The Samba-Bugzilla – Attachment 14288 Details for
Bug 13466
[SECURITY Hardening] DNS query with escape characters in DNS name makes Samba crash
[patch]
Follow-up patch to CVE-2018-1140 to harden the DNS server
followup-to-CVE-2018-1140-master.patch (text/plain), 50.29 KB, created by
Andrew Bartlett
on 2018-07-06 03:37:44 UTC
Description:
Follow-up patch to CVE-2018-1140 to harden the DNS server
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2018-07-06 03:37:44 UTC
Size:
50.29 KB
>From 5ea62390abab7348ca99ca7022298b25b5620169 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 21 May 2018 15:25:33 +1200
>Subject: [PATCH 1/7] ldb_tdb: Remove pointless check of ldb_dn_is_valid()
>
>If the DN is not valid the ltdb_search_dn1() will catch it with ldb_dn_validate() which
>is the only safe way to check this. ldb_dn_is_valid() does not actually check, but instead
>returns only the result of the previous checks, if there was one.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
>---
> lib/ldb/ldb_tdb/ldb_search.c | 8 --------
> 1 file changed, 8 deletions(-)
>
>diff --git a/lib/ldb/ldb_tdb/ldb_search.c b/lib/ldb/ldb_tdb/ldb_search.c
>index af66a097ad5..1fd6adb6db4 100644
>--- a/lib/ldb/ldb_tdb/ldb_search.c
>+++ b/lib/ldb/ldb_tdb/ldb_search.c
>@@ -759,14 +759,6 @@ int ltdb_search(struct ltdb_context *ctx)
> /* We accept subtree searches from a NULL base DN, ie over the whole DB */
> ret = LDB_SUCCESS;
> }
>- } else if (ldb_dn_is_valid(req->op.search.base) == false) {
>-
>- /* We don't want invalid base DNs here */
>- ldb_asprintf_errstring(ldb,
>- "Invalid Base DN: %s",
>- ldb_dn_get_linearized(req->op.search.base));
>- ret = LDB_ERR_INVALID_DN_SYNTAX;
>-
> } else if (req->op.search.scope == LDB_SCOPE_BASE) {
>
> /*
>--
>2.11.0
>
>
>From 70f75e723e4fb00a526d7275aaee05cdc31ab59b Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Wed, 4 Jul 2018 13:26:16 +1200
>Subject: [PATCH 2/7] ldb: extend API tests
>
>These additional API tests just check that an invalid base DN
>is never accepted.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> lib/ldb/tests/python/api.py | 47 ++++++++++++++++++++++++++++++++++++++++++---
> 1 file changed, 44 insertions(+), 3 deletions(-)
>
>diff --git a/lib/ldb/tests/python/api.py b/lib/ldb/tests/python/api.py
>index e4010960697..471d70fc521 100755
>--- a/lib/ldb/tests/python/api.py
>+++ b/lib/ldb/tests/python/api.py
>@@ -1309,6 +1309,41 @@ class SearchTests(LdbBaseTest):
> expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
> self.assertEqual(len(res11), 0)
>
>+ def test_bad_dn_search_base(self):
>+ """Testing with a bad base DN (SCOPE_BASE)"""
>+
>+ try:
>+ res11 = self.l.search(base="OU=OU1,DC=SAMBA,DCXXX",
>+ scope=ldb.SCOPE_BASE)
>+ self.fail("Should have failed with ERR_INVALID_DN_SYNTAX")
>+ except ldb.LdbError as err:
>+ enum = err.args[0]
>+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
>+
>+
>+ def test_bad_dn_search_one(self):
>+ """Testing with a bad base DN (SCOPE_ONELEVEL)"""
>+
>+ try:
>+ res11 = self.l.search(base="DC=SAMBA,DCXXXX",
>+ scope=ldb.SCOPE_ONELEVEL)
>+ self.fail("Should have failed with ERR_INVALID_DN_SYNTAX")
>+ except ldb.LdbError as err:
>+ enum = err.args[0]
>+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
>+
>+ def test_bad_dn_search_subtree(self):
>+ """Testing with a bad base DN (SCOPE_SUBTREE)"""
>+
>+ try:
>+ res11 = self.l.search(base="DC=SAMBA,DCXXXX",
>+ scope=ldb.SCOPE_SUBTREE)
>+ self.fail("Should have failed with ERR_INVALID_DN_SYNTAX")
>+ except ldb.LdbError as err:
>+ enum = err.args[0]
>+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
>+
>+
>
> # Run the search tests against an lmdb backend
> class SearchTestsLmdb(SearchTests):
>@@ -1375,8 +1410,10 @@ class IndexedAndOneLevelDNFilterSearchTests(SearchTests):
> def setUp(self):
> super(IndexedAndOneLevelDNFilterSearchTests, self).setUp()
> self.l.add({"dn": "@OPTIONS",
>- "disallowDNFilter": "TRUE"})
>+ "disallowDNFilter": "TRUE",
>+ "checkBaseOnSearch": "TRUE"})
> self.disallowDNFilter = True
>+ self.checkBaseOnSearch = True
>
> self.l.add({"dn": "@INDEXLIST",
> "@IDXATTR": [b"x", b"y", b"ou"],
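Review bot: The three new test_bad_dn_search_* methods in the first api.py hunk bind `res11` without ever reading it and repeat the same try/except/self.fail scaffolding, where the unittest context manager says the same thing in three lines, e.g. `with self.assertRaises(ldb.LdbError) as cm:` / `self.l.search(base="DC=SAMBA,DCXXXX", scope=ldb.SCOPE_SUBTREE)` / `self.assertEqual(cm.exception.args[0], ldb.ERR_INVALID_DN_SYNTAX)`. The assertion itself is sound: a search that returns normally reaches self.fail and a wrong error code fails the assertEqual, so only the unused binding and the duplication are at issue. The SCOPE_BASE case also uses `DCXXX` where the other two use `DCXXXX`; both are malformed, but using one malformed suffix throughout makes the intent of the three tests easier to compare.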
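Review bot: The `self.checkBaseOnSearch = True` attribute added to IndexedAndOneLevelDNFilterSearchTests.setUp has no reader anywhere in this hunk, and the same two additions recur unchanged in the GUIDIndexedDNFilterSearchTests and GUIDAndOneLevelIndexedSearchTests hunks that follow. Presumably some test in the SearchTests base class branches on it, as the existing `self.disallowDNFilter` flag suggests, but nothing visible here records why the option is enabled for exactly these three fixtures and not the others. A one-line comment above the @OPTIONS add, such as `# checkBaseOnSearch: base DN is also validated on search -- TODO: name the tests that depend on this`, would tie the option to the behaviour being exercised; if the attribute turns out to be consulted nowhere, it should be dropped rather than carried alongside disallowDNFilter.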
>@@ -1408,8 +1445,10 @@ class GUIDIndexedDNFilterSearchTests(SearchTests):
> "@IDX_DN_GUID": [b"GUID"]}
> super(GUIDIndexedDNFilterSearchTests, self).setUp()
> self.l.add({"dn": "@OPTIONS",
>- "disallowDNFilter": "TRUE"})
>+ "disallowDNFilter": "TRUE",
>+ "checkBaseOnSearch": "TRUE"})
> self.disallowDNFilter = True
>+ self.checkBaseOnSearch = True
> self.IDX = True
> self.IDXGUID = True
>
>@@ -1423,8 +1462,10 @@ class GUIDAndOneLevelIndexedSearchTests(SearchTests):
> "@IDX_DN_GUID": [b"GUID"]}
> super(GUIDAndOneLevelIndexedSearchTests, self).setUp()
> self.l.add({"dn": "@OPTIONS",
>- "disallowDNFilter": "TRUE"})
>+ "disallowDNFilter": "TRUE",
>+ "checkBaseOnSearch": "TRUE"})
> self.disallowDNFilter = True
>+ self.checkBaseOnSearch = True
> self.IDX = True
> self.IDXGUID = True
> self.IDXONE = True
>--
>2.11.0
>
>
>From 5f47dd22f97807be8db71538c64088e2da6e7a10 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 3 Jul 2018 15:21:07 +1200
>Subject: [PATCH 3/7] ldb: Release LDB 1.4.2
>
>* New API ldb_dn_add_child_val() avoids passing untrusted input to ldb_dn_add_child_fmt()
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> lib/ldb/ABI/ldb-1.4.2.sigs | 279 ++++++++++++++++++++++++++++++++++
> lib/ldb/ABI/pyldb-util-1.4.2.sigs | 2 +
> lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs | 2 +
> lib/ldb/wscript | 2 +-
> 4 files changed, 284 insertions(+), 1 deletion(-)
> create mode 100644 lib/ldb/ABI/ldb-1.4.2.sigs
> create mode 100644 lib/ldb/ABI/pyldb-util-1.4.2.sigs
> create mode 100644 lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs
>
>diff --git a/lib/ldb/ABI/ldb-1.4.2.sigs b/lib/ldb/ABI/ldb-1.4.2.sigs
>new file mode 100644
>index 00000000000..a31b84ef4b5
>--- /dev/null
>+++ b/lib/ldb/ABI/ldb-1.4.2.sigs
>@@ -0,0 +1,279 @@ >+ldb_add: int (struct ldb_context *, const struct ldb_message *) >+ldb_any_comparison: int (struct ldb_context *, void *, ldb_attr_handler_t, const struct ldb_val *, const struct ldb_val *) >+ldb_asprintf_errstring: void (struct ldb_context *, const char *, ...) >+ldb_attr_casefold: char *(TALLOC_CTX *, const char *) >+ldb_attr_dn: int (const char *) >+ldb_attr_in_list: int (const char * const *, const char *) >+ldb_attr_list_copy: const char **(TALLOC_CTX *, const char * const *) >+ldb_attr_list_copy_add: const char **(TALLOC_CTX *, const char * const *, const char *) >+ldb_base64_decode: int (char *) >+ldb_base64_encode: char *(TALLOC_CTX *, const char *, int) >+ldb_binary_decode: struct ldb_val (TALLOC_CTX *, const char *) >+ldb_binary_encode: char *(TALLOC_CTX *, struct ldb_val) >+ldb_binary_encode_string: char *(TALLOC_CTX *, const char *) >+ldb_build_add_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_del_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_extended_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const char *, void *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_mod_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_rename_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_search_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, const char *, const char * const *, struct ldb_control 
**, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_build_search_req_ex: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, struct ldb_parse_tree *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *) >+ldb_casefold: char *(struct ldb_context *, TALLOC_CTX *, const char *, size_t) >+ldb_casefold_default: char *(void *, TALLOC_CTX *, const char *, size_t) >+ldb_check_critical_controls: int (struct ldb_control **) >+ldb_comparison_binary: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *) >+ldb_comparison_fold: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *) >+ldb_connect: int (struct ldb_context *, const char *, unsigned int, const char **) >+ldb_control_to_string: char *(TALLOC_CTX *, const struct ldb_control *) >+ldb_controls_except_specified: struct ldb_control **(struct ldb_control **, TALLOC_CTX *, struct ldb_control *) >+ldb_debug: void (struct ldb_context *, enum ldb_debug_level, const char *, ...) >+ldb_debug_add: void (struct ldb_context *, const char *, ...) >+ldb_debug_end: void (struct ldb_context *, enum ldb_debug_level) >+ldb_debug_set: void (struct ldb_context *, enum ldb_debug_level, const char *, ...) >+ldb_delete: int (struct ldb_context *, struct ldb_dn *) >+ldb_dn_add_base: bool (struct ldb_dn *, struct ldb_dn *) >+ldb_dn_add_base_fmt: bool (struct ldb_dn *, const char *, ...) >+ldb_dn_add_child: bool (struct ldb_dn *, struct ldb_dn *) >+ldb_dn_add_child_fmt: bool (struct ldb_dn *, const char *, ...) 
>+ldb_dn_alloc_casefold: char *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_alloc_linearized: char *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_canonical_ex_string: char *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_canonical_string: char *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_check_local: bool (struct ldb_module *, struct ldb_dn *) >+ldb_dn_check_special: bool (struct ldb_dn *, const char *) >+ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *) >+ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *) >+ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val) >+ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const struct ldb_dn_extended_syntax *) >+ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *) >+ldb_dn_extended_syntax_by_name: const struct ldb_dn_extended_syntax *(struct ldb_context *, const char *) >+ldb_dn_from_ldb_val: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const struct ldb_val *) >+ldb_dn_get_casefold: const char *(struct ldb_dn *) >+ldb_dn_get_comp_num: int (struct ldb_dn *) >+ldb_dn_get_component_name: const char *(struct ldb_dn *, unsigned int) >+ldb_dn_get_component_val: const struct ldb_val *(struct ldb_dn *, unsigned int) >+ldb_dn_get_extended_comp_num: int (struct ldb_dn *) >+ldb_dn_get_extended_component: const struct ldb_val *(struct ldb_dn *, const char *) >+ldb_dn_get_extended_linearized: char *(TALLOC_CTX *, struct ldb_dn *, int) >+ldb_dn_get_ldb_context: struct ldb_context *(struct ldb_dn *) >+ldb_dn_get_linearized: const char *(struct ldb_dn *) >+ldb_dn_get_parent: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) >+ldb_dn_get_rdn_name: const char *(struct ldb_dn *) >+ldb_dn_get_rdn_val: const struct ldb_val *(struct ldb_dn *) >+ldb_dn_has_extended: bool (struct ldb_dn *) >+ldb_dn_is_null: bool (struct ldb_dn *) >+ldb_dn_is_special: bool (struct ldb_dn *) >+ldb_dn_is_valid: bool (struct ldb_dn *) >+ldb_dn_map_local: struct ldb_dn 
*(struct ldb_module *, void *, struct ldb_dn *) >+ldb_dn_map_rebase_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) >+ldb_dn_map_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *) >+ldb_dn_minimise: bool (struct ldb_dn *) >+ldb_dn_new: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *) >+ldb_dn_new_fmt: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *, ...) >+ldb_dn_remove_base_components: bool (struct ldb_dn *, unsigned int) >+ldb_dn_remove_child_components: bool (struct ldb_dn *, unsigned int) >+ldb_dn_remove_extended_components: void (struct ldb_dn *) >+ldb_dn_replace_components: bool (struct ldb_dn *, struct ldb_dn *) >+ldb_dn_set_component: int (struct ldb_dn *, int, const char *, const struct ldb_val) >+ldb_dn_set_extended_component: int (struct ldb_dn *, const char *, const struct ldb_val *) >+ldb_dn_update_components: int (struct ldb_dn *, const struct ldb_dn *) >+ldb_dn_validate: bool (struct ldb_dn *) >+ldb_dump_results: void (struct ldb_context *, struct ldb_result *, FILE *) >+ldb_error_at: int (struct ldb_context *, int, const char *, const char *, int) >+ldb_errstring: const char *(struct ldb_context *) >+ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) >+ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) >+ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) >+ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) >+ldb_get_create_perms: unsigned int (struct ldb_context *) >+ldb_get_default_basedn: struct ldb_dn *(struct ldb_context *) >+ldb_get_event_context: struct tevent_context *(struct ldb_context *) >+ldb_get_flags: unsigned int (struct ldb_context *) >+ldb_get_opaque: void *(struct ldb_context *, const char *) >+ldb_get_root_basedn: struct ldb_dn *(struct ldb_context *) >+ldb_get_schema_basedn: struct ldb_dn *(struct ldb_context *) >+ldb_global_init: int (void) 
>+ldb_handle_get_event_context: struct tevent_context *(struct ldb_handle *) >+ldb_handle_new: struct ldb_handle *(TALLOC_CTX *, struct ldb_context *) >+ldb_handle_use_global_event_context: void (struct ldb_handle *) >+ldb_handler_copy: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *) >+ldb_handler_fold: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *) >+ldb_init: struct ldb_context *(TALLOC_CTX *, struct tevent_context *) >+ldb_ldif_message_redacted_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *) >+ldb_ldif_message_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *) >+ldb_ldif_parse_modrdn: int (struct ldb_context *, const struct ldb_ldif *, TALLOC_CTX *, struct ldb_dn **, struct ldb_dn **, bool *, struct ldb_dn **, struct ldb_dn **) >+ldb_ldif_read: struct ldb_ldif *(struct ldb_context *, int (*)(void *), void *) >+ldb_ldif_read_file: struct ldb_ldif *(struct ldb_context *, FILE *) >+ldb_ldif_read_file_state: struct ldb_ldif *(struct ldb_context *, struct ldif_read_file_state *) >+ldb_ldif_read_free: void (struct ldb_context *, struct ldb_ldif *) >+ldb_ldif_read_string: struct ldb_ldif *(struct ldb_context *, const char **) >+ldb_ldif_write: int (struct ldb_context *, int (*)(void *, const char *, ...), void *, const struct ldb_ldif *) >+ldb_ldif_write_file: int (struct ldb_context *, FILE *, const struct ldb_ldif *) >+ldb_ldif_write_redacted_trace_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *) >+ldb_ldif_write_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *) >+ldb_load_modules: int (struct ldb_context *, const char **) >+ldb_map_add: int (struct ldb_module *, struct ldb_request *) >+ldb_map_delete: int (struct ldb_module *, struct ldb_request *) >+ldb_map_init: int (struct ldb_module *, const struct ldb_map_attribute *, const struct ldb_map_objectclass 
*, const char * const *, const char *, const char *) >+ldb_map_modify: int (struct ldb_module *, struct ldb_request *) >+ldb_map_rename: int (struct ldb_module *, struct ldb_request *) >+ldb_map_search: int (struct ldb_module *, struct ldb_request *) >+ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, enum ldb_scope, bool *) >+ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope) >+ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *) >+ldb_match_msg_objectclass: int (const struct ldb_message *, const char *) >+ldb_mod_register_control: int (struct ldb_module *, const char *) >+ldb_modify: int (struct ldb_context *, const struct ldb_message *) >+ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *) >+ldb_module_call_chain: char *(struct ldb_request *, TALLOC_CTX *) >+ldb_module_connect_backend: int (struct ldb_context *, const char *, const char **, struct ldb_module **) >+ldb_module_done: int (struct ldb_request *, struct ldb_control **, struct ldb_extended *, int) >+ldb_module_flags: uint32_t (struct ldb_context *) >+ldb_module_get_ctx: struct ldb_context *(struct ldb_module *) >+ldb_module_get_name: const char *(struct ldb_module *) >+ldb_module_get_ops: const struct ldb_module_ops *(struct ldb_module *) >+ldb_module_get_private: void *(struct ldb_module *) >+ldb_module_init_chain: int (struct ldb_context *, struct ldb_module *) >+ldb_module_load_list: int (struct ldb_context *, const char **, struct ldb_module *, struct ldb_module **) >+ldb_module_new: struct ldb_module *(TALLOC_CTX *, struct ldb_context *, const char *, const struct ldb_module_ops *) >+ldb_module_next: struct ldb_module *(struct ldb_module *) >+ldb_module_popt_options: struct poptOption **(struct ldb_context *) >+ldb_module_send_entry: int (struct 
ldb_request *, struct ldb_message *, struct ldb_control **) >+ldb_module_send_referral: int (struct ldb_request *, char *) >+ldb_module_set_next: void (struct ldb_module *, struct ldb_module *) >+ldb_module_set_private: void (struct ldb_module *, void *) >+ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type) >+ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *) >+ldb_modules_load: int (const char *, const char *) >+ldb_msg_add: int (struct ldb_message *, const struct ldb_message_element *, int) >+ldb_msg_add_empty: int (struct ldb_message *, const char *, int, struct ldb_message_element **) >+ldb_msg_add_fmt: int (struct ldb_message *, const char *, const char *, ...) >+ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *) >+ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *) >+ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *) >+ldb_msg_add_string: int (struct ldb_message *, const char *, const char *) >+ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **) >+ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *) >+ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *) >+ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) >+ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *) >+ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) >+ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *) >+ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **) >+ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *) >+ldb_msg_element_compare_name: int (struct 
ldb_message_element *, struct ldb_message_element *) >+ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *) >+ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int) >+ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *) >+ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double) >+ldb_msg_find_attr_as_int: int (const struct ldb_message *, const char *, int) >+ldb_msg_find_attr_as_int64: int64_t (const struct ldb_message *, const char *, int64_t) >+ldb_msg_find_attr_as_string: const char *(const struct ldb_message *, const char *, const char *) >+ldb_msg_find_attr_as_uint: unsigned int (const struct ldb_message *, const char *, unsigned int) >+ldb_msg_find_attr_as_uint64: uint64_t (const struct ldb_message *, const char *, uint64_t) >+ldb_msg_find_common_values: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message_element *, struct ldb_message_element *, uint32_t) >+ldb_msg_find_duplicate_val: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message_element *, struct ldb_val **, uint32_t) >+ldb_msg_find_element: struct ldb_message_element *(const struct ldb_message *, const char *) >+ldb_msg_find_ldb_val: const struct ldb_val *(const struct ldb_message *, const char *) >+ldb_msg_find_val: struct ldb_val *(const struct ldb_message_element *, struct ldb_val *) >+ldb_msg_new: struct ldb_message *(TALLOC_CTX *) >+ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **) >+ldb_msg_remove_attr: void (struct ldb_message *, const char *) >+ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *) >+ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *) >+ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *) >+ldb_msg_sort_elements: void (struct ldb_message *) 
>+ldb_next_del_trans: int (struct ldb_module *) >+ldb_next_end_trans: int (struct ldb_module *) >+ldb_next_init: int (struct ldb_module *) >+ldb_next_prepare_commit: int (struct ldb_module *) >+ldb_next_read_lock: int (struct ldb_module *) >+ldb_next_read_unlock: int (struct ldb_module *) >+ldb_next_remote_request: int (struct ldb_module *, struct ldb_request *) >+ldb_next_request: int (struct ldb_module *, struct ldb_request *) >+ldb_next_start_trans: int (struct ldb_module *) >+ldb_op_default_callback: int (struct ldb_request *, struct ldb_reply *) >+ldb_options_find: const char *(struct ldb_context *, const char **, const char *) >+ldb_pack_data: int (struct ldb_context *, const struct ldb_message *, struct ldb_val *) >+ldb_parse_control_from_string: struct ldb_control *(struct ldb_context *, TALLOC_CTX *, const char *) >+ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CTX *, const char **) >+ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *) >+ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *) >+ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *) >+ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *) >+ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t) >+ldb_register_backend: int (const char *, ldb_connect_fn, bool) >+ldb_register_extended_match_rule: int (struct ldb_context *, const struct ldb_extended_match_rule *) >+ldb_register_hook: int (ldb_hook_fn) >+ldb_register_module: int (const struct ldb_module_ops *) >+ldb_rename: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *) >+ldb_reply_add_control: int (struct ldb_reply *, const char *, bool, void *) >+ldb_reply_get_control: struct ldb_control *(struct ldb_reply *, const char *) >+ldb_req_get_custom_flags: uint32_t (struct ldb_request *) >+ldb_req_is_untrusted: bool (struct ldb_request *) 
>+ldb_req_location: const char *(struct ldb_request *) >+ldb_req_mark_trusted: void (struct ldb_request *) >+ldb_req_mark_untrusted: void (struct ldb_request *) >+ldb_req_set_custom_flags: void (struct ldb_request *, uint32_t) >+ldb_req_set_location: void (struct ldb_request *, const char *) >+ldb_request: int (struct ldb_context *, struct ldb_request *) >+ldb_request_add_control: int (struct ldb_request *, const char *, bool, void *) >+ldb_request_done: int (struct ldb_request *, int) >+ldb_request_get_control: struct ldb_control *(struct ldb_request *, const char *) >+ldb_request_get_status: int (struct ldb_request *) >+ldb_request_replace_control: int (struct ldb_request *, const char *, bool, void *) >+ldb_request_set_state: void (struct ldb_request *, int) >+ldb_reset_err_string: void (struct ldb_context *) >+ldb_save_controls: int (struct ldb_control *, struct ldb_request *, struct ldb_control ***) >+ldb_schema_attribute_add: int (struct ldb_context *, const char *, unsigned int, const char *) >+ldb_schema_attribute_add_with_syntax: int (struct ldb_context *, const char *, unsigned int, const struct ldb_schema_syntax *) >+ldb_schema_attribute_by_name: const struct ldb_schema_attribute *(struct ldb_context *, const char *) >+ldb_schema_attribute_fill_with_syntax: int (struct ldb_context *, TALLOC_CTX *, const char *, unsigned int, const struct ldb_schema_syntax *, struct ldb_schema_attribute *) >+ldb_schema_attribute_remove: void (struct ldb_context *, const char *) >+ldb_schema_attribute_remove_flagged: void (struct ldb_context *, unsigned int) >+ldb_schema_attribute_set_override_handler: void (struct ldb_context *, ldb_attribute_handler_override_fn_t, void *) >+ldb_schema_set_override_GUID_index: void (struct ldb_context *, const char *, const char *) >+ldb_schema_set_override_indexlist: void (struct ldb_context *, bool) >+ldb_search: int (struct ldb_context *, TALLOC_CTX *, struct ldb_result **, struct ldb_dn *, enum ldb_scope, const char * const *, const 
char *, ...) >+ldb_search_default_callback: int (struct ldb_request *, struct ldb_reply *) >+ldb_sequence_number: int (struct ldb_context *, enum ldb_sequence_type, uint64_t *) >+ldb_set_create_perms: void (struct ldb_context *, unsigned int) >+ldb_set_debug: int (struct ldb_context *, void (*)(void *, enum ldb_debug_level, const char *, va_list), void *) >+ldb_set_debug_stderr: int (struct ldb_context *) >+ldb_set_default_dns: void (struct ldb_context *) >+ldb_set_errstring: void (struct ldb_context *, const char *) >+ldb_set_event_context: void (struct ldb_context *, struct tevent_context *) >+ldb_set_flags: void (struct ldb_context *, unsigned int) >+ldb_set_modules_dir: void (struct ldb_context *, const char *) >+ldb_set_opaque: int (struct ldb_context *, const char *, void *) >+ldb_set_require_private_event_context: void (struct ldb_context *) >+ldb_set_timeout: int (struct ldb_context *, struct ldb_request *, int) >+ldb_set_timeout_from_prev_req: int (struct ldb_context *, struct ldb_request *, struct ldb_request *) >+ldb_set_utf8_default: void (struct ldb_context *) >+ldb_set_utf8_fns: void (struct ldb_context *, void *, char *(*)(void *, void *, const char *, size_t)) >+ldb_setup_wellknown_attributes: int (struct ldb_context *) >+ldb_should_b64_encode: int (struct ldb_context *, const struct ldb_val *) >+ldb_standard_syntax_by_name: const struct ldb_schema_syntax *(struct ldb_context *, const char *) >+ldb_strerror: const char *(int) >+ldb_string_to_time: time_t (const char *) >+ldb_string_utc_to_time: time_t (const char *) >+ldb_timestring: char *(TALLOC_CTX *, time_t) >+ldb_timestring_utc: char *(TALLOC_CTX *, time_t) >+ldb_transaction_cancel: int (struct ldb_context *) >+ldb_transaction_cancel_noerr: int (struct ldb_context *) >+ldb_transaction_commit: int (struct ldb_context *) >+ldb_transaction_prepare_commit: int (struct ldb_context *) >+ldb_transaction_start: int (struct ldb_context *) >+ldb_unpack_data: int (struct ldb_context *, const struct 
ldb_val *, struct ldb_message *) >+ldb_unpack_data_only_attr_list: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, const char * const *, unsigned int, unsigned int *) >+ldb_unpack_data_only_attr_list_flags: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, const char * const *, unsigned int, unsigned int, unsigned int *) >+ldb_val_dup: struct ldb_val (TALLOC_CTX *, const struct ldb_val *) >+ldb_val_equal_exact: int (const struct ldb_val *, const struct ldb_val *) >+ldb_val_map_local: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *) >+ldb_val_map_remote: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *) >+ldb_val_string_cmp: int (const struct ldb_val *, const char *) >+ldb_val_to_time: int (const struct ldb_val *, time_t *) >+ldb_valid_attr_name: int (const char *) >+ldb_vdebug: void (struct ldb_context *, enum ldb_debug_level, const char *, va_list) >+ldb_wait: int (struct ldb_handle *, enum ldb_wait_type) >diff --git a/lib/ldb/ABI/pyldb-util-1.4.2.sigs b/lib/ldb/ABI/pyldb-util-1.4.2.sigs >new file mode 100644 >index 00000000000..74d6719d2bc >--- /dev/null >+++ b/lib/ldb/ABI/pyldb-util-1.4.2.sigs >@@ -0,0 +1,2 @@ >+pyldb_Dn_FromDn: PyObject *(struct ldb_dn *) >+pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **) >diff --git a/lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs b/lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs >new file mode 100644 >index 00000000000..74d6719d2bc >--- /dev/null >+++ b/lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs >@@ -0,0 +1,2 @@ >+pyldb_Dn_FromDn: PyObject *(struct ldb_dn *) >+pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **) >diff --git a/lib/ldb/wscript b/lib/ldb/wscript >index 35b40eddce6..c9c9663d987 100644 >--- a/lib/ldb/wscript >+++ b/lib/ldb/wscript 
>@@ -1,7 +1,7 @@
> #!/usr/bin/env python
> 
> APPNAME = 'ldb'
>-VERSION = '1.4.1'
>+VERSION = '1.4.2'
> 
> blddir = 'bin'
> 
>--
>2.11.0
>
>
>From 0e54eb796654cead8d672c6591bd821b36917145 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 2 Jul 2018 16:49:37 +1200
>Subject: [PATCH 4/7] dns_server: Be strict when constructing a LDB DN from an
> untrusted DNS name
>
>This changes our DNS server to be much more careful when constructing DNS names
>into LDB DN values.
>
>This avoids a segfault deep in the LDB code if the ldb_dn_get_casefold() fails there.
>
>A seperate patch will address that part of the issue, and a later patch
>will re-work this code to use single API: ldb_dn_add_child_val(). This
>is not squahed with this work because this patch does not rely on a new
>LDB release, and so may be helpful for a backport.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> source4/dns_server/dnsserver_common.c | 59 +++++++++++++++++++++++++++++++++--
> 1 file changed, 56 insertions(+), 3 deletions(-)
>
>diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c
>index 6c7ab802575..ec3b917be80 100644
>--- a/source4/dns_server/dnsserver_common.c
>+++ b/source4/dns_server/dnsserver_common.c
>@@ -915,7 +915,11 @@ WERROR dns_common_name2dn(struct ldb_context *samdb,
> struct ldb_dn *dn;
> const struct dns_server_zone *z;
> size_t host_part_len = 0;
>+ struct ldb_val host_part;
> WERROR werr;
>+ bool ok;
>+ int ret;
>+ const char *casefold = NULL;
> 
> if (name == NULL) {
> return DNS_ERR(FORMAT_ERROR);
>@@ -924,7 +928,13 @@ WERROR dns_common_name2dn(struct ldb_context *samdb,
> if (strcmp(name, "") == 0) {
> base = ldb_get_default_basedn(samdb);
> dn = ldb_dn_copy(mem_ctx, base);
>- ldb_dn_add_child_fmt(dn, "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System");
>+ ok = ldb_dn_add_child_fmt(dn,
>+ "DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System");
>+ if (ok == false) {
>+ TALLOC_FREE(dn);
>+ return WERR_NOT_ENOUGH_MEMORY;
>+ }
>+
> *_dn = dn;
> return WERR_OK;
> }
>@@ -950,13 +960,56 @@ WERROR dns_common_name2dn(struct ldb_context *samdb,
> 
> if (host_part_len == 0) {
> dn = ldb_dn_copy(mem_ctx, z->dn);
>- ldb_dn_add_child_fmt(dn, "DC=@");
>+ ok = ldb_dn_add_child_fmt(dn, "DC=@");
>+ if (! ok) {
>+ TALLOC_FREE(dn);
>+ return WERR_NOT_ENOUGH_MEMORY;
>+ }
> *_dn = dn;
> return WERR_OK;
> }
> 
> dn = ldb_dn_copy(mem_ctx, z->dn);
>- ldb_dn_add_child_fmt(dn, "DC=%*.*s", (int)host_part_len, (int)host_part_len, name);
>+ if (dn == NULL) {
>+ TALLOC_FREE(dn);
>+ return WERR_NOT_ENOUGH_MEMORY;
>+ }
>+
>+ ok = ldb_dn_add_child_fmt(dn, "DC=X");
>+
>+ if (ok == false) {
>+ TALLOC_FREE(dn);
>+ return WERR_NOT_ENOUGH_MEMORY;
>+ }
>+
>+ host_part = data_blob_const(name, host_part_len);
>+
>+ ret = ldb_dn_set_component(dn, 0, "DC", host_part);
>+ if (ret != LDB_SUCCESS) {
>+ TALLOC_FREE(dn);
>+ return WERR_NOT_ENOUGH_MEMORY;
>+ }
>+
>+ /*
>+ * Check the new DN here for validity, so as to catch errors
>+ * early
>+ */
>+ ok = ldb_dn_validate(dn);
>+ if (ok == false) {
>+ TALLOC_FREE(dn);
>+ return DNS_ERR(NAME_ERROR);
>+ }
>+
>+ /*
>+ * The value from this check is saved in the DN, and doing
>+ * this here allows an easy return here.
>+ */
>+ casefold = ldb_dn_get_casefold(dn);
>+ if (casefold == NULL) {
>+ TALLOC_FREE(dn);
>+ return DNS_ERR(NAME_ERROR);
>+ }
>+
> *_dn = dn;
> return WERR_OK;
> }
>--
>2.11.0
>
>
>From 1e67a5d0cf8f8a8cbb1f5a6e4acf26dc166cfd03 Mon Sep 17 00:00:00 2001
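Review bot: `dn = ldb_dn_copy(mem_ctx, base)` is still not checked for NULL before it is handed to `ldb_dn_add_child_fmt`, while the third hunk of this same patch adds exactly that check after its own `ldb_dn_copy`. Whether the omission is harmful depends on `ldb_dn_add_child_fmt` rejecting a NULL dn (its body is outside the patch; the `ldb_dn_add_child_val` added in patch 6 does), and even then an allocation failure in the copy is only reported because a later call happens to fail. An explicit `if (dn == NULL) { return WERR_NOT_ENOUGH_MEMORY; }` after the copy here, and in the `host_part_len == 0` branch of the next hunk, keeps the three paths of this function consistent. dns_common_name2dn's body begins outside the hunk.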
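Review bot: In the `if (dn == NULL)` branch the `TALLOC_FREE(dn);` acts on a pointer already known to be NULL and can simply be dropped. Every `ldb_dn_set_component` failure is reported as `WERR_NOT_ENOUGH_MEMORY`; if that call can also reject the value itself (its body is not in the patch), a malformed host part is reported to the client as an allocation failure, whereas the `ldb_dn_validate` and `ldb_dn_get_casefold` checks a few lines below map the same class of problem to `DNS_ERR(NAME_ERROR)`, and patch 7's switch to `ldb_dn_add_child_val` carries the same mapping forward. The comment `The value from this check is saved in the DN, and doing this here allows an easy return here.` is hard to follow; something like `/* ldb_dn_get_casefold() stores its result in the DN, so forcing the full parse here lets a bad name fail with NAME_ERROR now instead of inside the later search */` states why the call is made. The function starts outside the hunk.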
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Thu, 5 Jul 2018 15:27:35 +1200
>Subject: [PATCH 5/7] selftest: Remove knownfail now ldb 1.4.1 is released with
> CVE-2018-1140 fixed
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> selftest/knownfail.d/dns | 3 ---
> 1 file changed, 3 deletions(-)
>
>diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
>index 140ded24fa0..cb3003240ea 100644
>--- a/selftest/knownfail.d/dns
>+++ b/selftest/knownfail.d/dns
>@@ -45,6 +45,3 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\)
> 
> # The SOA override should not pass against the RODC, it must not overstamp
> samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\)
>-
>-# This still needs to be fixed in LDB
>-samba.tests.dns_invalid.__main__.TestBrokenQueries.test_invalid_chars_in_name\(ad_dc:local\)
>--
>2.11.0
>
>
>From 38b9f1ed03d92b900f38faac19a4254f1eb39bbb Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 3 Jul 2018 15:16:56 +1200
>Subject: [PATCH 6/7] ldb: Add new function ldb_dn_add_child_val()
>
>This is safer for untrusted input than ldb_dn_add_child_fmt()
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> lib/ldb/common/ldb_dn.c | 35 +++++++++++++
> lib/ldb/include/ldb.h | 3 ++
> lib/ldb/tests/test_ldb_dn.c | 117 ++++++++++++++++++++++++++++++++++++++++++++
> lib/ldb/wscript | 6 +++
> 4 files changed, 161 insertions(+)
> create mode 100644 lib/ldb/tests/test_ldb_dn.c
>
>diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
>index dfeb600f56f..3bd655adbd5 100644
>--- a/lib/ldb/common/ldb_dn.c
>+++ b/lib/ldb/common/ldb_dn.c
>@@ -1605,6 +1605,41 @@ bool ldb_dn_add_child_fmt(struct ldb_dn *dn, const char *child_fmt, ...)
> return ret;
> }
> 
>+/* modify the given dn by adding a single child element.
>+ *
>+ * return true if successful and false if not
>+ * if false is returned the dn may be marked invalid
>+ */
>+bool ldb_dn_add_child_val(struct ldb_dn *dn,
>+ const char *rdn,
>+ struct ldb_val value)
>+{
>+ bool ret;
>+ int ldb_ret;
>+ struct ldb_dn *child = NULL;
>+
>+ if ( !dn || dn->invalid) {
>+ return false;
>+ }
>+
>+ child = ldb_dn_new(dn, dn->ldb, "X=Y");
>+ ret = ldb_dn_add_child(dn, child);
>+
>+ if (ret == false) {
>+ return false;
>+ }
>+
>+ ldb_ret = ldb_dn_set_component(dn,
>+ 0,
>+ rdn,
>+ value);
>+ if (ldb_ret != LDB_SUCCESS) {
>+ return false;
>+ }
>+
>+ return true;
>+}
>+
> bool ldb_dn_remove_base_components(struct ldb_dn *dn, unsigned int num)
> {
> unsigned int i;
>diff --git a/lib/ldb/include/ldb.h b/lib/ldb/include/ldb.h
>index 9918b4e69d9..81bee934da5 100644
>--- a/lib/ldb/include/ldb.h
>+++ b/lib/ldb/include/ldb.h
>@@ -1882,6 +1882,9 @@ bool ldb_dn_add_child(struct ldb_dn *dn, struct ldb_dn *child);
> bool ldb_dn_add_child_fmt(struct ldb_dn *dn, const char *child_fmt, ...) PRINTF_ATTRIBUTE(2,3);
> bool ldb_dn_remove_base_components(struct ldb_dn *dn, unsigned int num);
> bool ldb_dn_remove_child_components(struct ldb_dn *dn, unsigned int num);
>+bool ldb_dn_add_child_val(struct ldb_dn *dn,
>+ const char *rdn,
>+ struct ldb_val value);
> 
> struct ldb_dn *ldb_dn_copy(TALLOC_CTX *mem_ctx, struct ldb_dn *dn);
> struct ldb_dn *ldb_dn_get_parent(TALLOC_CTX *mem_ctx, struct ldb_dn *dn);
>diff --git a/lib/ldb/tests/test_ldb_dn.c b/lib/ldb/tests/test_ldb_dn.c
>new file mode 100644
>index 00000000000..4965dcef575
>--- /dev/null
>+++ b/lib/ldb/tests/test_ldb_dn.c
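Review bot: `child` is allocated with `dn` as its talloc parent and never freed, so every successful call leaves a temporary `X=Y` DN alive for as long as `dn` exists; if `ldb_dn_add_child` copies the child's components (its body is outside the hunk, so this is an assumption), a `talloc_free(child)` right after the call avoids that per-call growth, which matters because the DNS paths in patch 7 call this once per query. The `ldb_dn_new` result is also not checked; whether `ldb_dn_add_child` tolerates a NULL child is not visible here, so an explicit check costs little. The header comment could also state the property the new tests rely on, that `value` is stored as raw bytes and escaped rather than parsed, e.g. `* value is stored verbatim (escaped when linearized), so DN separators in it cannot create extra components`.
```c
	child = ldb_dn_new(dn, dn->ldb, "X=Y");
	if (child == NULL) {
		return false;
	}
	ret = ldb_dn_add_child(dn, child);
	talloc_free(child);
	/* … unchanged: ret check, ldb_dn_set_component of component 0, return … */
```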
>@@ -0,0 +1,117 @@
>+/*
>+ * Unix SMB/CIFS implementation.
>+ *
>+ * Copyright (C) 2018 Andreas Schneider <asn@samba.org>
>+ *
>+ * This program is free software; you can redistribute it and/or modify
>+ * it under the terms of the GNU General Public License as published by
>+ * the Free Software Foundation; either version 3 of the License, or
>+ * (at your option) any later version.
>+ *
>+ * This program is distributed in the hope that it will be useful,
>+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+ * GNU General Public License for more details.
>+ *
>+ * You should have received a copy of the GNU General Public License
>+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
>+ */
>+
>+#include <stdarg.h>
>+#include <stddef.h>
>+#include <setjmp.h>
>+#include <cmocka.h>
>+
>+#include <ldb.h>
>+
>+static void test_ldb_dn_add_child_fmt(void **state)
>+{
>+ struct ldb_context *ldb = ldb_init(NULL, NULL);
>+
>+ struct ldb_dn *dn = ldb_dn_new(ldb, ldb, "dc=samba,dc=org");
>+
>+ assert_true(ldb_dn_add_child_fmt(dn,
>+ "DC=X"));
>+
>+ assert_string_equal("DC=X,dc=samba,dc=org",
>+ ldb_dn_get_linearized(dn));
>+
>+ assert_string_equal("DC=X,DC=SAMBA,DC=ORG",
>+ ldb_dn_get_casefold(dn));
>+
>+}
>+
>+static void test_ldb_dn_add_child_fmt2(void **state)
>+{
>+ struct ldb_context *ldb = ldb_init(NULL, NULL);
>+
>+ struct ldb_dn *dn = ldb_dn_new(ldb, ldb, "dc=samba,dc=org");
>+
>+ assert_true(ldb_dn_add_child_fmt(dn,
>+ "DC=X,DC=Y"));
>+
>+ assert_string_equal("DC=X,DC=Y,dc=samba,dc=org",
>+ ldb_dn_get_linearized(dn));
>+
>+ assert_string_equal("DC=X,DC=Y,DC=SAMBA,DC=ORG",
>+ ldb_dn_get_casefold(dn));
>+
>+ assert_int_equal(4,
>+ ldb_dn_get_comp_num(dn));
>+
>+}
>+
>+static void test_ldb_dn_add_child_val(void **state)
>+{
>+ struct ldb_context *ldb = ldb_init(NULL, NULL);
>+
>+ struct ldb_dn *dn = ldb_dn_new(ldb, ldb, "dc=samba,dc=org");
>+ struct ldb_val name = {.data
= discard_const("X"),
>+ .length = 1
>+ };
>+
>+ assert_true(ldb_dn_add_child_val(dn,
>+ "DC", name));
>+
>+ assert_string_equal("DC=X,dc=samba,dc=org",
>+ ldb_dn_get_linearized(dn));
>+
>+ assert_string_equal("DC=X,DC=SAMBA,DC=ORG",
>+ ldb_dn_get_casefold(dn));
>+
>+}
>+
>+static void test_ldb_dn_add_child_val2(void **state)
>+{
>+ struct ldb_context *ldb = ldb_init(NULL, NULL);
>+
>+ struct ldb_dn *dn = ldb_dn_new(ldb, ldb, "dc=samba,dc=org");
>+
>+ struct ldb_val name = {.data = discard_const("X,DC=Y"),
>+ .length = 6
>+ };
>+
>+ assert_true(ldb_dn_add_child_val(dn,
>+ "DC", name));
>+
>+ assert_string_equal("DC=X\\,DC\\3DY,dc=samba,dc=org",
>+ ldb_dn_get_linearized(dn));
>+
>+ assert_string_equal("DC=X\\,DC\\3DY,DC=SAMBA,DC=ORG",
>+ ldb_dn_get_casefold(dn));
>+
>+ assert_int_equal(3,
>+ ldb_dn_get_comp_num(dn));
>+
>+}
>+
>+int main(void) {
>+ const struct CMUnitTest tests[] = {
>+ cmocka_unit_test(test_ldb_dn_add_child_fmt),
>+ cmocka_unit_test(test_ldb_dn_add_child_fmt2),
>+ cmocka_unit_test(test_ldb_dn_add_child_val),
>+ cmocka_unit_test(test_ldb_dn_add_child_val2),
>+ };
>+
>+ return cmocka_run_group_tests(tests, NULL, NULL);
>+}
>diff --git a/lib/ldb/wscript b/lib/ldb/wscript
>index c9c9663d987..001981c7356 100644
>--- a/lib/ldb/wscript
>+++ b/lib/ldb/wscript
>@@ -488,6 +488,11 @@ def build(bld):
> deps='cmocka ldb',
> install=False)
> 
>+ bld.SAMBA_BINARY('test_ldb_dn',
>+ source='tests/test_ldb_dn.c',
>+ deps='cmocka ldb',
>+ install=False)
>+
> if bld.CONFIG_SET('HAVE_LMDB'):
> bld.SAMBA_BINARY('ldb_mdb_mod_op_test',
> source='tests/ldb_mod_op_test.c',
>@@ -544,6 +549,7 @@ def test(ctx):
> 
> cmocka_ret = 0
> test_exes = ['test_ldb_qsort',
>+ 'test_ldb_dn',
> 'ldb_msg_test',
> 'ldb_tdb_mod_op_test',
> 'ldb_tdb_guid_mod_op_test',
>--
>2.11.0
>
>
>From 0d1705741d4d67153657872c488d7542c11b694f Mon Sep 17 00:00:00 2001
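Review bot: None of the four tests releases the `ldb` context obtained from `ldb_init(NULL, NULL)`, so each one leaks it together with the DN allocated under it; a `talloc_free(ldb);` before each closing brace keeps the new binary clean under leak checking. The suite also has no negative case for the new function, for example `assert_false(ldb_dn_add_child_val(NULL, "DC", name));`, even though the early `!dn || dn->invalid` return is one of the things patch 6 adds, and the escaping shown by `test_ldb_dn_add_child_val2` is the security property of the series and deserves a one-line comment saying so. `state` is unused in every test; a `(void)state;` in each body keeps `-Wunused-parameter` quiet.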
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 3 Jul 2018 15:18:25 +1200
>Subject: [PATCH 7/7] dns_server: Avoid ldb_dn_add_child_fmt() on untrusted
> input
>
>By using the new ldb_dn_add_child_val() we ensure that the user-controlled values are
>not parsed as DN seperators.
>
>Additionally, the casefold DN is obtained before the search to trigger
>a full parse of the DN before being handled to the LDB search.
>
>This is not normally required but is done here due to the nature
>of the untrusted input.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> source4/dns_server/dlz_bind9.c | 156 ++++++++++++++++++++++++++++++--
> source4/dns_server/dnsserver_common.c | 13 +--
> source4/rpc_server/dnsserver/dnsdb.c | 11 ++-
> source4/rpc_server/dnsserver/dnsutils.c | 14 ++-
> 4 files changed, 172 insertions(+), 22 deletions(-)
>
>diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
>index ac785f0d4f3..94f3110f9b8 100644
>--- a/source4/dns_server/dlz_bind9.c
>+++ b/source4/dns_server/dlz_bind9.c
>@@ -776,8 +776,11 @@ static isc_result_t b9_find_zone_dn(struct dlz_bind9_data *state, const char *zo
> int i;
> 
> for (i=0; zone_prefixes[i]; i++) {
>+ const char *casefold;
> struct ldb_dn *dn;
> struct ldb_result *res;
>+ struct ldb_val zone_name_val
>+ = data_blob_string_const(zone_name);
> 
> dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
> if (dn == NULL) {
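Review bot: `zone_name_val` is initialised from `zone_name` inside the `for` loop, so `data_blob_string_const` (which presumably measures the string) runs once per prefix although the value never changes; the `dlz_lookup_types` and `dlz_allnodes` hunks in this same file declare their `zone_name_val` above the loop, and this site should match them. Moving the two declaration lines above `for (i=0; zone_prefixes[i]; i++) {` is enough. The rest of b9_find_zone_dn's loop body is in the next hunk.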
>@@ -785,11 +788,40 @@ static isc_result_t b9_find_zone_dn(struct dlz_bind9_data *state, const char *zo
> return ISC_R_NOMEMORY;
> }
> 
>- if (!ldb_dn_add_child_fmt(dn, "DC=%s,%s", zone_name, zone_prefixes[i])) {
>+ /*
>+ * This dance ensures that it is not possible to put
>+ * (eg) an extra DC=x, into the DNS name being
>+ * queried
>+ */
>+
>+ if (!ldb_dn_add_child_fmt(dn,
>+ "DC=X,%s",
>+ zone_prefixes[i])) {
>+ talloc_free(tmp_ctx);
>+ return ISC_R_NOMEMORY;
>+ }
>+
>+ ret = ldb_dn_set_component(dn,
>+ 0,
>+ "DC",
>+ zone_name_val);
>+ if (ret != LDB_SUCCESS) {
> talloc_free(tmp_ctx);
> return ISC_R_NOMEMORY;
> }
> 
>+ /*
>+ * Check if this is a plausibly valid DN early
>+ * (time spent here will be saved during the
>+ * search due to an internal cache)
>+ */
>+ casefold = ldb_dn_get_casefold(dn);
>+
>+ if (casefold == NULL) {
>+ talloc_free(tmp_ctx);
>+ return ISC_R_NOTFOUND;
>+ }
>+
> ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, "objectClass=dnsZone");
> if (ret == LDB_SUCCESS) {
> if (zone_dn != NULL) {
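Review bot: This hunk builds the zone component with a `DC=X` placeholder plus `ldb_dn_set_component(dn, 0, ...)` even though the series introduces `ldb_dn_add_child_val` for exactly this purpose and the `dnsserver_db_create_zone` hunk already uses the two-step form; `ldb_dn_add_child_fmt(dn, "%s", zone_prefixes[i])` followed by `ldb_dn_add_child_val(dn, "DC", zone_name_val)` expresses the same DN without a positional index or the "dance" comment, and the same placeholder pattern recurs in the `dlz_lookup_types` and `dlz_allnodes` hunks below. Passing the prefix through `"%s"` rather than as the format string itself also keeps the `PRINTF_ATTRIBUTE(2,3)` on `ldb_dn_add_child_fmt` meaningful, even though `zone_prefixes` is not user input. The `casefold == NULL` path here frees `tmp_ctx` before returning `ISC_R_NOTFOUND`, which is the shape the other sites in this file should keep.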
>@@ -820,19 +852,42 @@ static isc_result_t b9_find_name_dn(struct dlz_bind9_data *state, const char *na
> isc_result_t result;
> result = b9_find_zone_dn(state, p, mem_ctx, dn);
> if (result == ISC_R_SUCCESS) {
>+ const char *casefold;
>+
> /* we found a zone, now extend the DN to get
> * the full DN
> */
> bool ret;
> if (p == name) {
> ret = ldb_dn_add_child_fmt(*dn, "DC=@");
>+ if (ret == false) {
>+ talloc_free(*dn);
>+ return ISC_R_NOMEMORY;
>+ }
> } else {
>- ret = ldb_dn_add_child_fmt(*dn, "DC=%.*s", (int)(p-name)-1, name);
>+ struct ldb_val name_val
>+ = data_blob_const(name,
>+ (int)(p-name)-1);
>+
>+ if (!ldb_dn_add_child_val(*dn,
>+ "DC",
>+ name_val)) {
>+ talloc_free(*dn);
>+ return ISC_R_NOMEMORY;
>+ }
> }
>- if (!ret) {
>- talloc_free(*dn);
>- return ISC_R_NOMEMORY;
>+
>+ /*
>+ * Check if this is a plausibly valid DN early
>+ * (time spent here will be saved during the
>+ * search due to an internal cache)
>+ */
>+ casefold = ldb_dn_get_casefold(*dn);
>+
>+ if (casefold == NULL) {
>+ return ISC_R_NOTFOUND;
> }
>+
> return ISC_R_SUCCESS;
> }
> p = strchr(p, '.');
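Review bot: The new `casefold == NULL` path returns `ISC_R_NOTFOUND` without freeing `*dn`, while both `ISC_R_NOMEMORY` exits in the same hunk do `talloc_free(*dn)`; unless the caller frees `*dn` on every failure (not visible here), the DN leaks on precisely the unparseable-name path this change hardens, and `*dn` is left pointing at a DN whose casefold failed. `talloc_free(*dn); return ISC_R_NOTFOUND;` mirrors the other exits. `bool ret` is now assigned only in the `p == name` branch and could move inside it. b9_find_name_dn starts outside the hunk.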
>@@ -874,19 +929,63 @@ static isc_result_t dlz_lookup_types(struct dlz_bind9_data *state,
> WERROR werr = WERR_DNS_ERROR_NAME_DOES_NOT_EXIST;
> struct dnsp_DnssrvRpcRecord *records = NULL;
> uint16_t num_records = 0, i;
>+ struct ldb_val zone_name_val
>+ = data_blob_string_const(zone);
>+ struct ldb_val name_val
>+ = data_blob_string_const(name);
> 
> for (i=0; zone_prefixes[i]; i++) {
>+ int ret;
>+ const char *casefold;
> dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
> if (dn == NULL) {
> talloc_free(tmp_ctx);
> return ISC_R_NOMEMORY;
> }
> 
>- if (!ldb_dn_add_child_fmt(dn, "DC=%s,DC=%s,%s", name, zone, zone_prefixes[i])) {
>+ /*
>+ * This dance ensures that it is not possible to put
>+ * (eg) an extra DC=x, into the DNS name being
>+ * queried
>+ */
>+
>+ if (!ldb_dn_add_child_fmt(dn,
>+ "DC=X,DC=X,%s",
>+ zone_prefixes[i])) {
>+ talloc_free(tmp_ctx);
>+ return ISC_R_NOMEMORY;
>+ }
>+
>+ ret = ldb_dn_set_component(dn,
>+ 1,
>+ "DC",
>+ zone_name_val);
>+ if (ret != LDB_SUCCESS) {
> talloc_free(tmp_ctx);
> return ISC_R_NOMEMORY;
> }
> 
>+ ret = ldb_dn_set_component(dn,
>+ 0,
>+ "DC",
>+ name_val);
>+ if (ret != LDB_SUCCESS) {
>+ talloc_free(tmp_ctx);
>+ return ISC_R_NOMEMORY;
>+ }
>+
>+ /*
>+ * Check if this is a plausibly valid DN early
>+ * (time spent here will be saved during the
>+ * search due to an internal cache)
>+ */
>+ casefold = ldb_dn_get_casefold(dn);
>+
>+ if (casefold == NULL) {
>+ talloc_free(tmp_ctx);
>+ return ISC_R_NOTFOUND;
>+ }
>+
> werr = dns_common_wildcard_lookup(state->samdb, tmp_ctx, dn,
> &records, &num_records);
> if (W_ERROR_IS_OK(werr)) {
>@@ -953,19 +1052,50 @@ _PUBLIC_ isc_result_t dlz_allnodes(const char *zone, void *dbdata,
> struct ldb_dn *dn;
> struct ldb_result *res;
> TALLOC_CTX *tmp_ctx = talloc_new(state);
>+ struct ldb_val zone_name_val = data_blob_string_const(zone);
> 
> for (i=0; zone_prefixes[i]; i++) {
>+ const char *casefold;
>+
> dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
> if (dn == NULL) {
> talloc_free(tmp_ctx);
> return ISC_R_NOMEMORY;
> }
> 
>- if (!ldb_dn_add_child_fmt(dn, "DC=%s,%s", zone, zone_prefixes[i])) {
>+ /*
>+ * This dance ensures that it is not possible to put
>+ * (eg) an extra DC=x, into the DNS name being
>+ * queried
>+ */
>+
>+ if (!ldb_dn_add_child_fmt(dn,
>+ "DC=X,%s",
>+ zone_prefixes[i])) {
>+ talloc_free(tmp_ctx);
>+ return ISC_R_NOMEMORY;
>+ }
>+
>+ ret = ldb_dn_set_component(dn,
>+ 0,
>+ "DC",
>+ zone_name_val);
>+ if (ret != LDB_SUCCESS) {
> talloc_free(tmp_ctx);
> return ISC_R_NOMEMORY;
> }
> 
>+ /*
>+ * Check if this is a plausibly valid DN early
>+ * (time spent here will be saved during the
>+ * search due to an internal cache)
>+ */
>+ casefold = ldb_dn_get_casefold(dn);
>+
>+ if (casefold == NULL) {
>+ return ISC_R_NOTFOUND;
>+ }
>+
> ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
> attrs, "objectClass=dnsNode");
> if (ret == LDB_SUCCESS) {
>@@ -1118,8 +1248,18 @@ static bool b9_has_soa(struct dlz_bind9_data *state, struct ldb_dn *dn, const ch
> WERROR werr;
> struct dnsp_DnssrvRpcRecord *records = NULL;
> uint16_t num_records = 0, i;
>+ struct ldb_val zone_name_val
>+ = data_blob_string_const(zone);
>+
>+ /*
>+ * This dance ensures that it is not possible to put
>+ * (eg) an extra DC=x, into the DNS name being
>+ * queried
>+ */
> 
>- if (!ldb_dn_add_child_fmt(dn, "DC=@,DC=%s", zone)) {
>+ if (!ldb_dn_add_child_val(dn,
>+ "DC",
>+ zone_name_val)) {
> talloc_free(tmp_ctx);
> return false;
> }
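Review bot: In the dlz_allnodes hunk the `casefold == NULL` branch returns `ISC_R_NOTFOUND` without `talloc_free(tmp_ctx)`, whereas every other early return in this loop, and the equivalent branch in the `b9_find_zone_dn` and `dlz_lookup_types` hunks, frees it first; `tmp_ctx` and the DN under it leak once per zone name that fails to casefold, which is input a remote DNS client controls. The branch should read `talloc_free(tmp_ctx); return ISC_R_NOTFOUND;`. The loop body continues past the end of the hunk.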
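Review bot: The replaced line in the b9_has_soa hunk appended two components, `DC=@` under `DC=<zone>`, but the new `ldb_dn_add_child_val(dn, "DC", zone_name_val)` appends only the zone component and no other hunk in this file adds the `DC=@` back; unless the code after the hunk now does so, whatever lookup follows is performed against the zone object instead of its `@` node and the function's SOA check would presumably stop matching. Adding `if (!ldb_dn_add_child_fmt(dn, "DC=@")) { talloc_free(tmp_ctx); return false; }` directly after the `ldb_dn_add_child_val` call restores the previous DN; the `@` literal contains nothing that needs escaping, which is worth a one-line comment at that call. The rest of b9_has_soa is outside the hunk.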
>diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c
>index ec3b917be80..e214a9f37ec 100644
>--- a/source4/dns_server/dnsserver_common.c
>+++ b/source4/dns_server/dnsserver_common.c
>@@ -918,7 +918,6 @@ WERROR dns_common_name2dn(struct ldb_context *samdb,
> struct ldb_val host_part;
> WERROR werr;
> bool ok;
>- int ret;
> const char *casefold = NULL;
> 
> if (name == NULL) {
>@@ -975,17 +974,11 @@ WERROR dns_common_name2dn(struct ldb_context *samdb,
> return WERR_NOT_ENOUGH_MEMORY;
> }
> 
>- ok = ldb_dn_add_child_fmt(dn, "DC=X");
>-
>- if (ok == false) {
>- TALLOC_FREE(dn);
>- return WERR_NOT_ENOUGH_MEMORY;
>- }
>-
> host_part = data_blob_const(name, host_part_len);
> 
>- ret = ldb_dn_set_component(dn, 0, "DC", host_part);
>- if (ret != LDB_SUCCESS) {
>+ ok = ldb_dn_add_child_val(dn, "DC", host_part);
>+
>+ if (ok == false) {
> TALLOC_FREE(dn);
> return WERR_NOT_ENOUGH_MEMORY;
> }
>diff --git a/source4/rpc_server/dnsserver/dnsdb.c b/source4/rpc_server/dnsserver/dnsdb.c
>index 81a2d2070a0..6ecc0b2a581 100644
>--- a/source4/rpc_server/dnsserver/dnsdb.c
>+++ b/source4/rpc_server/dnsserver/dnsdb.c
>@@ -365,6 +365,7 @@ WERROR dnsserver_db_add_empty_node(TALLOC_CTX *mem_ctx,
> struct ldb_result *res;
> struct ldb_dn *dn;
> char *encoded_name = ldb_binary_encode_string(mem_ctx, name);
>+ struct ldb_val name_val = data_blob_string_const(name);
> int ret;
> 
> ret = ldb_search(samdb, mem_ctx, &res, z->zone_dn, LDB_SCOPE_BASE, attrs,
>@@ -382,7 +383,7 @@ WERROR dnsserver_db_add_empty_node(TALLOC_CTX *mem_ctx,
> dn = ldb_dn_copy(mem_ctx, z->zone_dn);
> W_ERROR_HAVE_NO_MEMORY(dn);
> 
>- if (!ldb_dn_add_child_fmt(dn, "DC=%s", name)) {
>+ if (!ldb_dn_add_child_val(dn, "DC", name_val)) {
> return WERR_NOT_ENOUGH_MEMORY;
> }
> 
>@@ -886,6 +887,7 @@ WERROR dnsserver_db_create_zone(struct ldb_context *samdb,
> struct dnsp_DnssrvRpcRecord *dns_rec;
> struct dnsp_soa soa;
> char *tmpstr, *server_fqdn, *soa_email;
>+ struct ldb_val name_val = data_blob_string_const(zone->name);
> NTTIME t;
> 
> /* We only support primary zones for now */
>@@ -912,7 +914,12 @@ WERROR dnsserver_db_create_zone(struct ldb_context *samdb,
> dn = ldb_dn_copy(tmp_ctx, p->partition_dn);
> W_ERROR_HAVE_NO_MEMORY_AND_FREE(dn, tmp_ctx);
> 
>- if(!ldb_dn_add_child_fmt(dn, "DC=%s,CN=MicrosoftDNS", zone->name)) {
>+ if (!ldb_dn_add_child_fmt(dn, "CN=MicrosoftDNS")) {
>+ talloc_free(tmp_ctx);
>+ return WERR_NOT_ENOUGH_MEMORY;
>+ }
>+
>+ if (!ldb_dn_add_child_val(dn, "DC", name_val)) {
> talloc_free(tmp_ctx);
> return WERR_NOT_ENOUGH_MEMORY;
> }
>diff --git a/source4/rpc_server/dnsserver/dnsutils.c b/source4/rpc_server/dnsserver/dnsutils.c
>index 72b47f72b4f..ece8f02c4d0 100644
>--- a/source4/rpc_server/dnsserver/dnsutils.c
>+++ b/source4/rpc_server/dnsserver/dnsutils.c
>@@ -313,6 +313,8 @@ struct ldb_dn *dnsserver_name_to_dn(TALLOC_CTX *mem_ctx, struct dnsserver_zone *
> {
> struct ldb_dn *dn;
> bool ret;
>+ struct ldb_val name_val =
>+ data_blob_string_const(name);
> 
> dn = ldb_dn_copy(mem_ctx, z->zone_dn);
> if (dn == NULL) {
>@@ -320,9 +322,17 @@ struct ldb_dn *dnsserver_name_to_dn(TALLOC_CTX *mem_ctx, struct dnsserver_zone *
> }
> if (strcasecmp(name, z->name) == 0) {
> ret = ldb_dn_add_child_fmt(dn, "DC=@");
>- } else {
>- ret = ldb_dn_add_child_fmt(dn, "DC=%s", name);
>+ if (!ret) {
>+ talloc_free(dn);
>+ return NULL;
>+ }
>+ return dn;
> }
>+
>+ ret = ldb_dn_add_child_val(dn,
>+ "DC",
>+ name_val);
>+
> if (!ret) {
> talloc_free(dn);
> return NULL;
>--
>2.11.0
>