From a01490f0ced1ae8314efdf78871b935fef287700 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 25 Jun 2020 11:59:54 +1200
Subject: [PATCH 1/2] CVE-2020-14303 Ensure an empty packet will not DoS the NBT server

Signed-off-by: Andrew Bartlett
---
 python/samba/tests/dns_packet.py | 19 +++++++++++++++++++
 selftest/knownfail.d/empty-nbt | 1 +
 2 files changed, 20 insertions(+)
 create mode 100644 selftest/knownfail.d/empty-nbt

diff --git a/python/samba/tests/dns_packet.py b/python/samba/tests/dns_packet.py
index c4f843eb613..ae7bcb3ad8c 100644
--- a/python/samba/tests/dns_packet.py
+++ b/python/samba/tests/dns_packet.py
@@ -156,6 +156,19 @@ class TestDnsPacketBase(TestCase):
 rcode = self.decode_reply(data)['rcode']
 return expected_rcode == rcode
+ def _test_empty_packet(self):
+
+ packet = b""
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ s.sendto(packet, self.server)
+ s.close()
+
+ # It is reasonable not to reply to an empty packet
+ # but it is not reasonable to render the server
+ # unresponsive.
+ ok = self._known_good_query()
+ self.assertTrue(ok, f"the server is unresponsive")
+
 class TestDnsPackets(TestDnsPacketBase):
 server = (SERVER, 53)
@@ -174,6 +187,9 @@ class TestDnsPackets(TestDnsPacketBase):
 label = b'x.' * 31 + b'x'
 self._test_many_repeated_components(label, 127)
+ def test_empty_packet(self):
+ self._test_empty_packet()
+
 class TestNbtPackets(TestDnsPacketBase):
 server = (SERVER, 137)
@@ -209,3 +225,6 @@ class TestNbtPackets(TestDnsPacketBase):
 def test_127_half_dotty_components(self):
 label = b'x.' * 31 + b'x'
 self._test_many_repeated_components(label, 127)
+
+ def test_empty_packet(self):
+ self._test_empty_packet()
diff --git a/selftest/knownfail.d/empty-nbt b/selftest/knownfail.d/empty-nbt
new file mode 100644
index 00000000000..e4bcccab4e5
--- /dev/null
+++ b/selftest/knownfail.d/empty-nbt
@@ -0,0 +1 @@
+^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet
\ No newline at end of file
--
2.17.1
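Review bot: In `_test_empty_packet` the UDP socket is closed only on the success path, so an exception from `s.sendto()` leaks the descriptor for the rest of the test run; `with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:` followed by `s.sendto(packet, self.server)` closes it either way. The failure message `f"the server is unresponsive"` has no placeholders, so the `f` prefix is redundant; naming the target, e.g. `f"{self.server} is unresponsive after an empty packet"`, would tell the DNS and NBT runs apart in the log. Detection of the hang rests on `_known_good_query()` timing out rather than blocking, and that helper is defined outside this hunk, so its timeout is worth confirming. A docstring such as `"""Send a zero-length datagram, then check the server still answers (CVE-2020-14303)."""` would record why the test exists.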
From 71e3cfcdd518f11cfa9e6ead5e584a7edca59249 Mon Sep 17 00:00:00 2001
From: Gary Lockyer
Date: Wed, 24 Jun 2020 14:27:08 +1200
Subject: [PATCH 2/2] CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet

An empty UDP packet put the nbt server into a busy loop that consumes 100% of a cpu.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417
Signed-off-by: Gary Lockyer
---
 libcli/nbt/nbtsocket.c | 17 ++++++++++++++++-
 selftest/knownfail.d/empty-nbt | 1 -
 2 files changed, 16 insertions(+), 2 deletions(-)
 delete mode 100644 selftest/knownfail.d/empty-nbt

diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c
index 38a2192fbcd..4c6c20d4fe2 100644
--- a/libcli/nbt/nbtsocket.c
+++ b/libcli/nbt/nbtsocket.c
@@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
 return;
 }
+ /*
+ * Given a zero length, data_blob_talloc() returns the
+ * NULL blob {NULL, 0}.
+ *
+ * We only want to error return here on a real out of memory condition
+ * (i.e. dsize != 0, so the UDP packet has data, but the return of the
+ * allocation failed, so blob.data==NULL).
+ *
+ * Given an actual zero length UDP packet having blob.data == NULL
+ * isn't an out of memory error condition, that's the defined semantics
+ * of data_blob_talloc() when asked for zero bytes.
+ *
+ * We still need to continue to do the zero-length socket_recvfrom()
+ * read in order to clear the "read pending" condition on the socket.
+ */
 blob = data_blob_talloc(tmp_ctx, NULL, dsize);
- if (blob.data == NULL) {
+ if (blob.data == NULL && dsize != 0) {
 talloc_free(tmp_ctx);
 return;
 }
diff --git a/selftest/knownfail.d/empty-nbt b/selftest/knownfail.d/empty-nbt
deleted file mode 100644
index e4bcccab4e5..00000000000
--- a/selftest/knownfail.d/empty-nbt
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet
\ No newline at end of file
--
2.17.1
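Review bot: With the relaxed check a `{NULL, 0}` blob now flows into the rest of `nbt_name_socket_recv`, so the fix depends on every later use of `blob.data` tolerating NULL when the length is zero; those uses (the `socket_recvfrom()` read the comment refers to and whatever parses the packet afterwards) lie outside the hunk and should be confirmed. Once the zero-length read has cleared the pending condition there is nothing left to parse, so an explicit drop placed after that read, `if (dsize == 0) { talloc_free(tmp_ctx); return; }`, would keep empty datagrams out of the parser and state the intent in code rather than only in the comment. A low-level debug message on that path would also let operators see when empty packets arrive on the NBT port. The function body starts and ends outside the hunk.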