The Samba-Bugzilla – Attachment 16080 Details for
Bug 14417
CVE-2020-14303 [SECURITY] Endless loop from empty UDP packet sent to AD DC nbt_server
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.12 to fix this issue (with tests, on CVE-2020-10745!) (v4)
CVE-2020-14303-nbt-loop-4.12-04.patch (text/plain), 4.11 KB, created by
Andrew Bartlett
on 2020-06-25 00:31:52 UTC
(
hide
)
Description:
patch for 4.12 to fix this issue (with tests, on CVE-2020-10745!) (v4)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2020-06-25 00:31:52 UTC
Size:
4.11 KB
patch
obsolete
>From a01490f0ced1ae8314efdf78871b935fef287700 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 25 Jun 2020 11:59:54 +1200 >Subject: [PATCH 1/2] CVE-2020-14303 Ensure an empty packet will not DoS the > NBT server > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > python/samba/tests/dns_packet.py | 19 +++++++++++++++++++ > selftest/knownfail.d/empty-nbt | 1 + > 2 files changed, 20 insertions(+) > create mode 100644 selftest/knownfail.d/empty-nbt > >diff --git a/python/samba/tests/dns_packet.py b/python/samba/tests/dns_packet.py >index c4f843eb613..ae7bcb3ad8c 100644 >--- a/python/samba/tests/dns_packet.py >+++ b/python/samba/tests/dns_packet.py >@@ -156,6 +156,19 @@ class TestDnsPacketBase(TestCase): > rcode = self.decode_reply(data)['rcode'] > return expected_rcode == rcode > >+ def _test_empty_packet(self): >+ >+ packet = b"" >+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) >+ s.sendto(packet, self.server) >+ s.close() >+ >+ # It is reasonable not to reply to an empty packet >+ # but it is not reasonable to render the server >+ # unresponsive. >+ ok = self._known_good_query() >+ self.assertTrue(ok, f"the server is unresponsive") >+ > > class TestDnsPackets(TestDnsPacketBase): > server = (SERVER, 53) >@@ -174,6 +187,9 @@ class TestDnsPackets(TestDnsPacketBase): > label = b'x.' * 31 + b'x' > self._test_many_repeated_components(label, 127) > >+ def test_empty_packet(self): >+ self._test_empty_packet() >+ > > class TestNbtPackets(TestDnsPacketBase): > server = (SERVER, 137) >@@ -209,3 +225,6 @@ class TestNbtPackets(TestDnsPacketBase): > def test_127_half_dotty_components(self): > label = b'x.' * 31 + b'x' > self._test_many_repeated_components(label, 127) >+ >+ def test_empty_packet(self): >+ self._test_empty_packet() >diff --git a/selftest/knownfail.d/empty-nbt b/selftest/knownfail.d/empty-nbt >new file mode 100644 >index 00000000000..e4bcccab4e5 >--- /dev/null >+++ b/selftest/knownfail.d/empty-nbt >@@ -0,0 +1 @@ >+^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet >\ No newline at end of file >-- >2.17.1 > > >From 71e3cfcdd518f11cfa9e6ead5e584a7edca59249 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Wed, 24 Jun 2020 14:27:08 +1200 >Subject: [PATCH 2/2] CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet > >An empty UDP packet put the nbt server into a busy loop that consumes >100% of a cpu. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417 > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > libcli/nbt/nbtsocket.c | 17 ++++++++++++++++- > selftest/knownfail.d/empty-nbt | 1 - > 2 files changed, 16 insertions(+), 2 deletions(-) > delete mode 100644 selftest/knownfail.d/empty-nbt > >diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c >index 38a2192fbcd..4c6c20d4fe2 100644 >--- a/libcli/nbt/nbtsocket.c >+++ b/libcli/nbt/nbtsocket.c >@@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock) > return; > } > >+ /* >+ * Given a zero length, data_blob_talloc() returns the >+ * NULL blob {NULL, 0}. >+ * >+ * We only want to error return here on a real out of memory condition >+ * (i.e. dsize != 0, so the UDP packet has data, but the return of the >+ * allocation failed, so blob.data==NULL). >+ * >+ * Given an actual zero length UDP packet having blob.data == NULL >+ * isn't an out of memory error condition, that's the defined semantics >+ * of data_blob_talloc() when asked for zero bytes. >+ * >+ * We still need to continue to do the zero-length socket_recvfrom() >+ * read in order to clear the "read pending" condition on the socket. >+ */ > blob = data_blob_talloc(tmp_ctx, NULL, dsize); >- if (blob.data == NULL) { >+ if (blob.data == NULL && dsize != 0) { > talloc_free(tmp_ctx); > return; > } >diff --git a/selftest/knownfail.d/empty-nbt b/selftest/knownfail.d/empty-nbt >deleted file mode 100644 >index e4bcccab4e5..00000000000 >--- a/selftest/knownfail.d/empty-nbt >+++ /dev/null >@@ -1 +0,0 @@ >-^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet >\ No newline at end of file >-- >2.17.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
abartlet
:
review?
(
gary
)
gary
:
review+
abartlet
:
ci-passed+
Actions:
View
Attachments on
bug 14417
:
16070
|
16071
|
16072
|
16073
|
16075
|
16076
|
16077
|
16078
|
16079
| 16080 |
16081
|
16082
|
16083
|
16084
|
16085
|
16086
|
16087
|
16092