From 7aeb3a7251dd8fd799b52088a9cce20a55a841b8 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Mon, 5 Aug 2013 11:16:22 -0700 Subject: [PATCH 1/2] FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to zero Otherwise num_volumes and the end marker can return uninitialized data to the client. Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison Reviewed-by: Simo Sorce (cherry picked from commit 30e724cbff1ecd90e5a676831902d1e41ec1b347) --- source3/modules/vfs_default.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c index 82d059c..efb0204 100644 --- a/source3/modules/vfs_default.c +++ b/source3/modules/vfs_default.c @@ -1151,7 +1151,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle, return NT_STATUS_BUFFER_TOO_SMALL; } - cur_pdata = talloc_array(ctx, char, *out_len); + cur_pdata = talloc_zero_array(ctx, char, *out_len); if (cur_pdata == NULL) { TALLOC_FREE(shadow_data); return NT_STATUS_NO_MEMORY; -- 1.8.4.5 From 7d7d40522123066ecc80852f172e81b7c76f8fc6 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Mon, 5 Aug 2013 11:21:59 -0700 Subject: [PATCH 2/2] FSCTL_GET_SHADOW_COPY_DATA: Don't return 4 extra bytes at end labels_data_count already accounts for the unicode null character at the end of the array. There is no need in adding space for it again. Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison Reviewed-by: Simo Sorce Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Aug 6 04:03:17 CEST 2013 on sn-devel-104 (cherry picked from commit eb50fb8f3bf670bd7d1cf8fd4368ef4a73083696) --- source3/modules/vfs_default.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c index efb0204..304ef37 100644 --- a/source3/modules/vfs_default.c +++ b/source3/modules/vfs_default.c @@ -1141,7 +1141,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle, if (!labels) { *out_len = 16; } else { - *out_len = 12 + labels_data_count + 4; + *out_len = 12 + labels_data_count; } if (max_out_len < *out_len) { @@ -1168,7 +1168,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle, } /* needed_data_count 4 bytes */ - SIVAL(cur_pdata, 8, labels_data_count + 4); + SIVAL(cur_pdata, 8, labels_data_count); cur_pdata += 12; -- 1.8.4.5 From 9009a3c23e31d0323440af1edbc5bb3d2b6eaa79 Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Tue, 13 May 2014 08:13:29 +0200 Subject: [PATCH] bug #10609: CVE-2014-0239 Don't reply to replies Due to insufficient input checking, the DNS server will reply to a packet that has the "reply" bit set. Over UDP, this allows to send a packet with a spoofed sender address and have two servers DOS each other with circular replies. This patch fixes bug #10609 and adds a test to make sure we don't regress. CVE-2014-2039 has been assigned to this issue. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10609 Signed-off-by: Kai Blin Reviewed-by: Stefan Metzmacher Autobuild-User(master): Kai Blin Autobuild-Date(master): Tue May 20 04:15:44 CEST 2014 on sn-devel-104 (cherry picked from commit 392ec4d241eb19c812cd49ff73bd32b2b09d8533) --- python/samba/tests/dns.py | 29 +++++++++++++++++++++++++++++ source4/dns_server/dns_server.c | 6 ++++++ 2 files changed, 35 insertions(+) diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py index f2c5685..79e4158 100644 --- a/python/samba/tests/dns.py +++ b/python/samba/tests/dns.py @@ -833,6 +833,35 @@ class TestInvalidQueries(DNSTest): self.assertEquals(response.answers[0].rdata, os.getenv('SERVER_IP')) + def test_one_a_reply(self): + "send a reply instead of a query" + + p = self.make_name_packet(dns.DNS_OPCODE_QUERY) + questions = [] + + name = "%s.%s" % ('fakefakefake', self.get_dns_domain()) + q = self.make_name_question(name, dns.DNS_QTYPE_A, dns.DNS_QCLASS_IN) + print "asking for ", q.name + questions.append(q) + + self.finish_name_packet(p, questions) + p.operation |= dns.DNS_FLAG_REPLY + s = None + try: + send_packet = ndr.ndr_pack(p) + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) + host=os.getenv('SERVER_IP') + s.connect((host, 53)) + tcp_packet = struct.pack('!H', len(send_packet)) + tcp_packet += send_packet + s.send(tcp_packet, 0) + recv_packet = s.recv(0xffff + 2, 0) + self.assertEquals(0, len(recv_packet)) + finally: + if s is not None: + s.close() + + if __name__ == "__main__": import unittest unittest.main() diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c index 976774d..60ce27c 100644 --- a/source4/dns_server/dns_server.c +++ b/source4/dns_server/dns_server.c @@ -156,6 +156,12 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } + if (state->in_packet.operation & DNS_FLAG_REPLY) { + DEBUG(1, ("Won't reply to replies.\n")); + tevent_req_werror(req, WERR_INVALID_PARAM); + return tevent_req_post(req, ev); + } + state->state.flags = state->in_packet.operation; state->state.flags |= DNS_FLAG_REPLY; -- 1.9.1