The Samba-Bugzilla – Attachment 16092 Details for Bug 14417: CVE-2020-14303 [SECURITY] Endless loop from empty UDP packet sent to AD DC nbt_server
Patch for V4.5 (with tests)
CVE-2020-14303-V4-5-v2.patch (text/plain), 4.33 KB, created by Gary Lockyer on 2020-06-26 03:16:45 UTC
Marked as: patch, obsolete
>From 51894ab9e03fe2acccda023726ea1c749a6664e0 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 25 Jun 2020 11:59:54 +1200 >Subject: [PATCH 1/2] CVE-2020-14303 Ensure an empty packet will not DoS the > NBT server > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> > >(backported from master commit) >[abartlet@samba.org: Remove f"" format string not supported in > Python 3.4] >[gary@catalyst.net.nz: > - resolve merge conflicts > - knownfail.d is not supported in 4.5 >] >--- > python/samba/tests/dns_packet.py | 18 ++++++++++++++++++ > selftest/knownfail | 2 ++ > 2 files changed, 20 insertions(+) > >diff --git a/python/samba/tests/dns_packet.py b/python/samba/tests/dns_packet.py >index c8ff2f96926..bfd16e9ec25 100644 >--- a/python/samba/tests/dns_packet.py >+++ b/python/samba/tests/dns_packet.py >@@ -156,6 +156,19 @@ class TestDnsPacketBase(TestCase): > > return expected_rcode == rcode > >+ def _test_empty_packet(self): >+ >+ packet = b"" >+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) >+ s.sendto(packet, self.server) >+ s.close() >+ >+ # It is reasonable not to reply to an empty packet >+ # but it is not reasonable to render the server >+ # unresponsive. >+ ok = self._known_good_query() >+ self.assertTrue(ok, "the server is unresponsive") >+ > > class TestDnsPackets(TestDnsPacketBase): > server = (SERVER, 53) >@@ -178,6 +191,9 @@ class TestDnsPackets(TestDnsPacketBase): > ok = self._known_good_query() > self.assertTrue(ok, "the server is unresponsive") > >+ def test_empty_packet(self): >+ self._test_empty_packet() >+ > class TestNbtPackets(TestDnsPacketBase): > server = (SERVER, 137) > qtype = 0x20 # NBT_QTYPE_NETBIOS >@@ -217,3 +233,5 @@ class TestNbtPackets(TestDnsPacketBase): > ok = self._known_good_query() > self.assertTrue(ok, "the server is unresponsive") > >+ def test_empty_packet(self): >+ self._test_empty_packet() >diff --git a/selftest/knownfail b/selftest/knownfail >index 56a2961b1ae..9bdce072537 100644 
>--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -294,3 +294,5 @@ > ^samba4.ldap.vlv.python.*test_vlv_paged > ^samba4.asq.python.*asq_vlv_paged > >+^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet >+^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_known_good >-- >2.17.1 > > >From 89a22f995046641159ad6155dbbd233cd224f081 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Wed, 24 Jun 2020 14:27:08 +1200 >Subject: [PATCH 2/2] CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet > >An empty UDP packet put the nbt server into a busy loop that consumes >100% of a cpu. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417 > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > libcli/nbt/nbtsocket.c | 17 ++++++++++++++++- > selftest/knownfail | 2 -- > 2 files changed, 16 insertions(+), 3 deletions(-) > >diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c >index dacacae9f50..ee018229860 100644 >--- a/libcli/nbt/nbtsocket.c >+++ b/libcli/nbt/nbtsocket.c >@@ -170,8 +170,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock) > return; > } > >+ /* >+ * Given a zero length, data_blob_talloc() returns the >+ * NULL blob {NULL, 0}. >+ * >+ * We only want to error return here on a real out of memory condition >+ * (i.e. dsize != 0, so the UDP packet has data, but the return of the >+ * allocation failed, so blob.data==NULL). >+ * >+ * Given an actual zero length UDP packet having blob.data == NULL >+ * isn't an out of memory error condition, that's the defined semantics >+ * of data_blob_talloc() when asked for zero bytes. >+ * >+ * We still need to continue to do the zero-length socket_recvfrom() >+ * read in order to clear the "read pending" condition on the socket. >+ */ > blob = data_blob_talloc(tmp_ctx, NULL, dsize); >- if (blob.data == NULL) { >+ if (blob.data == NULL && dsize != 0) { > talloc_free(tmp_ctx); > return; > } 
>diff --git a/selftest/knownfail b/selftest/knownfail >index 9bdce072537..56a2961b1ae 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -294,5 +294,3 @@ > ^samba4.ldap.vlv.python.*test_vlv_paged > ^samba4.asq.python.*asq_vlv_paged > >-^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_empty_packet >-^samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_known_good >-- >2.17.1 >
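Review bot: in the first dns_packet.py hunk of patch 1, `_test_empty_packet` closes the socket only on the success path; if `s.sendto()` raises (for example on a bad `self.server` address), the descriptor leaks for the rest of the test run. Since the message says the series targets Python 3.4, a `with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:` block around the `sendto` is available and keeps the cleanup on every path.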
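Review bot: the `TestDnsPackets` hunk of patch 1 adds `test_empty_packet` for the port 53 server without a matching knownfail entry, so it asserts that the DNS server already survives an empty datagram on 4.5, but the commit message does not say this was verified. A line stating that the DNS path was checked would help; if it was not, this is the test most likely to go red on the 4.5 branch.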
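Review bot: the selftest/knownfail hunk of patch 1 lists `TestNbtPackets.test_known_good` alongside the new `test_empty_packet`, yet the commit message explains only the new test. A sentence saying that once the busy loop is triggered the NBT server stays unresponsive, so the later `test_known_good` in the same class also fails until patch 2 lands, would spare the next reader a guess and makes the test-order dependency explicit.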
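Review bot: in the libcli/nbt/nbtsocket.c hunk, the relaxed check `if (blob.data == NULL && dsize != 0)` lets a zero-length datagram through to the `socket_recvfrom()` read that the comment says is needed to clear the read-pending state, but the hunk's context ends at the `return`, so it is not visible whether the code after the read copes with `blob.length == 0` and `blob.data == NULL`. Worth confirming in review, and worth one more sentence in the comment, that the zero-length case is dropped before the packet is parsed rather than handed to the parser with a NULL data pointer; the test in patch 1 only checks that the server still answers afterwards.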
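Review bot: the selftest/knownfail hunk of patch 2 is the exact inverse of the addition in patch 1 (both the `test_empty_packet` and `test_known_good` lines, same surrounding context), so the series bisects cleanly, which is the right shape given that patch 1's message notes knownfail.d is not supported in 4.5. The commit message of patch 2, though, describes only the C fix while the file list shows `selftest/knownfail | 2 --`; a line saying the knownfail entries are removed because the fix makes the tests pass would complete it.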
Flags: abartlet: review+