From 51894ab9e03fe2acccda023726ea1c749a6664e0 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 25 Jun 2020 11:59:54 +1200
Subject: [PATCH 1/2] CVE-2020-14303 Ensure an empty packet will not DoS the NBT server
Signed-off-by: Andrew Bartlett
(backported from master commit)
[abartlet@samba.org: Remove f"" format string not supported in Python 3.4]
[gary@catalyst.net.nz: - resolve merge conflicts - knownfail.d is not supported in 4.5 ]
---
python/samba/tests/dns_packet.py | 18 ++++++++++++++++++
selftest/knownfail | 2 ++
2 files changed, 20 insertions(+)
diff --git a/python/samba/tests/dns_packet.py b/python/samba/tests/dns_packet.py
index c8ff2f96926..bfd16e9ec25 100644
--- a/python/samba/tests/dns_packet.py
+++ b/python/samba/tests/dns_packet.py
@@ -156,6 +156,19 @@ class TestDnsPacketBase(TestCase):
 return expected_rcode == rcode
+ def _test_empty_packet(self):
+
+ packet = b""
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ s.sendto(packet, self.server)
+ s.close()
+
+ # It is reasonable not to reply to an empty packet
+ # but it is not reasonable to render the server
+ # unresponsive.
+ ok = self._known_good_query()
+ self.assertTrue(ok, "the server is unresponsive")
+
 class TestDnsPackets(TestDnsPacketBase):
 server = (SERVER, 53)
@@ -178,6 +191,9 @@ class TestDnsPackets(TestDnsPacketBase):
 ok = self._known_good_query()
 self.assertTrue(ok, "the server is unresponsive")
+ def test_empty_packet(self):
+ self._test_empty_packet()
+
 class TestNbtPackets(TestDnsPacketBase):
 server = (SERVER, 137)
 qtype = 0x20 # NBT_QTYPE_NETBIOS
@@ -217,3 +233,5 @@ class TestNbtPackets(TestDnsPacketBase):
 ok = self._known_good_query()
 self.assertTrue(ok, "the server is unresponsive")
+ def test_empty_packet(self):
+ self._test_empty_packet()
diff --git a/selftest/knownfail b/selftest/knownfail
index 56a2961b1ae..9bdce072537 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
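Review bot: `_test_empty_packet` in the first dns_packet.py hunk opens the UDP socket without a context manager, so if `sendto` raises the socket is never closed; `with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:` followed by `s.sendto(packet, self.server)` closes it on every path and is available on the Python 3.4 baseline the commit message mentions. The blank line directly after the `def` line is a style nit that the later `test_empty_packet` wrappers do not repeat. The "server survived" check rests entirely on `_known_good_query()`, which is defined outside the hunk, so its timeout behaviour is what decides whether a busy-looping server is reported as unresponsive rather than stalling the test run; a short comment on the `ok = self._known_good_query()` line saying that the helper is expected to time out rather than block would make that dependency visible. The enclosing class `TestDnsPacketBase` starts outside the hunk.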
@@ -294,3 +294,5 @@
 ^samba4.ldap.vlv.python.*test_vlv_paged
 ^samba4.asq.python.*asq_vlv_paged
+^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet
+^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_known_good
-- 
2.17.1
From 89a22f995046641159ad6155dbbd233cd224f081 Mon Sep 17 00:00:00 2001
From: Gary Lockyer
Date: Wed, 24 Jun 2020 14:27:08 +1200
Subject: [PATCH 2/2] CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
An empty UDP packet put the nbt server into a busy loop that consumes 100% of a cpu.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417
Signed-off-by: Gary Lockyer
---
libcli/nbt/nbtsocket.c | 17 ++++++++++++++++-
selftest/knownfail | 2 --
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c
index dacacae9f50..ee018229860 100644
--- a/libcli/nbt/nbtsocket.c
+++ b/libcli/nbt/nbtsocket.c
@@ -170,8 +170,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
 return;
 }
+ /*
+ * Given a zero length, data_blob_talloc() returns the
+ * NULL blob {NULL, 0}.
+ *
+ * We only want to error return here on a real out of memory condition
+ * (i.e. dsize != 0, so the UDP packet has data, but the return of the
+ * allocation failed, so blob.data==NULL).
+ *
+ * Given an actual zero length UDP packet having blob.data == NULL
+ * isn't an out of memory error condition, that's the defined semantics
+ * of data_blob_talloc() when asked for zero bytes.
+ *
+ * We still need to continue to do the zero-length socket_recvfrom()
+ * read in order to clear the "read pending" condition on the socket.
+ */
 blob = data_blob_talloc(tmp_ctx, NULL, dsize);
- if (blob.data == NULL) {
+ if (blob.data == NULL && dsize != 0) {
 talloc_free(tmp_ctx);
 return;
 }
diff --git a/selftest/knownfail b/selftest/knownfail
index 9bdce072537..56a2961b1ae 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
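Review bot: The new condition `if (blob.data == NULL && dsize != 0)` is the right test for a genuine allocation failure, but everything after it — the zero-length `socket_recvfrom()` the comment describes and whatever parses the datagram afterwards — lies outside the hunk, so the review cannot confirm that an empty blob is discarded before it is handed to the packet parser; if no explicit length check exists after the read, a one-line `if (dsize == 0) { talloc_free(tmp_ctx); return; }` placed after the receive (never before it, or the pending-read state would not be cleared) would make the discard explicit and easy to audit. The fifteen-line comment could be condensed to its two operative facts, e.g. `/* data_blob_talloc(.., 0) legitimately returns {NULL, 0}: treat NULL as out-of-memory only when dsize != 0, and still perform the zero-length recvfrom() so the socket's "read pending" state is cleared. */`, which keeps the rationale next to the condition without obscuring it. `nbt_name_socket_recv` starts and ends outside the hunk.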
@@ -294,5 +294,3 @@
 ^samba4.ldap.vlv.python.*test_vlv_paged
 ^samba4.asq.python.*asq_vlv_paged
-^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet
-^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_known_good
-- 
2.17.1