The Samba-Bugzilla – Attachment 14230 Details for
Bug 13466
[SECURITY Hardening] DNS query with escapes characters in dns name makes samba crashing
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.8
look-4.8.patch (text/plain), 6.80 KB, created by
Kai Blin
on 2018-06-08 19:23:01 UTC
(
hide
)
Description:
patch for 4.8
Filename:
MIME Type:
Creator:
Kai Blin
Created:
2018-06-08 19:23:01 UTC
Size:
6.80 KB
patch
obsolete
>From e7de3dc09ab84ebe8f300fc19d8f961372d31029 Mon Sep 17 00:00:00 2001 >From: Kai Blin <kai@samba.org> >Date: Fri, 8 Jun 2018 18:20:16 +0200 >Subject: [PATCH 1/2] dns: Add a test to trigger the LDB casefolding issue on > invalid chars > >Signed-off-by: Kai Blin <kai@samba.org> >--- > python/samba/tests/dns_invalid.py | 87 +++++++++++++++++++++++++++++++++++++++ > selftest/knownfail.d/dns | 3 ++ > source4/selftest/tests.py | 3 ++ > 3 files changed, 93 insertions(+) > create mode 100644 python/samba/tests/dns_invalid.py > >diff --git a/python/samba/tests/dns_invalid.py b/python/samba/tests/dns_invalid.py >new file mode 100644 >index 00000000000..f462314ae92 >--- /dev/null >+++ b/python/samba/tests/dns_invalid.py >@@ -0,0 +1,87 @@ >+# Unix SMB/CIFS implementation. >+# Copyright (C) Kai Blin <kai@samba.org> 2018 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import os >+import sys >+import struct >+import random >+import socket >+import samba.ndr as ndr >+from samba import credentials, param >+from samba.dcerpc import dns, dnsp, dnsserver >+from samba.netcmd.dns import TXTRecord, dns_record_match, data_to_dns_record >+from samba.tests.subunitrun import SubunitOptions, TestProgram >+from samba import werror, WERRORError >+from samba.tests.dns_base import DNSTest >+import samba.getopt as options >+import optparse >+ >+parser = optparse.OptionParser("dns_invalid.py <server ip> [options]") >+sambaopts = options.SambaOptions(parser) >+parser.add_option_group(sambaopts) >+ >+# This timeout only has relevance when testing against Windows >+# Format errors tend to return patchy responses, so a timeout is needed. >+parser.add_option("--timeout", type="int", dest="timeout", >+ help="Specify timeout for DNS requests") >+ >+# use command line creds if available >+credopts = options.CredentialsOptions(parser) >+parser.add_option_group(credopts) >+subunitopts = SubunitOptions(parser) >+parser.add_option_group(subunitopts) >+ >+opts, args = parser.parse_args() >+ >+lp = sambaopts.get_loadparm() >+creds = credopts.get_credentials(lp) >+ >+timeout = opts.timeout >+ >+if len(args) < 1: >+ parser.print_usage() >+ sys.exit(1) >+ >+server_ip = args[0] >+creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE) >+ >+ >+class TestBrokenQueries(DNSTest): >+ def setUp(self): >+ super(TestBrokenQueries, self).setUp() >+ global server, server_ip, lp, creds, timeout >+ self.server_ip = server_ip >+ self.lp = lp >+ self.creds = creds >+ self.timeout = timeout >+ >+ def test_invalid_chars_in_name(self): >+ """Check the server refuses invalid characters in the query name""" >+ p = self.make_name_packet(dns.DNS_OPCODE_QUERY) >+ questions = [] >+ >+ name = "\x10\x11\x05\xa8.%s" % self.get_dns_domain() >+ q = self.make_name_question(name, dns.DNS_QTYPE_A, dns.DNS_QCLASS_IN) >+ print "asking for ", q.name >+ questions.append(q) >+ >+ self.finish_name_packet(p, questions) >+ (response, response_packet) = self.dns_transaction_udp(p, host=server_ip) >+ self.assert_dns_rcode_equals(response, dns.DNS_RCODE_NXDOMAIN) >+ >+ >+TestProgram(module=__name__, opts=subunitopts) >diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns >index cb3003240ea..140ded24fa0 100644 >--- a/selftest/knownfail.d/dns >+++ b/selftest/knownfail.d/dns >@@ -45,3 +45,6 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\) > > # The SOA override should not pass against the RODC, it must not overstamp > samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\) >+ >+# This still needs to be fixed in LDB >+samba.tests.dns_invalid.__main__.TestBrokenQueries.test_invalid_chars_in_name\(ad_dc:local\) >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 621a61347bc..3a964026fcd 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -369,6 +369,9 @@ plantestsuite_loadlist("samba.tests.dns_forwarder", "fl2003dc:local", [python, o > > plantestsuite_loadlist("samba.tests.dns_tkey", "fl2008r2dc", [python, os.path.join(srcdir(), "python/samba/tests/dns_tkey.py"), '$SERVER', '$SERVER_IP', '--machine-pass', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) > plantestsuite_loadlist("samba.tests.dns_wildcard", "ad_dc", [python, os.path.join(srcdir(), "python/samba/tests/dns_wildcard.py"), '$SERVER', '$SERVER_IP', '--machine-pass', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) >+ >+plantestsuite_loadlist("samba.tests.dns_invalid", "ad_dc", [python, os.path.join(srcdir(), "python/samba/tests/dns_invalid.py"), '$SERVER_IP', '--machine-pass', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) >+ > for t in smbtorture4_testsuites("dns_internal."): > plansmbtorture4testsuite(t, "ad_dc_ntvfs:local", '//$SERVER/whavever') > >-- >2.11.0 > > >From 3cec68236a27e5940de3fd2922a6d80c7ad52222 Mon Sep 17 00:00:00 2001 >From: Kai Blin <kai@samba.org> >Date: Fri, 8 Jun 2018 19:41:05 +0200 >Subject: [PATCH 2/2] ldb: fix crash in ltdb_index_dn_attr > >Still needs a cmocka test > >Signed-off-by: Kai Blin <kai@samba.org> >--- > lib/ldb/ldb_tdb/ldb_index.c | 3 +++ > selftest/knownfail.d/dns | 3 --- > 2 files changed, 3 insertions(+), 3 deletions(-) > >diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c >index ee2027319e3..32979d0399b 100644 >--- a/lib/ldb/ldb_tdb/ldb_index.c >+++ b/lib/ldb/ldb_tdb/ldb_index.c >@@ -1391,6 +1391,9 @@ static int ltdb_index_dn_attr(struct ldb_module *module, > > /* work out the index key from the parent DN */ > val.data = (uint8_t *)((uintptr_t)ldb_dn_get_casefold(dn)); >+ if (!val.data) { >+ return LDB_ERR_NO_SUCH_OBJECT; >+ } > val.length = strlen((char *)val.data); > key = ltdb_index_key(ldb, ltdb, attr, &val, NULL); > if (!key) { >diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns >index 140ded24fa0..cb3003240ea 100644 >--- a/selftest/knownfail.d/dns >+++ b/selftest/knownfail.d/dns >@@ -45,6 +45,3 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\) > > # The SOA override should not pass against the RODC, it must not overstamp > samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\) >- >-# This still needs to be fixed in LDB >-samba.tests.dns_invalid.__main__.TestBrokenQueries.test_invalid_chars_in_name\(ad_dc:local\) >-- >2.11.0 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 13466
:
14228
|
14229
|
14230
|
14288
|
14294