56 lines
1.7 KiB
Diff
56 lines
1.7 KiB
Diff
From 83b00656ea0e8cfdce8a9c1cef71e41477e8e6f0 Mon Sep 17 00:00:00 2001
|
|
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Date: Fri, 15 May 2020 00:06:08 +1200
|
|
Subject: [PATCH 17/22] CVE-2020-10745: dns_util/push: forbid names longer than
|
|
255 bytes
|
|
|
|
As per RFC 1035.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
|
|
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
---
|
|
librpc/ndr/ndr_dns_utils.c | 10 +++++++++-
|
|
selftest/knownfail.d/ndr_dns_nbt | 1 -
|
|
2 files changed, 9 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/librpc/ndr/ndr_dns_utils.c b/librpc/ndr/ndr_dns_utils.c
|
|
index 6931dac422d..b7f11dbab4e 100644
|
|
--- a/librpc/ndr/ndr_dns_utils.c
|
|
+++ b/librpc/ndr/ndr_dns_utils.c
|
|
@@ -11,6 +11,8 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
|
|
int ndr_flags,
|
|
const char *s)
|
|
{
|
|
+ const char *start = s;
|
|
+
|
|
if (!(ndr_flags & NDR_SCALARS)) {
|
|
return NDR_ERR_SUCCESS;
|
|
}
|
|
@@ -84,7 +86,13 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
|
|
talloc_free(compname);
|
|
|
|
s += complen;
|
|
- if (*s == '.') s++;
|
|
+ if (*s == '.') {
|
|
+ s++;
|
|
+ }
|
|
+ if (s - start > 255) {
|
|
+ return ndr_push_error(ndr, NDR_ERR_STRING,
|
|
+ "name > 255 character long");
|
|
+ }
|
|
}
|
|
|
|
/* if we reach the end of the string and have pushed the last component
|
|
diff --git a/selftest/knownfail.d/ndr_dns_nbt b/selftest/knownfail.d/ndr_dns_nbt
|
|
index e11c121b7a7..603395c8c50 100644
|
|
--- a/selftest/knownfail.d/ndr_dns_nbt
|
|
+++ b/selftest/knownfail.d/ndr_dns_nbt
|
|
@@ -1,3 +1,2 @@
|
|
-librpc.ndr.ndr_dns_nbt.test_ndr_dns_string_half_dots
|
|
librpc.ndr.ndr_dns_nbt.test_ndr_nbt_string_all_dots
|
|
librpc.ndr.ndr_dns_nbt.test_ndr_nbt_string_half_dots
|
|
--
|
|
2.17.1
|
|
|