Attachment 15579 Details for Bug 14138 – patch for master (v3)

[patch] patch for master (v3)

CVE-2019-14861-dnsserver-master.patch (text/plain), 5.34 KB, created by Andrew Bartlett on 2019-10-30 02:15:54 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2019-10-30 02:15:54 UTC

Size: 5.34 KB

patch

obsolete

>From ff8a414f42225e4db7dc0393f9bccb3b2dda458b Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 21 Oct 2019 12:08:01 +1300
>Subject: [PATCH 1/2] CVE-2019-14861: s4-rpc_server/dnsserver: Remove
> ldb_qsort() call from dnsserver_enumerate_records()
>
>The dns_name_compare() function attempts to prioritise @ and the searched domain to the top of the list
>but if both are found, this breaks the rules of how a comparison function should work and so
>breaks ldb_qsort() leading to a read of un-initialised memory.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> source4/rpc_server/dnsserver/dcerpc_dnsserver.c |  4 --
> source4/rpc_server/dnsserver/dnsdata.c          | 68 -------------------------
> source4/rpc_server/dnsserver/dnsserver.h        |  2 -
> 3 files changed, 74 deletions(-)
>
>diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>index 993e5dc4e56..0f635060f1a 100644
>--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
>@@ -1799,10 +1799,6 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
> 	recs = talloc_zero(mem_ctx, struct DNS_RPC_RECORDS_ARRAY);
> 	W_ERROR_HAVE_NO_MEMORY_AND_FREE(recs, tmp_ctx);
> 
>-	/* Sort the names, so that the first record is the parent record */
>-	ldb_qsort(res->msgs, res->count, sizeof(struct ldb_message *), name,
>-			(ldb_qsort_cmp_fn_t)dns_name_compare);
>-
> 	/* Build a tree of name components from dns name */
> 	if (strcasecmp(name, z->name) == 0) {
> 		tree = dns_build_tree(tmp_ctx, "@", res);
>diff --git a/source4/rpc_server/dnsserver/dnsdata.c b/source4/rpc_server/dnsserver/dnsdata.c
>index 2dc098a64a0..601f483e6b4 100644
>--- a/source4/rpc_server/dnsserver/dnsdata.c
>+++ b/source4/rpc_server/dnsserver/dnsdata.c
>@@ -1065,74 +1065,6 @@ WERROR dns_fill_records_array(TALLOC_CTX *mem_ctx,
> }
> 
> 
>-int dns_name_compare(const struct ldb_message **m1, const struct ldb_message **m2,
>-				char *search_name)
>-{
>-	const char *name1, *name2;
>-	const char *ptr1, *ptr2;
>-
>-	name1 = ldb_msg_find_attr_as_string(*m1, "name", NULL);
>-	name2 = ldb_msg_find_attr_as_string(*m2, "name", NULL);
>-	if (name1 == NULL || name2 == NULL) {
>-		return 0;
>-	}
>-
>-	/* '@' record and the search_name record gets preference */
>-	if (name1[0] == '@') {
>-		return -1;
>-	}
>-	if (search_name && strcasecmp(name1, search_name) == 0) {
>-		return -1;
>-	}
>-
>-	if (name2[0] == '@') {
>-		return 1;
>-	}
>-	if (search_name && strcasecmp(name2, search_name) == 0) {
>-		return 1;
>-	}
>-
>-	/* Compare the last components of names.
>-	 * If search_name is not NULL, compare the second last components of names */
>-	ptr1 = strrchr(name1, '.');
>-	if (ptr1 == NULL) {
>-		ptr1 = name1;
>-	} else {
>-		if (search_name && strcasecmp(ptr1+1, search_name) == 0) {
>-			ptr1--;
>-			while (ptr1 != name1) {
>-				ptr1--;
>-				if (*ptr1 == '.') {
>-					break;
>-				}
>-			}
>-		}
>-		if (*ptr1 == '.') {
>-			ptr1 = &ptr1[1];
>-		}
>-	}
>-
>-	ptr2 = strrchr(name2, '.');
>-	if (ptr2 == NULL) {
>-		ptr2 = name2;
>-	} else {
>-		if (search_name && strcasecmp(ptr2+1, search_name) == 0) {
>-			ptr2--;
>-			while (ptr2 != name2) {
>-				ptr2--;
>-				if (*ptr2 == '.') {
>-					break;
>-				}
>-			}
>-		}
>-		if (*ptr2 == '.') {
>-			ptr2 = &ptr2[1];
>-		}
>-	}
>-
>-	return strcasecmp(ptr1, ptr2);
>-}
>-
> bool dns_record_match(struct dnsp_DnssrvRpcRecord *rec1, struct dnsp_DnssrvRpcRecord *rec2)
> {
> 	bool status;
>diff --git a/source4/rpc_server/dnsserver/dnsserver.h b/source4/rpc_server/dnsserver/dnsserver.h
>index a8307ef836a..692f9ae2aef 100644
>--- a/source4/rpc_server/dnsserver/dnsserver.h
>+++ b/source4/rpc_server/dnsserver/dnsserver.h
>@@ -188,8 +188,6 @@ struct DNS_ADDR_ARRAY *dns_addr_array_copy(TALLOC_CTX *mem_ctx, struct DNS_ADDR_
> int dns_split_name_components(TALLOC_CTX *mem_ctx, const char *name, char ***components);
> char *dns_split_node_name(TALLOC_CTX *mem_ctx, const char *node_name, const char *zone_name);
> 
>-int dns_name_compare(const struct ldb_message **m1, const struct ldb_message **m2,
>-			char *search_name);
> bool dns_record_match(struct dnsp_DnssrvRpcRecord *rec1, struct dnsp_DnssrvRpcRecord *rec2);
> 
> void dnsp_to_dns_copy(TALLOC_CTX *mem_ctx, struct dnsp_DnssrvRpcRecord *dnsp,
>-- 
>2.11.0
>
>
>From a7a95cfa5eea5d1a203819e381aec04cd4191533 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 21 Oct 2019 12:12:10 +1300
>Subject: [PATCH 2/2] CVE-2019-14861: s4-rpc_server: Remove special case for @
> in dns_build_tree()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> source4/rpc_server/dnsserver/dnsdata.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
>diff --git a/source4/rpc_server/dnsserver/dnsdata.c b/source4/rpc_server/dnsserver/dnsdata.c
>index 601f483e6b4..35103b2d517 100644
>--- a/source4/rpc_server/dnsserver/dnsdata.c
>+++ b/source4/rpc_server/dnsserver/dnsdata.c
>@@ -801,10 +801,11 @@ struct dns_tree *dns_build_tree(TALLOC_CTX *mem_ctx, const char *name, struct ld
> 			goto failed;
> 		}
> 
>-		if (strcmp(ptr, "@") == 0) {
>-			base->data = res->msgs[i];
>-			continue;
>-		} else if (strcasecmp(ptr, name) == 0) {
>+		/*
>+		 * This might be the sub-domain in the zone being
>+		 * requested, or @ for the root of the zone
>+		 */
>+		if (strcasecmp(ptr, name) == 0) {
> 			base->data = res->msgs[i];
> 			continue;
> 		}
>-- 
>2.11.0
>

Actions: View

Attachments on bug 14138: 15560 | 15574 | 15579 | 15580 | 15581 | 15582 | 15583 | 15584 | 15590 | 15591 | 15595 | 15596 | 15597 | 15598 | 15647 | 15649 | 15674