410eccf8d71de0
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/7db0a8e8512733ff91462b9b3b20c21ad6ec4212
Comment 4 Jan Cholasta 2015-09-30 05:53:23 UTC 
This is indeed a duplicate of bug 1217009.

*** This bug has been marked as a duplicate of bug 1217009 ***