The Samba-Bugzilla – Attachment 16077 Details for
Bug 14417
CVE-2020-14303 [SECURITY] Endless loop from empty UDP packet sent to AD DC nbt_server
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for V4.11
CVE-2020-14303-V4-11.patch (text/plain), 1.55 KB, created by
Gary Lockyer
on 2020-06-24 22:34:03 UTC
(
hide
)
Description:
Patch for V4.11
Filename:
MIME Type:
Creator:
Gary Lockyer
Created:
2020-06-24 22:34:03 UTC
Size:
1.55 KB
patch
obsolete
>From a3d75d3f354b79481a2dc902d82ed0cb1cf0a20a Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Wed, 24 Jun 2020 14:27:08 +1200 >Subject: [PATCH] CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet > >An empty UDP packet put the nbt server into a busy loop that consumes >100% of a cpu. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417 > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > libcli/nbt/nbtsocket.c | 17 ++++++++++++++++- > 1 file changed, 16 insertions(+), 1 deletion(-) > >diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c >index 33d53fba993..8aecaf73247 100644 >--- a/libcli/nbt/nbtsocket.c >+++ b/libcli/nbt/nbtsocket.c >@@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock) > return; > } > >+ /* >+ * Given a zero length, data_blob_talloc() returns the >+ * NULL blob {NULL, 0}. >+ * >+ * We only want to error return here on a real out of memory condition >+ * (i.e. dsize != 0, so the UDP packet has data, but the return of the >+ * allocation failed, so blob.data==NULL). >+ * >+ * Given an actual zero length UDP packet having blob.data == NULL >+ * isn't an out of memory error condition, that's the defined semantics >+ * of data_blob_talloc() when asked for zero bytes. >+ * >+ * We still need to continue to do the zero-length socket_recvfrom() >+ * read in order to clear the "read pending" condition on the socket. >+ */ > blob = data_blob_talloc(tmp_ctx, NULL, dsize); >- if (blob.data == NULL) { >+ if (blob.data == NULL && dsize != 0) { > talloc_free(tmp_ctx); > return; > } >-- >2.17.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16077">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
abartlet
:
review+
gary
:
ci-passed+
Actions:
View
Attachments on
bug 14417
:
16070
|
16071
|
16072
|
16073
|
16075
|
16076
| 16077 |
16078
|
16079
|
16080
|
16081
|
16082
|
16083
|
16084
|
16085
|
16086
|
16087
|
16092