From 5ea62390abab7348ca99ca7022298b25b5620169 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 21 May 2018 15:25:33 +1200 Subject: [PATCH 1/7] ldb_tdb: Remove pointless check of ldb_dn_is_valid() If the DN is not valid the ltdb_search_dn1() will catch it with ldb_dn_validate() which is the only safe way to check this. ldb_dn_is_valid() does not actually check, but instead returns only the result of the previous checks, if there was one. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374 --- lib/ldb/ldb_tdb/ldb_search.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/lib/ldb/ldb_tdb/ldb_search.c b/lib/ldb/ldb_tdb/ldb_search.c index af66a097ad5..1fd6adb6db4 100644 --- a/lib/ldb/ldb_tdb/ldb_search.c +++ b/lib/ldb/ldb_tdb/ldb_search.c @@ -759,14 +759,6 @@ int ltdb_search(struct ltdb_context *ctx) /* We accept subtree searches from a NULL base DN, ie over the whole DB */ ret = LDB_SUCCESS; } - } else if (ldb_dn_is_valid(req->op.search.base) == false) { - - /* We don't want invalid base DNs here */ - ldb_asprintf_errstring(ldb, - "Invalid Base DN: %s", - ldb_dn_get_linearized(req->op.search.base)); - ret = LDB_ERR_INVALID_DN_SYNTAX; - } else if (req->op.search.scope == LDB_SCOPE_BASE) { /* -- 2.11.0 From 70f75e723e4fb00a526d7275aaee05cdc31ab59b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 4 Jul 2018 13:26:16 +1200 Subject: [PATCH 2/7] ldb: extend API tests These additional API tests just check that an invalid base DN is never accepted. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- lib/ldb/tests/python/api.py | 47 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 3 deletions(-) diff --git a/lib/ldb/tests/python/api.py b/lib/ldb/tests/python/api.py index e4010960697..471d70fc521 100755 --- a/lib/ldb/tests/python/api.py +++ b/lib/ldb/tests/python/api.py @@ -1309,6 +1309,41 @@ class SearchTests(LdbBaseTest): expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)") self.assertEqual(len(res11), 0) + def test_bad_dn_search_base(self): + """Testing with a bad base DN (SCOPE_BASE)""" + + try: + res11 = self.l.search(base="OU=OU1,DC=SAMBA,DCXXX", + scope=ldb.SCOPE_BASE) + self.fail("Should have failed with ERR_INVALID_DN_SYNTAX") + except ldb.LdbError as err: + enum = err.args[0] + self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX) + + + def test_bad_dn_search_one(self): + """Testing with a bad base DN (SCOPE_ONELEVEL)""" + + try: + res11 = self.l.search(base="DC=SAMBA,DCXXXX", + scope=ldb.SCOPE_ONELEVEL) + self.fail("Should have failed with ERR_INVALID_DN_SYNTAX") + except ldb.LdbError as err: + enum = err.args[0] + self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX) + + def test_bad_dn_search_subtree(self): + """Testing with a bad base DN (SCOPE_SUBTREE)""" + + try: + res11 = self.l.search(base="DC=SAMBA,DCXXXX", + scope=ldb.SCOPE_SUBTREE) + self.fail("Should have failed with ERR_INVALID_DN_SYNTAX") + except ldb.LdbError as err: + enum = err.args[0] + self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX) + + # Run the search tests against an lmdb backend class SearchTestsLmdb(SearchTests): @@ -1375,8 +1410,10 @@ class IndexedAndOneLevelDNFilterSearchTests(SearchTests): def setUp(self): super(IndexedAndOneLevelDNFilterSearchTests, self).setUp() self.l.add({"dn": "@OPTIONS", - "disallowDNFilter": "TRUE"}) + "disallowDNFilter": "TRUE", + "checkBaseOnSearch": "TRUE"}) self.disallowDNFilter = True + self.checkBaseOnSearch = True self.l.add({"dn": "@INDEXLIST", "@IDXATTR": [b"x", b"y", b"ou"], @@ -1408,8 +1445,10 @@ class GUIDIndexedDNFilterSearchTests(SearchTests): "@IDX_DN_GUID": [b"GUID"]} super(GUIDIndexedDNFilterSearchTests, self).setUp() self.l.add({"dn": "@OPTIONS", - "disallowDNFilter": "TRUE"}) + "disallowDNFilter": "TRUE", + "checkBaseOnSearch": "TRUE"}) self.disallowDNFilter = True + self.checkBaseOnSearch = True self.IDX = True self.IDXGUID = True @@ -1423,8 +1462,10 @@ class GUIDAndOneLevelIndexedSearchTests(SearchTests): "@IDX_DN_GUID": [b"GUID"]} super(GUIDAndOneLevelIndexedSearchTests, self).setUp() self.l.add({"dn": "@OPTIONS", - "disallowDNFilter": "TRUE"}) + "disallowDNFilter": "TRUE", + "checkBaseOnSearch": "TRUE"}) self.disallowDNFilter = True + self.checkBaseOnSearch = True self.IDX = True self.IDXGUID = True self.IDXONE = True -- 2.11.0 From 5f47dd22f97807be8db71538c64088e2da6e7a10 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 3 Jul 2018 15:21:07 +1200 Subject: [PATCH 3/7] ldb: Release LDB 1.4.2 * New API ldb_dn_add_child_val() avoids passing untrusted input to ldb_dn_add_child_fmt() Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- lib/ldb/ABI/ldb-1.4.2.sigs | 279 ++++++++++++++++++++++++++++++++++ lib/ldb/ABI/pyldb-util-1.4.2.sigs | 2 + lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs | 2 + lib/ldb/wscript | 2 +- 4 files changed, 284 insertions(+), 1 deletion(-) create mode 100644 lib/ldb/ABI/ldb-1.4.2.sigs create mode 100644 lib/ldb/ABI/pyldb-util-1.4.2.sigs create mode 100644 lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs diff --git a/lib/ldb/ABI/ldb-1.4.2.sigs b/lib/ldb/ABI/ldb-1.4.2.sigs new file mode 100644 index 00000000000..a31b84ef4b5 --- /dev/null +++ b/lib/ldb/ABI/ldb-1.4.2.sigs @@ -0,0 +1,279 @@ +ldb_add: int (struct ldb_context *, const struct ldb_message *) +ldb_any_comparison: int (struct ldb_context *, void *, ldb_attr_handler_t, const struct ldb_val *, const struct ldb_val *) +ldb_asprintf_errstring: void (struct ldb_context *, const char *, ...) +ldb_attr_casefold: char *(TALLOC_CTX *, const char *) +ldb_attr_dn: int (const char *) +ldb_attr_in_list: int (const char * const *, const char *) +ldb_attr_list_copy: const char **(TALLOC_CTX *, const char * const *) +ldb_attr_list_copy_add: const char **(TALLOC_CTX *, const char * const *, const char *) +ldb_base64_decode: int (char *) +ldb_base64_encode: char *(TALLOC_CTX *, const char *, int) +ldb_binary_decode: struct ldb_val (TALLOC_CTX *, const char *) +ldb_binary_encode: char *(TALLOC_CTX *, struct ldb_val) +ldb_binary_encode_string: char *(TALLOC_CTX *, const char *) +ldb_build_add_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_del_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_extended_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const char *, void *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_mod_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_rename_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_search_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, const char *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_build_search_req_ex: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, struct ldb_parse_tree *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) +ldb_casefold: char *(struct ldb_context *, TALLOC_CTX *, const char *, size_t) +ldb_casefold_default: char *(void *, TALLOC_CTX *, const char *, size_t) +ldb_check_critical_controls: int (struct ldb_control **) +ldb_comparison_binary: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *) +ldb_comparison_fold: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *) +ldb_connect: int (struct ldb_context *, const char *, unsigned int, const char **) +ldb_control_to_string: char *(TALLOC_CTX *, const struct ldb_control *) +ldb_controls_except_specified: struct ldb_control **(struct ldb_control **, TALLOC_CTX *, struct ldb_control *) +ldb_debug: void (struct ldb_context *, enum ldb_debug_level, const char *, ...) +ldb_debug_add: void (struct ldb_context *, const char *, ...) +ldb_debug_end: void (struct ldb_context *, enum ldb_debug_level) +ldb_debug_set: void (struct ldb_context *, enum ldb_debug_level, const char *, ...) +ldb_delete: int (struct ldb_context *, struct ldb_dn *) +ldb_dn_add_base: bool (struct ldb_dn *, struct ldb_dn *) +ldb_dn_add_base_fmt: bool (struct ldb_dn *, const char *, ...) +ldb_dn_add_child: bool (struct ldb_dn *, struct ldb_dn *) +ldb_dn_add_child_fmt: bool (struct ldb_dn *, const char *, ...) +ldb_dn_alloc_casefold: char *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_alloc_linearized: char *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_canonical_ex_string: char *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_canonical_string: char *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_check_local: bool (struct ldb_module *, struct ldb_dn *) +ldb_dn_check_special: bool (struct ldb_dn *, const char *) +ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *) +ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *) +ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val) +ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const struct ldb_dn_extended_syntax *) +ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *) +ldb_dn_extended_syntax_by_name: const struct ldb_dn_extended_syntax *(struct ldb_context *, const char *) +ldb_dn_from_ldb_val: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const struct ldb_val *) +ldb_dn_get_casefold: const char *(struct ldb_dn *) +ldb_dn_get_comp_num: int (struct ldb_dn *) +ldb_dn_get_component_name: const char *(struct ldb_dn *, unsigned int) +ldb_dn_get_component_val: const struct ldb_val *(struct ldb_dn *, unsigned int) +ldb_dn_get_extended_comp_num: int (struct ldb_dn *) +ldb_dn_get_extended_component: const struct ldb_val *(struct ldb_dn *, const char *) +ldb_dn_get_extended_linearized: char *(TALLOC_CTX *, struct ldb_dn *, int) +ldb_dn_get_ldb_context: struct ldb_context *(struct ldb_dn *) +ldb_dn_get_linearized: const char *(struct ldb_dn *) +ldb_dn_get_parent: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_get_rdn_name: const char *(struct ldb_dn *) +ldb_dn_get_rdn_val: const struct ldb_val *(struct ldb_dn *) +ldb_dn_has_extended: bool (struct ldb_dn *) +ldb_dn_is_null: bool (struct ldb_dn *) +ldb_dn_is_special: bool (struct ldb_dn *) +ldb_dn_is_valid: bool (struct ldb_dn *) +ldb_dn_map_local: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) +ldb_dn_map_rebase_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) +ldb_dn_map_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) +ldb_dn_minimise: bool (struct ldb_dn *) +ldb_dn_new: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *) +ldb_dn_new_fmt: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *, ...) +ldb_dn_remove_base_components: bool (struct ldb_dn *, unsigned int) +ldb_dn_remove_child_components: bool (struct ldb_dn *, unsigned int) +ldb_dn_remove_extended_components: void (struct ldb_dn *) +ldb_dn_replace_components: bool (struct ldb_dn *, struct ldb_dn *) +ldb_dn_set_component: int (struct ldb_dn *, int, const char *, const struct ldb_val) +ldb_dn_set_extended_component: int (struct ldb_dn *, const char *, const struct ldb_val *) +ldb_dn_update_components: int (struct ldb_dn *, const struct ldb_dn *) +ldb_dn_validate: bool (struct ldb_dn *) +ldb_dump_results: void (struct ldb_context *, struct ldb_result *, FILE *) +ldb_error_at: int (struct ldb_context *, int, const char *, const char *, int) +ldb_errstring: const char *(struct ldb_context *) +ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) +ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) +ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) +ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) +ldb_get_create_perms: unsigned int (struct ldb_context *) +ldb_get_default_basedn: struct ldb_dn *(struct ldb_context *) +ldb_get_event_context: struct tevent_context *(struct ldb_context *) +ldb_get_flags: unsigned int (struct ldb_context *) +ldb_get_opaque: void *(struct ldb_context *, const char *) +ldb_get_root_basedn: struct ldb_dn *(struct ldb_context *) +ldb_get_schema_basedn: struct ldb_dn *(struct ldb_context *) +ldb_global_init: int (void) +ldb_handle_get_event_context: struct tevent_context *(struct ldb_handle *) +ldb_handle_new: struct ldb_handle *(TALLOC_CTX *, struct ldb_context *) +ldb_handle_use_global_event_context: void (struct ldb_handle *) +ldb_handler_copy: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *) +ldb_handler_fold: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *) +ldb_init: struct ldb_context *(TALLOC_CTX *, struct tevent_context *) +ldb_ldif_message_redacted_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *) +ldb_ldif_message_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *) +ldb_ldif_parse_modrdn: int (struct ldb_context *, const struct ldb_ldif *, TALLOC_CTX *, struct ldb_dn **, struct ldb_dn **, bool *, struct ldb_dn **, struct ldb_dn **) +ldb_ldif_read: struct ldb_ldif *(struct ldb_context *, int (*)(void *), void *) +ldb_ldif_read_file: struct ldb_ldif *(struct ldb_context *, FILE *) +ldb_ldif_read_file_state: struct ldb_ldif *(struct ldb_context *, struct ldif_read_file_state *) +ldb_ldif_read_free: void (struct ldb_context *, struct ldb_ldif *) +ldb_ldif_read_string: struct ldb_ldif *(struct ldb_context *, const char **) +ldb_ldif_write: int (struct ldb_context *, int (*)(void *, const char *, ...), void *, const struct ldb_ldif *) +ldb_ldif_write_file: int (struct ldb_context *, FILE *, const struct ldb_ldif *) +ldb_ldif_write_redacted_trace_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *) +ldb_ldif_write_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *) +ldb_load_modules: int (struct ldb_context *, const char **) +ldb_map_add: int (struct ldb_module *, struct ldb_request *) +ldb_map_delete: int (struct ldb_module *, struct ldb_request *) +ldb_map_init: int (struct ldb_module *, const struct ldb_map_attribute *, const struct ldb_map_objectclass *, const char * const *, const char *, const char *) +ldb_map_modify: int (struct ldb_module *, struct ldb_request *) +ldb_map_rename: int (struct ldb_module *, struct ldb_request *) +ldb_map_search: int (struct ldb_module *, struct ldb_request *) +ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, enum ldb_scope, bool *) +ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope) +ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *) +ldb_match_msg_objectclass: int (const struct ldb_message *, const char *) +ldb_mod_register_control: int (struct ldb_module *, const char *) +ldb_modify: int (struct ldb_context *, const struct ldb_message *) +ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *) +ldb_module_call_chain: char *(struct ldb_request *, TALLOC_CTX *) +ldb_module_connect_backend: int (struct ldb_context *, const char *, const char **, struct ldb_module **) +ldb_module_done: int (struct ldb_request *, struct ldb_control **, struct ldb_extended *, int) +ldb_module_flags: uint32_t (struct ldb_context *) +ldb_module_get_ctx: struct ldb_context *(struct ldb_module *) +ldb_module_get_name: const char *(struct ldb_module *) +ldb_module_get_ops: const struct ldb_module_ops *(struct ldb_module *) +ldb_module_get_private: void *(struct ldb_module *) +ldb_module_init_chain: int (struct ldb_context *, struct ldb_module *) +ldb_module_load_list: int (struct ldb_context *, const char **, struct ldb_module *, struct ldb_module **) +ldb_module_new: struct ldb_module *(TALLOC_CTX *, struct ldb_context *, const char *, const struct ldb_module_ops *) +ldb_module_next: struct ldb_module *(struct ldb_module *) +ldb_module_popt_options: struct poptOption **(struct ldb_context *) +ldb_module_send_entry: int (struct ldb_request *, struct ldb_message *, struct ldb_control **) +ldb_module_send_referral: int (struct ldb_request *, char *) +ldb_module_set_next: void (struct ldb_module *, struct ldb_module *) +ldb_module_set_private: void (struct ldb_module *, void *) +ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type) +ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *) +ldb_modules_load: int (const char *, const char *) +ldb_msg_add: int (struct ldb_message *, const struct ldb_message_element *, int) +ldb_msg_add_empty: int (struct ldb_message *, const char *, int, struct ldb_message_element **) +ldb_msg_add_fmt: int (struct ldb_message *, const char *, const char *, ...) +ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *) +ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *) +ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *) +ldb_msg_add_string: int (struct ldb_message *, const char *, const char *) +ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **) +ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *) +ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *) +ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) +ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *) +ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) +ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *) +ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **) +ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *) +ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *) +ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *) +ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int) +ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *) +ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double) +ldb_msg_find_attr_as_int: int (const struct ldb_message *, const char *, int) +ldb_msg_find_attr_as_int64: int64_t (const struct ldb_message *, const char *, int64_t) +ldb_msg_find_attr_as_string: const char *(const struct ldb_message *, const char *, const char *) +ldb_msg_find_attr_as_uint: unsigned int (const struct ldb_message *, const char *, unsigned int) +ldb_msg_find_attr_as_uint64: uint64_t (const struct ldb_message *, const char *, uint64_t) +ldb_msg_find_common_values: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message_element *, struct ldb_message_element *, uint32_t) +ldb_msg_find_duplicate_val: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message_element *, struct ldb_val **, uint32_t) +ldb_msg_find_element: struct ldb_message_element *(const struct ldb_message *, const char *) +ldb_msg_find_ldb_val: const struct ldb_val *(const struct ldb_message *, const char *) +ldb_msg_find_val: struct ldb_val *(const struct ldb_message_element *, struct ldb_val *) +ldb_msg_new: struct ldb_message *(TALLOC_CTX *) +ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **) +ldb_msg_remove_attr: void (struct ldb_message *, const char *) +ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *) +ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *) +ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *) +ldb_msg_sort_elements: void (struct ldb_message *) +ldb_next_del_trans: int (struct ldb_module *) +ldb_next_end_trans: int (struct ldb_module *) +ldb_next_init: int (struct ldb_module *) +ldb_next_prepare_commit: int (struct ldb_module *) +ldb_next_read_lock: int (struct ldb_module *) +ldb_next_read_unlock: int (struct ldb_module *) +ldb_next_remote_request: int (struct ldb_module *, struct ldb_request *) +ldb_next_request: int (struct ldb_module *, struct ldb_request *) +ldb_next_start_trans: int (struct ldb_module *) +ldb_op_default_callback: int (struct ldb_request *, struct ldb_reply *) +ldb_options_find: const char *(struct ldb_context *, const char **, const char *) +ldb_pack_data: int (struct ldb_context *, const struct ldb_message *, struct ldb_val *) +ldb_parse_control_from_string: struct ldb_control *(struct ldb_context *, TALLOC_CTX *, const char *) +ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CTX *, const char **) +ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *) +ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *) +ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *) +ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *) +ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t) +ldb_register_backend: int (const char *, ldb_connect_fn, bool) +ldb_register_extended_match_rule: int (struct ldb_context *, const struct ldb_extended_match_rule *) +ldb_register_hook: int (ldb_hook_fn) +ldb_register_module: int (const struct ldb_module_ops *) +ldb_rename: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *) +ldb_reply_add_control: int (struct ldb_reply *, const char *, bool, void *) +ldb_reply_get_control: struct ldb_control *(struct ldb_reply *, const char *) +ldb_req_get_custom_flags: uint32_t (struct ldb_request *) +ldb_req_is_untrusted: bool (struct ldb_request *) +ldb_req_location: const char *(struct ldb_request *) +ldb_req_mark_trusted: void (struct ldb_request *) +ldb_req_mark_untrusted: void (struct ldb_request *) +ldb_req_set_custom_flags: void (struct ldb_request *, uint32_t) +ldb_req_set_location: void (struct ldb_request *, const char *) +ldb_request: int (struct ldb_context *, struct ldb_request *) +ldb_request_add_control: int (struct ldb_request *, const char *, bool, void *) +ldb_request_done: int (struct ldb_request *, int) +ldb_request_get_control: struct ldb_control *(struct ldb_request *, const char *) +ldb_request_get_status: int (struct ldb_request *) +ldb_request_replace_control: int (struct ldb_request *, const char *, bool, void *) +ldb_request_set_state: void (struct ldb_request *, int) +ldb_reset_err_string: void (struct ldb_context *) +ldb_save_controls: int (struct ldb_control *, struct ldb_request *, struct ldb_control ***) +ldb_schema_attribute_add: int (struct ldb_context *, const char *, unsigned int, const char *) +ldb_schema_attribute_add_with_syntax: int (struct ldb_context *, const char *, unsigned int, const struct ldb_schema_syntax *) +ldb_schema_attribute_by_name: const struct ldb_schema_attribute *(struct ldb_context *, const char *) +ldb_schema_attribute_fill_with_syntax: int (struct ldb_context *, TALLOC_CTX *, const char *, unsigned int, const struct ldb_schema_syntax *, struct ldb_schema_attribute *) +ldb_schema_attribute_remove: void (struct ldb_context *, const char *) +ldb_schema_attribute_remove_flagged: void (struct ldb_context *, unsigned int) +ldb_schema_attribute_set_override_handler: void (struct ldb_context *, ldb_attribute_handler_override_fn_t, void *) +ldb_schema_set_override_GUID_index: void (struct ldb_context *, const char *, const char *) +ldb_schema_set_override_indexlist: void (struct ldb_context *, bool) +ldb_search: int (struct ldb_context *, TALLOC_CTX *, struct ldb_result **, struct ldb_dn *, enum ldb_scope, const char * const *, const char *, ...) +ldb_search_default_callback: int (struct ldb_request *, struct ldb_reply *) +ldb_sequence_number: int (struct ldb_context *, enum ldb_sequence_type, uint64_t *) +ldb_set_create_perms: void (struct ldb_context *, unsigned int) +ldb_set_debug: int (struct ldb_context *, void (*)(void *, enum ldb_debug_level, const char *, va_list), void *) +ldb_set_debug_stderr: int (struct ldb_context *) +ldb_set_default_dns: void (struct ldb_context *) +ldb_set_errstring: void (struct ldb_context *, const char *) +ldb_set_event_context: void (struct ldb_context *, struct tevent_context *) +ldb_set_flags: void (struct ldb_context *, unsigned int) +ldb_set_modules_dir: void (struct ldb_context *, const char *) +ldb_set_opaque: int (struct ldb_context *, const char *, void *) +ldb_set_require_private_event_context: void (struct ldb_context *) +ldb_set_timeout: int (struct ldb_context *, struct ldb_request *, int) +ldb_set_timeout_from_prev_req: int (struct ldb_context *, struct ldb_request *, struct ldb_request *) +ldb_set_utf8_default: void (struct ldb_context *) +ldb_set_utf8_fns: void (struct ldb_context *, void *, char *(*)(void *, void *, const char *, size_t)) +ldb_setup_wellknown_attributes: int (struct ldb_context *) +ldb_should_b64_encode: int (struct ldb_context *, const struct ldb_val *) +ldb_standard_syntax_by_name: const struct ldb_schema_syntax *(struct ldb_context *, const char *) +ldb_strerror: const char *(int) +ldb_string_to_time: time_t (const char *) +ldb_string_utc_to_time: time_t (const char *) +ldb_timestring: char *(TALLOC_CTX *, time_t) +ldb_timestring_utc: char *(TALLOC_CTX *, time_t) +ldb_transaction_cancel: int (struct ldb_context *) +ldb_transaction_cancel_noerr: int (struct ldb_context *) +ldb_transaction_commit: int (struct ldb_context *) +ldb_transaction_prepare_commit: int (struct ldb_context *) +ldb_transaction_start: int (struct ldb_context *) +ldb_unpack_data: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *) +ldb_unpack_data_only_attr_list: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, const char * const *, unsigned int, unsigned int *) +ldb_unpack_data_only_attr_list_flags: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, const char * const *, unsigned int, unsigned int, unsigned int *) +ldb_val_dup: struct ldb_val (TALLOC_CTX *, const struct ldb_val *) +ldb_val_equal_exact: int (const struct ldb_val *, const struct ldb_val *) +ldb_val_map_local: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *) +ldb_val_map_remote: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *) +ldb_val_string_cmp: int (const struct ldb_val *, const char *) +ldb_val_to_time: int (const struct ldb_val *, time_t *) +ldb_valid_attr_name: int (const char *) +ldb_vdebug: void (struct ldb_context *, enum ldb_debug_level, const char *, va_list) +ldb_wait: int (struct ldb_handle *, enum ldb_wait_type) diff --git a/lib/ldb/ABI/pyldb-util-1.4.2.sigs b/lib/ldb/ABI/pyldb-util-1.4.2.sigs new file mode 100644 index 00000000000..74d6719d2bc --- /dev/null +++ b/lib/ldb/ABI/pyldb-util-1.4.2.sigs @@ -0,0 +1,2 @@ +pyldb_Dn_FromDn: PyObject *(struct ldb_dn *) +pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **) diff --git a/lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs b/lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs new file mode 100644 index 00000000000..74d6719d2bc --- /dev/null +++ b/lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs @@ -0,0 +1,2 @@ +pyldb_Dn_FromDn: PyObject *(struct ldb_dn *) +pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **) diff --git a/lib/ldb/wscript b/lib/ldb/wscript index 35b40eddce6..c9c9663d987 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -1,7 +1,7 @@ #!/usr/bin/env python APPNAME = 'ldb' -VERSION = '1.4.1' +VERSION = '1.4.2' blddir = 'bin' -- 2.11.0 From 0e54eb796654cead8d672c6591bd821b36917145 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 2 Jul 2018 16:49:37 +1200 Subject: [PATCH 4/7] dns_server: Be strict when constructing a LDB DN from an untrusted DNS name This changes our DNS server to be much more careful when constructing DNS names into LDB DN values. This avoids a segfault deep in the LDB code if the ldb_dn_get_casefold() fails there. A seperate patch will address that part of the issue, and a later patch will re-work this code to use single API: ldb_dn_add_child_val(). This is not squahed with this work because this patch does not rely on a new LDB release, and so may be helpful for a backport. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- source4/dns_server/dnsserver_common.c | 59 +++++++++++++++++++++++++++++++++-- 1 file changed, 56 insertions(+), 3 deletions(-) diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c index 6c7ab802575..ec3b917be80 100644 --- a/source4/dns_server/dnsserver_common.c +++ b/source4/dns_server/dnsserver_common.c @@ -915,7 +915,11 @@ WERROR dns_common_name2dn(struct ldb_context *samdb, struct ldb_dn *dn; const struct dns_server_zone *z; size_t host_part_len = 0; + struct ldb_val host_part; WERROR werr; + bool ok; + int ret; + const char *casefold = NULL; if (name == NULL) { return DNS_ERR(FORMAT_ERROR); @@ -924,7 +928,13 @@ WERROR dns_common_name2dn(struct ldb_context *samdb, if (strcmp(name, "") == 0) { base = ldb_get_default_basedn(samdb); dn = ldb_dn_copy(mem_ctx, base); - ldb_dn_add_child_fmt(dn, "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System"); + ok = ldb_dn_add_child_fmt(dn, + "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System"); + if (ok == false) { + TALLOC_FREE(dn); + return WERR_NOT_ENOUGH_MEMORY; + } + *_dn = dn; return WERR_OK; } @@ -950,13 +960,56 @@ WERROR dns_common_name2dn(struct ldb_context *samdb, if (host_part_len == 0) { dn = ldb_dn_copy(mem_ctx, z->dn); - ldb_dn_add_child_fmt(dn, "DC=@"); + ok = ldb_dn_add_child_fmt(dn, "DC=@"); + if (! ok) { + TALLOC_FREE(dn); + return WERR_NOT_ENOUGH_MEMORY; + } *_dn = dn; return WERR_OK; } dn = ldb_dn_copy(mem_ctx, z->dn); - ldb_dn_add_child_fmt(dn, "DC=%*.*s", (int)host_part_len, (int)host_part_len, name); + if (dn == NULL) { + TALLOC_FREE(dn); + return WERR_NOT_ENOUGH_MEMORY; + } + + ok = ldb_dn_add_child_fmt(dn, "DC=X"); + + if (ok == false) { + TALLOC_FREE(dn); + return WERR_NOT_ENOUGH_MEMORY; + } + + host_part = data_blob_const(name, host_part_len); + + ret = ldb_dn_set_component(dn, 0, "DC", host_part); + if (ret != LDB_SUCCESS) { + TALLOC_FREE(dn); + return WERR_NOT_ENOUGH_MEMORY; + } + + /* + * Check the new DN here for validity, so as to catch errors + * early + */ + ok = ldb_dn_validate(dn); + if (ok == false) { + TALLOC_FREE(dn); + return DNS_ERR(NAME_ERROR); + } + + /* + * The value from this check is saved in the DN, and doing + * this here allows an easy return here. + */ + casefold = ldb_dn_get_casefold(dn); + if (casefold == NULL) { + TALLOC_FREE(dn); + return DNS_ERR(NAME_ERROR); + } + *_dn = dn; return WERR_OK; } -- 2.11.0 From 1e67a5d0cf8f8a8cbb1f5a6e4acf26dc166cfd03 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Thu, 5 Jul 2018 15:27:35 +1200 Subject: [PATCH 5/7] selftest: Remove knownfail now ldb 1.4.1 is released with CVE-2018-1140 fixed Signed-off-by: Douglas Bagnall --- selftest/knownfail.d/dns | 3 --- 1 file changed, 3 deletions(-) diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns index 140ded24fa0..cb3003240ea 100644 --- a/selftest/knownfail.d/dns +++ b/selftest/knownfail.d/dns @@ -45,6 +45,3 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\) # The SOA override should not pass against the RODC, it must not overstamp samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\) - -# This still needs to be fixed in LDB -samba.tests.dns_invalid.__main__.TestBrokenQueries.test_invalid_chars_in_name\(ad_dc:local\) -- 2.11.0 From 38b9f1ed03d92b900f38faac19a4254f1eb39bbb Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 3 Jul 2018 15:16:56 +1200 Subject: [PATCH 6/7] ldb: Add new function ldb_dn_add_child_val() This is safer for untrusted input than ldb_dn_add_child_fmt() Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- lib/ldb/common/ldb_dn.c | 35 +++++++++++++ lib/ldb/include/ldb.h | 3 ++ lib/ldb/tests/test_ldb_dn.c | 117 ++++++++++++++++++++++++++++++++++++++++++++ lib/ldb/wscript | 6 +++ 4 files changed, 161 insertions(+) create mode 100644 lib/ldb/tests/test_ldb_dn.c diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c index dfeb600f56f..3bd655adbd5 100644 --- a/lib/ldb/common/ldb_dn.c +++ b/lib/ldb/common/ldb_dn.c @@ -1605,6 +1605,41 @@ bool ldb_dn_add_child_fmt(struct ldb_dn *dn, const char *child_fmt, ...) return ret; } +/* modify the given dn by adding a single child element. + * + * return true if successful and false if not + * if false is returned the dn may be marked invalid + */ +bool ldb_dn_add_child_val(struct ldb_dn *dn, + const char *rdn, + struct ldb_val value) +{ + bool ret; + int ldb_ret; + struct ldb_dn *child = NULL; + + if ( !dn || dn->invalid) { + return false; + } + + child = ldb_dn_new(dn, dn->ldb, "X=Y"); + ret = ldb_dn_add_child(dn, child); + + if (ret == false) { + return false; + } + + ldb_ret = ldb_dn_set_component(dn, + 0, + rdn, + value); + if (ldb_ret != LDB_SUCCESS) { + return false; + } + + return true; +} + bool ldb_dn_remove_base_components(struct ldb_dn *dn, unsigned int num) { unsigned int i; diff --git a/lib/ldb/include/ldb.h b/lib/ldb/include/ldb.h index 9918b4e69d9..81bee934da5 100644 --- a/lib/ldb/include/ldb.h +++ b/lib/ldb/include/ldb.h @@ -1882,6 +1882,9 @@ bool ldb_dn_add_child(struct ldb_dn *dn, struct ldb_dn *child); bool ldb_dn_add_child_fmt(struct ldb_dn *dn, const char *child_fmt, ...) PRINTF_ATTRIBUTE(2,3); bool ldb_dn_remove_base_components(struct ldb_dn *dn, unsigned int num); bool ldb_dn_remove_child_components(struct ldb_dn *dn, unsigned int num); +bool ldb_dn_add_child_val(struct ldb_dn *dn, + const char *rdn, + struct ldb_val value); struct ldb_dn *ldb_dn_copy(TALLOC_CTX *mem_ctx, struct ldb_dn *dn); struct ldb_dn *ldb_dn_get_parent(TALLOC_CTX *mem_ctx, struct ldb_dn *dn); diff --git a/lib/ldb/tests/test_ldb_dn.c b/lib/ldb/tests/test_ldb_dn.c new file mode 100644 index 00000000000..4965dcef575 --- /dev/null +++ b/lib/ldb/tests/test_ldb_dn.c @@ -0,0 +1,117 @@ +/* + * Unix SMB/CIFS implementation. + * + * Copyright (C) 2018 Andreas Schneider + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include +#include +#include +#include + +#include + +static void test_ldb_dn_add_child_fmt(void **state) +{ + struct ldb_context *ldb = ldb_init(NULL, NULL); + + struct ldb_dn *dn = ldb_dn_new(ldb, ldb, "dc=samba,dc=org"); + + assert_true(ldb_dn_add_child_fmt(dn, + "DC=X")); + + assert_string_equal("DC=X,dc=samba,dc=org", + ldb_dn_get_linearized(dn)); + + assert_string_equal("DC=X,DC=SAMBA,DC=ORG", + ldb_dn_get_casefold(dn)); + +} + +static void test_ldb_dn_add_child_fmt2(void **state) +{ + struct ldb_context *ldb = ldb_init(NULL, NULL); + + struct ldb_dn *dn = ldb_dn_new(ldb, ldb, "dc=samba,dc=org"); + + assert_true(ldb_dn_add_child_fmt(dn, + "DC=X,DC=Y")); + + assert_string_equal("DC=X,DC=Y,dc=samba,dc=org", + ldb_dn_get_linearized(dn)); + + assert_string_equal("DC=X,DC=Y,DC=SAMBA,DC=ORG", + ldb_dn_get_casefold(dn)); + + assert_int_equal(4, + ldb_dn_get_comp_num(dn)); + +} + +static void test_ldb_dn_add_child_val(void **state) +{ + struct ldb_context *ldb = ldb_init(NULL, NULL); + + struct ldb_dn *dn = ldb_dn_new(ldb, ldb, "dc=samba,dc=org"); + struct ldb_val name = {.data = discard_const("X"), + .length = 1 + }; + + assert_true(ldb_dn_add_child_val(dn, + "DC", name)); + + assert_string_equal("DC=X,dc=samba,dc=org", + ldb_dn_get_linearized(dn)); + + assert_string_equal("DC=X,DC=SAMBA,DC=ORG", + ldb_dn_get_casefold(dn)); + +} + +static void test_ldb_dn_add_child_val2(void **state) +{ + struct ldb_context *ldb = ldb_init(NULL, NULL); + + struct ldb_dn *dn = ldb_dn_new(ldb, ldb, "dc=samba,dc=org"); + + struct ldb_val name = {.data = discard_const("X,DC=Y"), + .length = 6 + }; + + assert_true(ldb_dn_add_child_val(dn, + "DC", name)); + + assert_string_equal("DC=X\\,DC\\3DY,dc=samba,dc=org", + ldb_dn_get_linearized(dn)); + + assert_string_equal("DC=X\\,DC\\3DY,DC=SAMBA,DC=ORG", + ldb_dn_get_casefold(dn)); + + assert_int_equal(3, + ldb_dn_get_comp_num(dn)); + +} + +int main(void) { + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_ldb_dn_add_child_fmt), + cmocka_unit_test(test_ldb_dn_add_child_fmt2), + cmocka_unit_test(test_ldb_dn_add_child_val), + cmocka_unit_test(test_ldb_dn_add_child_val2), + }; + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/lib/ldb/wscript b/lib/ldb/wscript index c9c9663d987..001981c7356 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -488,6 +488,11 @@ def build(bld): deps='cmocka ldb', install=False) + bld.SAMBA_BINARY('test_ldb_dn', + source='tests/test_ldb_dn.c', + deps='cmocka ldb', + install=False) + if bld.CONFIG_SET('HAVE_LMDB'): bld.SAMBA_BINARY('ldb_mdb_mod_op_test', source='tests/ldb_mod_op_test.c', @@ -544,6 +549,7 @@ def test(ctx): cmocka_ret = 0 test_exes = ['test_ldb_qsort', + 'test_ldb_dn', 'ldb_msg_test', 'ldb_tdb_mod_op_test', 'ldb_tdb_guid_mod_op_test', -- 2.11.0 From 0d1705741d4d67153657872c488d7542c11b694f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 3 Jul 2018 15:18:25 +1200 Subject: [PATCH 7/7] dns_server: Avoid ldb_dn_add_child_fmt() on untrusted input By using the new ldb_dn_add_child_val() we ensure that the user-controlled values are not parsed as DN seperators. Additionally, the casefold DN is obtained before the search to trigger a full parse of the DN before being handled to the LDB search. This is not normally required but is done here due to the nature of the untrusted input. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- source4/dns_server/dlz_bind9.c | 156 ++++++++++++++++++++++++++++++-- source4/dns_server/dnsserver_common.c | 13 +-- source4/rpc_server/dnsserver/dnsdb.c | 11 ++- source4/rpc_server/dnsserver/dnsutils.c | 14 ++- 4 files changed, 172 insertions(+), 22 deletions(-) diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c index ac785f0d4f3..94f3110f9b8 100644 --- a/source4/dns_server/dlz_bind9.c +++ b/source4/dns_server/dlz_bind9.c @@ -776,8 +776,11 @@ static isc_result_t b9_find_zone_dn(struct dlz_bind9_data *state, const char *zo int i; for (i=0; zone_prefixes[i]; i++) { + const char *casefold; struct ldb_dn *dn; struct ldb_result *res; + struct ldb_val zone_name_val + = data_blob_string_const(zone_name); dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb)); if (dn == NULL) { @@ -785,11 +788,40 @@ static isc_result_t b9_find_zone_dn(struct dlz_bind9_data *state, const char *zo return ISC_R_NOMEMORY; } - if (!ldb_dn_add_child_fmt(dn, "DC=%s,%s", zone_name, zone_prefixes[i])) { + /* + * This dance ensures that it is not possible to put + * (eg) an extra DC=x, into the DNS name being + * queried + */ + + if (!ldb_dn_add_child_fmt(dn, + "DC=X,%s", + zone_prefixes[i])) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + ret = ldb_dn_set_component(dn, + 0, + "DC", + zone_name_val); + if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ISC_R_NOMEMORY; } + /* + * Check if this is a plausibly valid DN early + * (time spent here will be saved during the + * search due to an internal cache) + */ + casefold = ldb_dn_get_casefold(dn); + + if (casefold == NULL) { + talloc_free(tmp_ctx); + return ISC_R_NOTFOUND; + } + ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, "objectClass=dnsZone"); if (ret == LDB_SUCCESS) { if (zone_dn != NULL) { @@ -820,19 +852,42 @@ static isc_result_t b9_find_name_dn(struct dlz_bind9_data *state, const char *na isc_result_t result; result = b9_find_zone_dn(state, p, mem_ctx, dn); if (result == ISC_R_SUCCESS) { + const char *casefold; + /* we found a zone, now extend the DN to get * the full DN */ bool ret; if (p == name) { ret = ldb_dn_add_child_fmt(*dn, "DC=@"); + if (ret == false) { + talloc_free(*dn); + return ISC_R_NOMEMORY; + } } else { - ret = ldb_dn_add_child_fmt(*dn, "DC=%.*s", (int)(p-name)-1, name); + struct ldb_val name_val + = data_blob_const(name, + (int)(p-name)-1); + + if (!ldb_dn_add_child_val(*dn, + "DC", + name_val)) { + talloc_free(*dn); + return ISC_R_NOMEMORY; + } } - if (!ret) { - talloc_free(*dn); - return ISC_R_NOMEMORY; + + /* + * Check if this is a plausibly valid DN early + * (time spent here will be saved during the + * search due to an internal cache) + */ + casefold = ldb_dn_get_casefold(*dn); + + if (casefold == NULL) { + return ISC_R_NOTFOUND; } + return ISC_R_SUCCESS; } p = strchr(p, '.'); @@ -874,19 +929,63 @@ static isc_result_t dlz_lookup_types(struct dlz_bind9_data *state, WERROR werr = WERR_DNS_ERROR_NAME_DOES_NOT_EXIST; struct dnsp_DnssrvRpcRecord *records = NULL; uint16_t num_records = 0, i; + struct ldb_val zone_name_val + = data_blob_string_const(zone); + struct ldb_val name_val + = data_blob_string_const(name); for (i=0; zone_prefixes[i]; i++) { + int ret; + const char *casefold; dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb)); if (dn == NULL) { talloc_free(tmp_ctx); return ISC_R_NOMEMORY; } - if (!ldb_dn_add_child_fmt(dn, "DC=%s,DC=%s,%s", name, zone, zone_prefixes[i])) { + /* + * This dance ensures that it is not possible to put + * (eg) an extra DC=x, into the DNS name being + * queried + */ + + if (!ldb_dn_add_child_fmt(dn, + "DC=X,DC=X,%s", + zone_prefixes[i])) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + ret = ldb_dn_set_component(dn, + 1, + "DC", + zone_name_val); + if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ISC_R_NOMEMORY; } + ret = ldb_dn_set_component(dn, + 0, + "DC", + name_val); + if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + /* + * Check if this is a plausibly valid DN early + * (time spent here will be saved during the + * search due to an internal cache) + */ + casefold = ldb_dn_get_casefold(dn); + + if (casefold == NULL) { + talloc_free(tmp_ctx); + return ISC_R_NOTFOUND; + } + werr = dns_common_wildcard_lookup(state->samdb, tmp_ctx, dn, &records, &num_records); if (W_ERROR_IS_OK(werr)) { @@ -953,19 +1052,50 @@ _PUBLIC_ isc_result_t dlz_allnodes(const char *zone, void *dbdata, struct ldb_dn *dn; struct ldb_result *res; TALLOC_CTX *tmp_ctx = talloc_new(state); + struct ldb_val zone_name_val = data_blob_string_const(zone); for (i=0; zone_prefixes[i]; i++) { + const char *casefold; + dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb)); if (dn == NULL) { talloc_free(tmp_ctx); return ISC_R_NOMEMORY; } - if (!ldb_dn_add_child_fmt(dn, "DC=%s,%s", zone, zone_prefixes[i])) { + /* + * This dance ensures that it is not possible to put + * (eg) an extra DC=x, into the DNS name being + * queried + */ + + if (!ldb_dn_add_child_fmt(dn, + "DC=X,%s", + zone_prefixes[i])) { + talloc_free(tmp_ctx); + return ISC_R_NOMEMORY; + } + + ret = ldb_dn_set_component(dn, + 0, + "DC", + zone_name_val); + if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ISC_R_NOMEMORY; } + /* + * Check if this is a plausibly valid DN early + * (time spent here will be saved during the + * search due to an internal cache) + */ + casefold = ldb_dn_get_casefold(dn); + + if (casefold == NULL) { + return ISC_R_NOTFOUND; + } + ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE, attrs, "objectClass=dnsNode"); if (ret == LDB_SUCCESS) { @@ -1118,8 +1248,18 @@ static bool b9_has_soa(struct dlz_bind9_data *state, struct ldb_dn *dn, const ch WERROR werr; struct dnsp_DnssrvRpcRecord *records = NULL; uint16_t num_records = 0, i; + struct ldb_val zone_name_val + = data_blob_string_const(zone); + + /* + * This dance ensures that it is not possible to put + * (eg) an extra DC=x, into the DNS name being + * queried + */ - if (!ldb_dn_add_child_fmt(dn, "DC=@,DC=%s", zone)) { + if (!ldb_dn_add_child_val(dn, + "DC", + zone_name_val)) { talloc_free(tmp_ctx); return false; } diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c index ec3b917be80..e214a9f37ec 100644 --- a/source4/dns_server/dnsserver_common.c +++ b/source4/dns_server/dnsserver_common.c @@ -918,7 +918,6 @@ WERROR dns_common_name2dn(struct ldb_context *samdb, struct ldb_val host_part; WERROR werr; bool ok; - int ret; const char *casefold = NULL; if (name == NULL) { @@ -975,17 +974,11 @@ WERROR dns_common_name2dn(struct ldb_context *samdb, return WERR_NOT_ENOUGH_MEMORY; } - ok = ldb_dn_add_child_fmt(dn, "DC=X"); - - if (ok == false) { - TALLOC_FREE(dn); - return WERR_NOT_ENOUGH_MEMORY; - } - host_part = data_blob_const(name, host_part_len); - ret = ldb_dn_set_component(dn, 0, "DC", host_part); - if (ret != LDB_SUCCESS) { + ok = ldb_dn_add_child_val(dn, "DC", host_part); + + if (ok == false) { TALLOC_FREE(dn); return WERR_NOT_ENOUGH_MEMORY; } diff --git a/source4/rpc_server/dnsserver/dnsdb.c b/source4/rpc_server/dnsserver/dnsdb.c index 81a2d2070a0..6ecc0b2a581 100644 --- a/source4/rpc_server/dnsserver/dnsdb.c +++ b/source4/rpc_server/dnsserver/dnsdb.c @@ -365,6 +365,7 @@ WERROR dnsserver_db_add_empty_node(TALLOC_CTX *mem_ctx, struct ldb_result *res; struct ldb_dn *dn; char *encoded_name = ldb_binary_encode_string(mem_ctx, name); + struct ldb_val name_val = data_blob_string_const(name); int ret; ret = ldb_search(samdb, mem_ctx, &res, z->zone_dn, LDB_SCOPE_BASE, attrs, @@ -382,7 +383,7 @@ WERROR dnsserver_db_add_empty_node(TALLOC_CTX *mem_ctx, dn = ldb_dn_copy(mem_ctx, z->zone_dn); W_ERROR_HAVE_NO_MEMORY(dn); - if (!ldb_dn_add_child_fmt(dn, "DC=%s", name)) { + if (!ldb_dn_add_child_val(dn, "DC", name_val)) { return WERR_NOT_ENOUGH_MEMORY; } @@ -886,6 +887,7 @@ WERROR dnsserver_db_create_zone(struct ldb_context *samdb, struct dnsp_DnssrvRpcRecord *dns_rec; struct dnsp_soa soa; char *tmpstr, *server_fqdn, *soa_email; + struct ldb_val name_val = data_blob_string_const(zone->name); NTTIME t; /* We only support primary zones for now */ @@ -912,7 +914,12 @@ WERROR dnsserver_db_create_zone(struct ldb_context *samdb, dn = ldb_dn_copy(tmp_ctx, p->partition_dn); W_ERROR_HAVE_NO_MEMORY_AND_FREE(dn, tmp_ctx); - if(!ldb_dn_add_child_fmt(dn, "DC=%s,CN=MicrosoftDNS", zone->name)) { + if (!ldb_dn_add_child_fmt(dn, "CN=MicrosoftDNS")) { + talloc_free(tmp_ctx); + return WERR_NOT_ENOUGH_MEMORY; + } + + if (!ldb_dn_add_child_val(dn, "DC", name_val)) { talloc_free(tmp_ctx); return WERR_NOT_ENOUGH_MEMORY; } diff --git a/source4/rpc_server/dnsserver/dnsutils.c b/source4/rpc_server/dnsserver/dnsutils.c index 72b47f72b4f..ece8f02c4d0 100644 --- a/source4/rpc_server/dnsserver/dnsutils.c +++ b/source4/rpc_server/dnsserver/dnsutils.c @@ -313,6 +313,8 @@ struct ldb_dn *dnsserver_name_to_dn(TALLOC_CTX *mem_ctx, struct dnsserver_zone * { struct ldb_dn *dn; bool ret; + struct ldb_val name_val = + data_blob_string_const(name); dn = ldb_dn_copy(mem_ctx, z->zone_dn); if (dn == NULL) { @@ -320,9 +322,17 @@ struct ldb_dn *dnsserver_name_to_dn(TALLOC_CTX *mem_ctx, struct dnsserver_zone * } if (strcasecmp(name, z->name) == 0) { ret = ldb_dn_add_child_fmt(dn, "DC=@"); - } else { - ret = ldb_dn_add_child_fmt(dn, "DC=%s", name); + if (!ret) { + talloc_free(dn); + return NULL; + } + return dn; } + + ret = ldb_dn_add_child_val(dn, + "DC", + name_val); + if (!ret) { talloc_free(dn); return NULL; -- 2.11.0