Created attachment 14225: Parts of samba log level 10 related to dns query. Xerox Workcentre 7830 printer sends a DNS query with escape characters in names (see log attached) which makes both of our samba dc crash at the same time. I don't know why it queries such a name. Normal DNS clients refuse escape codes in DNS names, so I can't reproduce the problem. However, it may be a security issue if we can reproduce this query using a C program.
Hi Laurent, Thanks for the report. We'll certainly have to fix the crash, even if regular clients don't let you send these queries.
As a quick update, in my initial tests against the master branch, I can't reproduce the crash, the DNS server returns an NXDOMAIN error code and happily keeps running.
Finally, I can reproduce the crash using a Java program that sends the same DNS UDP packet as in the log file. (Java code from https://stackoverflow.com/questions/36743226/java-send-udp-packet-to-dns-server) Added as an attachment.
Created attachment 14228: Java code to reproduce the bug
Hi Laurent, thanks for the reproducer. On the first try, this didn't crash for me, but I still need to try with your domain name provisioned.
Ok, I can reproduce the crash now. Thanks again for the reproducer.
I now have a python-based test that reproduces this as well.
This is a bug in LDB, not the DNS server.
I've reproduced the bug in master now.
Created attachment 14229: patch for master
Created attachment 14230: patch for 4.8
Karo: as mentioned yesterday, this should be addressed in a security update soon. This is a DoS bug that can be triggered by a single UDP packet.
(In reply to Björn Jacke from comment #12) Ok, thanks for the heads-up!
Not sure if I can make time to write a cmocka test for this in the near future.
Could someone provide an advisory, please?
This is 'just' another instance of bug #13374 but just with broader consequences. *** This bug has been marked as a duplicate of bug 13374 ***
I'm re-opening this for the subtle distinction that while LDB should not crash, neither did the DNS server do strict input validation on the DN being constructed. The fix is still tagged for the CVE-2018-1140 but this bug number covers preventative input validation that can be done.
Created attachment 14288: patch to follow up CVE-2018-1140 to harden the DNS server. This needs to be applied to master after CVE-2018-1140 is published, but is NOT considered a security bug itself.
Created attachment 14294: patch to follow up CVE-2018-1140 to harden the DNS server. This patch uses a new API in LDB, ldb_dn_add_child_val(), to harden the DNS server by avoiding printf format strings.
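To illustrate the "strict input validation on the DN being constructed" point raised above, here is an added example of the kind of pre-check a DNS server could run on a query name before turning it into an LDB DN component. It is hypothetical code, not Samba's patch (which instead switches to ldb_dn_add_child_val()), and it assumes a plain hostname-style alphabet is acceptable for the zone, which is stricter than what DNS itself permits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Letters, digits, hyphen and underscore (for labels such as _ldap._tcp).
 * ASCII-only on purpose: locale-aware ctype checks could let other octets
 * through. */
static bool is_ldh_octet(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/* Hypothetical helper: returns true only if `name` is safe to use as the
 * value of a DN component. Rejects backslash escape sequences like the
 * ones in the Xerox query, characters that are special inside LDAP DNs
 * (',', '=', '+', '"', '<', '>', ';', '#'), empty labels, labels longer
 * than 63 octets and names longer than 253 octets. A single trailing
 * dot (absolute name) is tolerated. */
bool dns_name_is_safe_for_dn(const char *name)
{
    size_t total, label_len = 0;

    if (name == NULL) {
        return false;
    }
    total = strlen(name);
    if (total == 0 || total > 253) {
        return false;
    }
    if (name[total - 1] == '.') {
        total--;                      /* drop the root label marker */
    }
    if (total == 0) {
        return false;                 /* name was just "." */
    }
    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0) {
                return false;         /* ".a" or "a..b" */
            }
            label_len = 0;
            continue;
        }
        if (!is_ldh_octet(c) || ++label_len > 63) {
            return false;             /* escape char, DN metachar, or too long */
        }
    }
    return label_len > 0;
}
```

A server that gates DN construction on such a check answers the malformed query with an error instead of handing the raw bytes to the LDB layer.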
Now that CVE-2018-1140 is out, open up the bug with the hardening ideas.
A fixed crash bug being open is confusing. Additional enhancement requests should go into a new enhancement bug report.