The Samba-Bugzilla – Attachment 15579 Details for
Bug 14138
CVE-2019-14861 [SECURITY] DNSServer RPC server crash
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for master (v3)
CVE-2019-14861-dnsserver-master.patch (text/plain), 5.34 KB, created by
Andrew Bartlett
on 2019-10-30 02:15:54 UTC
(
hide
)
Description:
patch for master (v3)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2019-10-30 02:15:54 UTC
Size:
5.34 KB
patch
obsolete
>From ff8a414f42225e4db7dc0393f9bccb3b2dda458b Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 21 Oct 2019 12:08:01 +1300 >Subject: [PATCH 1/2] CVE-2019-14861: s4-rpc_server/dnsserver: Remove > ldb_qsort() call from dnsserver_enumerate_records() > >The dns_name_compare() function attempts to prioritise @ and the searched domain to the top of the list >but if both are found, this breaks the rules of how a comparison function should work and so >breaks ldb_qsort() leading to a read of un-initialised memory. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138 >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 4 -- > source4/rpc_server/dnsserver/dnsdata.c | 68 ------------------------- > source4/rpc_server/dnsserver/dnsserver.h | 2 - > 3 files changed, 74 deletions(-) > >diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >index 993e5dc4e56..0f635060f1a 100644 >--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c >@@ -1799,10 +1799,6 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, > recs = talloc_zero(mem_ctx, struct DNS_RPC_RECORDS_ARRAY); > W_ERROR_HAVE_NO_MEMORY_AND_FREE(recs, tmp_ctx); > >- /* Sort the names, so that the first record is the parent record */ >- ldb_qsort(res->msgs, res->count, sizeof(struct ldb_message *), name, >- (ldb_qsort_cmp_fn_t)dns_name_compare); >- > /* Build a tree of name components from dns name */ > if (strcasecmp(name, z->name) == 0) { > tree = dns_build_tree(tmp_ctx, "@", res); >diff --git a/source4/rpc_server/dnsserver/dnsdata.c b/source4/rpc_server/dnsserver/dnsdata.c >index 2dc098a64a0..601f483e6b4 100644 >--- a/source4/rpc_server/dnsserver/dnsdata.c >+++ b/source4/rpc_server/dnsserver/dnsdata.c >@@ -1065,74 +1065,6 @@ WERROR dns_fill_records_array(TALLOC_CTX *mem_ctx, > } > > >-int dns_name_compare(const struct ldb_message **m1, const struct ldb_message **m2, >- char *search_name) >-{ >- const char *name1, *name2; >- const char *ptr1, *ptr2; >- >- name1 = ldb_msg_find_attr_as_string(*m1, "name", NULL); >- name2 = ldb_msg_find_attr_as_string(*m2, "name", NULL); >- if (name1 == NULL || name2 == NULL) { >- return 0; >- } >- >- /* '@' record and the search_name record gets preference */ >- if (name1[0] == '@') { >- return -1; >- } >- if (search_name && strcasecmp(name1, search_name) == 0) { >- return -1; >- } >- >- if (name2[0] == '@') { >- return 1; >- } >- if (search_name && strcasecmp(name2, search_name) == 0) { >- return 1; >- } >- >- /* Compare the last components of names. >- * If search_name is not NULL, compare the second last components of names */ >- ptr1 = strrchr(name1, '.'); >- if (ptr1 == NULL) { >- ptr1 = name1; >- } else { >- if (search_name && strcasecmp(ptr1+1, search_name) == 0) { >- ptr1--; >- while (ptr1 != name1) { >- ptr1--; >- if (*ptr1 == '.') { >- break; >- } >- } >- } >- if (*ptr1 == '.') { >- ptr1 = &ptr1[1]; >- } >- } >- >- ptr2 = strrchr(name2, '.'); >- if (ptr2 == NULL) { >- ptr2 = name2; >- } else { >- if (search_name && strcasecmp(ptr2+1, search_name) == 0) { >- ptr2--; >- while (ptr2 != name2) { >- ptr2--; >- if (*ptr2 == '.') { >- break; >- } >- } >- } >- if (*ptr2 == '.') { >- ptr2 = &ptr2[1]; >- } >- } >- >- return strcasecmp(ptr1, ptr2); >-} >- > bool dns_record_match(struct dnsp_DnssrvRpcRecord *rec1, struct dnsp_DnssrvRpcRecord *rec2) > { > bool status; >diff --git a/source4/rpc_server/dnsserver/dnsserver.h b/source4/rpc_server/dnsserver/dnsserver.h >index a8307ef836a..692f9ae2aef 100644 >--- a/source4/rpc_server/dnsserver/dnsserver.h >+++ b/source4/rpc_server/dnsserver/dnsserver.h >@@ -188,8 +188,6 @@ struct DNS_ADDR_ARRAY *dns_addr_array_copy(TALLOC_CTX *mem_ctx, struct DNS_ADDR_ > int dns_split_name_components(TALLOC_CTX *mem_ctx, const char *name, char ***components); > char *dns_split_node_name(TALLOC_CTX *mem_ctx, const char *node_name, const char *zone_name); > >-int dns_name_compare(const struct ldb_message **m1, const struct ldb_message **m2, >- char *search_name); > bool dns_record_match(struct dnsp_DnssrvRpcRecord *rec1, struct dnsp_DnssrvRpcRecord *rec2); > > void dnsp_to_dns_copy(TALLOC_CTX *mem_ctx, struct dnsp_DnssrvRpcRecord *dnsp, >-- >2.11.0 > > >From a7a95cfa5eea5d1a203819e381aec04cd4191533 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 21 Oct 2019 12:12:10 +1300 >Subject: [PATCH 2/2] CVE-2019-14861: s4-rpc_server: Remove special case for @ > in dns_build_tree() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138 >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/rpc_server/dnsserver/dnsdata.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > >diff --git a/source4/rpc_server/dnsserver/dnsdata.c b/source4/rpc_server/dnsserver/dnsdata.c >index 601f483e6b4..35103b2d517 100644 >--- a/source4/rpc_server/dnsserver/dnsdata.c >+++ b/source4/rpc_server/dnsserver/dnsdata.c >@@ -801,10 +801,11 @@ struct dns_tree *dns_build_tree(TALLOC_CTX *mem_ctx, const char *name, struct ld > goto failed; > } > >- if (strcmp(ptr, "@") == 0) { >- base->data = res->msgs[i]; >- continue; >- } else if (strcasecmp(ptr, name) == 0) { >+ /* >+ * This might be the sub-domain in the zone being >+ * requested, or @ for the root of the zone >+ */ >+ if (strcasecmp(ptr, name) == 0) { > base->data = res->msgs[i]; > continue; > } >-- >2.11.0 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 14138
:
15560
|
15574
|
15579
|
15580
|
15581
|
15582
|
15583
|
15584
|
15590
|
15591
|
15595
|
15596
|
15597
|
15598
|
15647
|
15649
|
15674