Bug 5107 - DNS handling fails for large response sizes
Summary: DNS handling fails for large response sizes
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.25a
Hardware: Sparc Solaris
: P3 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-25 20:07 UTC by Edward Newman
Modified: 2008-04-30 09:57 UTC (History)
Description Edward Newman 2007-11-25 20:07:41 UTC
The dns_send_req function fails on Solaris 10 x86 when the response packet has to switch to TCP. The issue is that the res_search function does not return an answer length other than the buffer size passed in. Thus the logic in the function fails to cope with truncated packets since it never gets a larger buffer length. Possible fixes include a test for truncation through ns_msg_getflag (only available in libresolv.a on Linux) or automatically increasing the buffer size when resp_len == buf_len. There does not appear to be an easy way to get the required buffer size for a truncated packet on Solaris (unlike the equivalent on Linux). The test can occur just prior to the while loop check.

Truncated packet data causes failure to resolve SRV records for the domain if there is a large number of domain controllers, and thus failure to get logon servers (net ads testjoin fails).
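A portable way to detect the truncation the report describes, as an added C example that is not Samba code: it reads the TC flag straight from the DNS header (the check the reporter says ns_msg_getflag would give, without needing libresolv) and applies the grow-when-the-reply-fills-the-buffer rule for resolvers that never report a length larger than the buffer. The value of MAX_DNS_PACKET_SIZE, the doubling policy and the sample headers are assumptions constructed for the example.

```c
/* Added example, not Samba code: decide whether a DNS reply must be
 * re-requested with a bigger buffer. Checks the TC bit in the 12-byte
 * DNS header and, separately, the "reply exactly filled the buffer"
 * heuristic. Cap and growth policy are assumptions for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_HEADER_LEN 12
#define MAX_DNS_PACKET_SIZE 65535   /* assumed cap: largest TCP DNS message */

/* Return 1 if the header's TC (truncated) bit is set, 0 if clear, -1 if
 * the buffer is too short to hold a header. Flags live in bytes 2-3,
 * big endian; TC is 0x0200, i.e. 0x02 in byte 2. */
int dns_reply_truncated(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < DNS_HEADER_LEN)
        return -1;
    return (buf[2] & 0x02) ? 1 : 0;
}

/* Given the buffer size used and the length the resolver reported, return
 * the size to retry with, or 0 when no retry is needed (answer fitted) or
 * possible (already at the cap). Grows by doubling, clamped to the cap. */
size_t dns_next_buf_len(size_t buf_len, size_t resp_len)
{
    if (resp_len < buf_len)
        return 0;                         /* answer fitted, nothing to do */
    if (resp_len > buf_len)               /* resolver reported the full size */
        return resp_len <= MAX_DNS_PACKET_SIZE ? resp_len : 0;
    /* resp_len == buf_len: cannot tell whether the reply was cut off */
    if (buf_len >= MAX_DNS_PACKET_SIZE)
        return 0;                         /* give up: reply too big to hold */
    return buf_len * 2 > MAX_DNS_PACKET_SIZE ? MAX_DNS_PACKET_SIZE : buf_len * 2;
}

int main(void)
{
    /* Constructed headers: id 0x1234; flags 0x8380 = QR,TC,RD,RA; 0x8180 = QR,RD,RA */
    const uint8_t truncated[DNS_HEADER_LEN] = {0x12,0x34, 0x83,0x80, 0,1, 0,0, 0,0, 0,0};
    const uint8_t complete[DNS_HEADER_LEN]  = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};
    printf("TC set: %d, TC clear: %d\n", dns_reply_truncated(truncated, sizeof truncated),
           dns_reply_truncated(complete, sizeof complete));
    printf("retry sizes: %zu %zu %zu\n", dns_next_buf_len(2048, 2048),
           dns_next_buf_len(2048, 1500), dns_next_buf_len(65535, 65535));
    return 0;
}
```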
Comment 1 David Leonard (550 5.7.1 Unable to deliver) 2008-01-28 22:57:25 UTC
Untested patch:

--- libads/dns.c        (revision 293)
+++ libads/dns.c        (working copy)
@@ -303,6 +303,18 @@
                        }
                        return NT_STATUS_UNSUCCESSFUL;
                }
+               /* Possible buffer overflow */
+               if ( resp_len == buf_len ) {
+                       if (resp_len * 2 < MAX_DNS_PACKET_SIZE - 1)
+                           resp_len *= 2;
+                       else if (resp_len < MAX_DNS_PACKET_SIZE - 1)
+                           resp_len = MAX_DNS_PACKET_SIZE - 1;
+                       else {
+                           DEBUG(3,("ads_dns_lookup_srv: response too big resolving %s\n", name));
+                           TALLOC_FREE( buffer );
+                           return NT_STATUS_UNSUCCESSFUL;
+                       }
+               }
        } while ( buf_len < resp_len && resp_len < MAX_DNS_PACKET_SIZE );
 
        *buf = buffer;
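Review bot: The new comment `/* Possible buffer overflow */` describes the wrong condition: `resp_len == buf_len` means the resolver may have truncated the reply to fit the buffer (the Solaris behaviour the report describes), not that anything was overrun, so a comment along the lines of `/* reply filled the buffer: may be truncated, retry larger */` would be clearer. The DEBUG message labels the function `ads_dns_lookup_srv` while the report names the affected function `dns_send_req`; the label should match the function this hunk actually lives in. Note also that the size logic uses `MAX_DNS_PACKET_SIZE - 1` as its ceiling while the loop condition tests `resp_len < MAX_DNS_PACKET_SIZE`; using one limit in both places would make the exit path easier to verify. A reply that exactly fills the buffer without being truncated costs one extra query under this change, which seems acceptable.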
Comment 2 Gerald (Jerry) Carter (dead mail address) 2008-04-30 09:57:18 UTC
Confirmed issue on AIX as well. Fix is in all 3.x branches.