samba/CVE-2020-14303-2.patch

From 153c8db09b26455aa9802ff95943dd8a75f31893 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Wed, 24 Jun 2020 14:27:08 +1200
Subject: [PATCH 20/22] CVE-2020-14303: s4 nbt: fix busy loop on empty UDP
 packet

An empty UDP packet put the nbt server into a busy loop that consumes
100% of a CPU.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
---
libcli/nbt/nbtsocket.c | 17 ++++++++++++++++-
selftest/knownfail.d/empty-nbt | 1 -
2 files changed, 16 insertions(+), 2 deletions(-)
delete mode 100644 selftest/knownfail.d/empty-nbt
diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c
index 33d53fba993..8aecaf73247 100644
--- a/libcli/nbt/nbtsocket.c
+++ b/libcli/nbt/nbtsocket.c
@@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
return;
}
+ /*
+ * Given a zero length, data_blob_talloc() returns the
+ * NULL blob {NULL, 0}.
+ *
+ * We only want to error return here on a real out of memory condition
+ * (i.e. dsize != 0, so the UDP packet has data, but the return of the
+ * allocation failed, so blob.data==NULL).
+ *
+ * Given an actual zero length UDP packet having blob.data == NULL
+ * isn't an out of memory error condition, that's the defined semantics
+ * of data_blob_talloc() when asked for zero bytes.
+ *
+ * We still need to continue to do the zero-length socket_recvfrom()
+ * read in order to clear the "read pending" condition on the socket.
+ */
blob = data_blob_talloc(tmp_ctx, NULL, dsize);
- if (blob.data == NULL) {
+ if (blob.data == NULL && dsize != 0) {
talloc_free(tmp_ctx);
return;
}
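Review bot: the relaxed guard removes the early return that was skipping the socket_recvfrom() for a zero-length datagram (the cause of the spin), but the visible context stops right after the return, so it does not show what happens to the {NULL, 0} blob once the read has drained the datagram. With blob.data == NULL and dsize == 0 the code must bail out after the zero-byte read rather than hand an empty blob to the NBT packet parser; please confirm the lines after socket_recvfrom() check for a zero-length result (or that the parser rejects a zero-length blob) and, if not, add that check in this same patch so the fix does not trade a busy loop for a NULL dereference. A small readability improvement: test the length first, `if (dsize != 0 && blob.data == NULL) {`, so the condition reads as "real packet but allocation failed", which is the order the new comment explains it in.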
diff --git a/selftest/knownfail.d/empty-nbt b/selftest/knownfail.d/empty-nbt
deleted file mode 100644
index e4bcccab4e5..00000000000
--- a/selftest/knownfail.d/empty-nbt
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet
\ No newline at end of file
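Review bot: deleting selftest/knownfail.d/empty-nbt promotes samba.tests.dns_packet.TestNbtPackets.test_empty_packet from expected-failure to required-pass, which makes that test the regression check for this fix, but the test itself is not part of this patch. It must therefore already be in tree, presumably from an earlier patch in this 22-patch series, and applying patch 20 on its own (or out of order) will fail selftest until the test exists. Worth stating in the commit message which patch adds the test, so backporters know the dependency; the "No newline at end of file" marker on the deleted file is just a git note and needs no action.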
--
2.17.1