The Samba-Bugzilla – Attachment 15176 Details for
Bug 13922
CVE-2019-12435 [SECURITY] zone operations can crash rpc server
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for master
patch-for-master.txt (text/plain), 5.60 KB, created by
Douglas Bagnall
on 2019-05-22 01:34:54 UTC
(
hide
)
Description:
patch for master
Filename:
MIME Type:
Creator:
Douglas Bagnall
Created:
2019-05-22 01:34:54 UTC
Size:
5.60 KB
patch
obsolete
>From 72392c88a7ee8f15e9842553bc144e77dd30c1ec Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Wed, 22 May 2019 12:58:01 +1200 >Subject: [PATCH 1/2] rpc/dns: avoid NULL deference if zone not found in > DnssrvOperation > >We still want to return DOES_NOT_EXIST when request_filter is not 0. > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > python/samba/tests/dcerpc/dnsserver.py | 23 ++++++++++++++++++- > .../rpc_server/dnsserver/dcerpc_dnsserver.c | 2 +- > 2 files changed, 23 insertions(+), 2 deletions(-) > >diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py >index 8e485c540dd..3a267689e17 100644 >--- a/python/samba/tests/dcerpc/dnsserver.py >+++ b/python/samba/tests/dcerpc/dnsserver.py >@@ -28,7 +28,7 @@ from samba.dcerpc import dnsp, dnsserver, security > from samba.tests import RpcInterfaceTestCase, env_get_var_value > from samba.netcmd.dns import ARecord, AAAARecord, PTRRecord, CNameRecord, NSRecord, MXRecord, SRVRecord, TXTRecord > from samba import sd_utils, descriptor >- >+from samba import WERRORError, werror > > class DnsserverTests(RpcInterfaceTestCase): > >@@ -707,6 +707,27 @@ class DnsserverTests(RpcInterfaceTestCase): > 'ServerInfo') > self.assertEquals(dnsserver.DNSSRV_TYPEID_SERVER_INFO, typeid) > >+ >+ def test_operation_invalid(self): >+ non_zone = 'a-zone-that-does-not-exist' >+ typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM >+ name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM() >+ name_and_param.pszNodeName = 'AllowUpdate' >+ name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE >+ try: >+ res = self.conn.DnssrvOperation(self.server, >+ non_zone, >+ 1, >+ 'ResetDwordProperty', >+ typeid, >+ name_and_param) >+ except WERRORError as e: >+ if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST: >+ return >+ >+ # We should always encounter a DOES_NOT_EXIST error. >+ self.fail() >+ > def test_operation2(self): > client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN > rev_zone = '1.168.192.in-addr.arpa' >diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >index 841557814a0..4aa4150a698 100644 >--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >@@ -2018,7 +2018,7 @@ static WERROR dcesrv_DnssrvOperation(struct dcesrv_call_state *dce_call, TALLOC_ > &r->in.pData); > } else { > z = dnsserver_find_zone(dsstate->zones, r->in.pszZone); >- if (z == NULL && request_filter == 0) { >+ if (z == NULL) { > return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST; > } > >-- >2.17.1 > > >From b4b6c8ee8f63348a072b17d8ce98a7215e9167d2 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Wed, 22 May 2019 13:23:25 +1200 >Subject: [PATCH 2/2] rpc/dns: avoid NULL deference if zone not found in > DnssrvOperation2 > >We still want to return DOES_NOT_EXIST when request_filter is not 0. > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > python/samba/tests/dcerpc/dnsserver.py | 23 +++++++++++++++++++ > .../rpc_server/dnsserver/dcerpc_dnsserver.c | 2 +- > 2 files changed, 24 insertions(+), 1 deletion(-) > >diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py >index 3a267689e17..52c2122876b 100644 >--- a/python/samba/tests/dcerpc/dnsserver.py >+++ b/python/samba/tests/dcerpc/dnsserver.py >@@ -728,6 +728,29 @@ class DnsserverTests(RpcInterfaceTestCase): > # We should always encounter a DOES_NOT_EXIST error. > self.fail() > >+ def test_operation2_invalid(self): >+ client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN >+ non_zone = 'a-zone-that-does-not-exist' >+ typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM >+ name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM() >+ name_and_param.pszNodeName = 'AllowUpdate' >+ name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE >+ try: >+ res = self.conn.DnssrvOperation2(client_version, >+ 0, >+ self.server, >+ non_zone, >+ 1, >+ 'ResetDwordProperty', >+ typeid, >+ name_and_param) >+ except WERRORError as e: >+ if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST: >+ return >+ >+ # We should always encounter a DOES_NOT_EXIST error. >+ self.fail() >+ > def test_operation2(self): > client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN > rev_zone = '1.168.192.in-addr.arpa' >diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >index 4aa4150a698..f2e6146fe54 100644 >--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >@@ -2225,7 +2225,7 @@ static WERROR dcesrv_DnssrvOperation2(struct dcesrv_call_state *dce_call, TALLOC > &r->in.pData); > } else { > z = dnsserver_find_zone(dsstate->zones, r->in.pszZone); >- if (z == NULL && request_filter == 0) { >+ if (z == NULL) { > return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST; > } > >-- >2.17.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 13922
:
15168
|
15176
|
15200
|
15201
|
15208
|
15209
|
15210
|
15229
|
15232
|
15233
|
15234
|
15246