Bug 5107 - DNS handling fails for large response sizes
DNS handling fails for large response sizes
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.25a
Sparc Solaris
: P3 major
: none
Assigned To: Gerald (Jerry) Carter
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-25 20:07 UTC by Edward Newman
Modified: 2008-04-30 09:57 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Edward Newman 2007-11-25 20:07:41 UTC
The dns_send_req function fails on Solaris 10 x86 when response packet has to switch to TCP. Issue is that res_search function does not return an answer length other than the buffer size passed in. Thus logic in function fails to cope with truncated packets since it never gets a larger buffer length. Possible fixes include test for truncation though ns_msg_getflag (only available in libresolv.a on Linux) or automtically increasing buffer size when resp_len == buf_len. There does not appear to be easy way to get required buffer size for truncated packet on Solaris (unlike equivalent on Linux). Test can occur just prior to while loop check.

Truncated packet data causes failure to resolve SRV records for domain if large number of domain controllers and thus failure to get logon servers (net ads testjoin fails).
Comment 1 David Leonard (550 5.7.1 Unable to deliver) 2008-01-28 22:57:25 UTC
Untested patch:

--- libads/dns.c        (revision 293)
+++ libads/dns.c        (working copy)
@@ -303,6 +303,18 @@
                        }
                        return NT_STATUS_UNSUCCESSFUL;
                }
+               /* Possible buffer overflow */
+               if ( resp_len == buf_len ) {
+                       if (resp_len * 2 < MAX_DNS_PACKET_SIZE - 1)
+                           resp_len *= 2;
+                       else if (resp_len < MAX_DNS_PACKET_SIZE - 1)
+                           resp_len = MAX_DNS_PACKET_SIZE - 1;
+                       else {
+                           DEBUG(3,("ads_dns_lookup_srv: response too big resolving %s\n", name));
+                           TALLOC_FREE( buffer );
+                           return NT_STATUS_UNSUCCESSFUL;
+                       }
+               }
        } while ( buf_len < resp_len && resp_len < MAX_DNS_PACKET_SIZE );
 
        *buf = buffer;
Comment 2 Gerald (Jerry) Carter 2008-04-30 09:57:18 UTC
Confirmed issue on AIX as well.    Fix in in all 3.x branches