From 087f7be9788e8c8fae47da10664d0626f6dffb75 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 2 Dec 2019 11:20:31 +1300
Subject: [PATCH] librpc/idl/dnsserver.idl: Ensure DnsProperty id matches what is pulled from the stored buffer

There are two concerns here, assuming the attacker can place arbitrary values in a dnsProperty attribute over LDAP (e.g. is a DNS administrator).

This comes from the fact that id is used as the switch value at the C layer but at the NDR layer the wDataLength value is considered first.

One concern is that a pull/push round-trip could include server memory: The previous switch_is() behaviour could store the server memory back into the attribute. However this pattern of pull/push only happens in ndrdump and fuzzing tools, as dnsserver_db_do_reset_dword() operates only on the uint32/bitmap union arms, and fully initialises those.

The other is that a pull of the attacker-supplied value could cause the server to expose memory. This would be over the network via DNS or the RPC dnsserver protocols. However at all times the ndr_pull_struct_blob is passed zeroed memory.

The final concern (which fuzz_ndr_X found) is that in the ndr_size_dnsPropertyData() the union discriminant is only id. This has no impact as only zeroed memory is used so there will be a zero value in all scalars, including data->d_ns_servers.AddrArray. Therefore the server will not crash processing the attacker-supplied blob.

This was known as CVE-2019-14908 before being triaged back to a normal bug.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14206

Signed-off-by: Andrew Bartlett
---
 librpc/idl/dnsp.idl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/librpc/idl/dnsp.idl b/librpc/idl/dnsp.idl
index 1bbcaca6bfa..47a51d540cc 100644
--- a/librpc/idl/dnsp.idl
+++ b/librpc/idl/dnsp.idl
@@ -256,8 +256,8 @@ interface dnsp uint32 namelength; [value(0)] uint32 flag; [value(1)] uint32 version; - dns_property_id id; - [switch_is(wDataLength?id:DSPROPERTY_ZONE_EMPTY)] dnsPropertyData data; + [range(DSPROPERTY_ZONE_EMPTY, (r->wDataLength > 0 ? DSPROPERTY_ZONE_NODE_DBFLAGS : 0))] dns_property_id id; + [switch_is(id)] dnsPropertyData data; uint32 name; } dnsp_DnsProperty; } -- 2.17.1
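Review bot: the new `range()` on `id` depends on two things the hunk does not spell out and that deserve an IDL comment: the expression `r->wDataLength` reaches into the generated C code by the name PIDL gives the struct pointer, and the `wDataLength == 0` branch only admits `id` when the upper bound, the literal `0`, equals `DSPROPERTY_ZONE_EMPTY`, so the check silently rejects every value if that enum member is ever non-zero. The change is also stricter than the old line: `[switch_is(wDataLength?id:DSPROPERTY_ZONE_EMPTY)]` tolerated a stored blob with `wDataLength` 0 and a non-zero `id` by selecting the empty arm, whereas `[switch_is(id)]` behind the range now fails the pull with a range error, so the commit message should say whether such blobs occur in existing databases and what the caller does on that failure. Finally, the subject line names `librpc/idl/dnsserver.idl` while the diff touches `librpc/idl/dnsp.idl`.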