diff options
author | Kai Blin <kai@samba.org> | 2014-05-13 08:13:29 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2014-05-26 14:54:32 +0200 |
commit | 97a32749b4c567890a92de97aaf8b85d5ec0134b (patch) | |
tree | 384d0bdb7223c8c500fdbae65ccb9103039ed812 | |
parent | d4b0b741427e6d5ec9626f26eff4068399d8f771 (diff) | |
download | samba-97a32749b4c567890a92de97aaf8b85d5ec0134b.tar.gz |
bug #10609: CVE-2014-0239 Don't reply to replies
Due to insufficient input checking, the DNS server will reply to a packet that
has the "reply" bit set. Over UDP, this allows to send a packet with a spoofed
sender address and have two servers DOS each other with circular replies.
This patch fixes bug #10609 and adds a test to make sure we don't regress.
CVE-2014-2039 has been assigned to this issue.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10609
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Kai Blin <kai@samba.org>
Autobuild-Date(master): Tue May 20 04:15:44 CEST 2014 on sn-devel-104
(cherry picked from commit 392ec4d241eb19c812cd49ff73bd32b2b09d8533)
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Mon May 26 14:54:32 CEST 2014 on sn-devel-104
-rw-r--r-- | python/samba/tests/dns.py | 29 | ||||
-rw-r--r-- | source4/dns_server/dns_server.c | 6 |
2 files changed, 35 insertions, 0 deletions
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py index f2c5685b3f0..79e4158b67b 100644 --- a/python/samba/tests/dns.py +++ b/python/samba/tests/dns.py @@ -833,6 +833,35 @@ class TestInvalidQueries(DNSTest): self.assertEquals(response.answers[0].rdata, os.getenv('SERVER_IP')) + def test_one_a_reply(self): + "send a reply instead of a query" + + p = self.make_name_packet(dns.DNS_OPCODE_QUERY) + questions = [] + + name = "%s.%s" % ('fakefakefake', self.get_dns_domain()) + q = self.make_name_question(name, dns.DNS_QTYPE_A, dns.DNS_QCLASS_IN) + print "asking for ", q.name + questions.append(q) + + self.finish_name_packet(p, questions) + p.operation |= dns.DNS_FLAG_REPLY + s = None + try: + send_packet = ndr.ndr_pack(p) + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) + host=os.getenv('SERVER_IP') + s.connect((host, 53)) + tcp_packet = struct.pack('!H', len(send_packet)) + tcp_packet += send_packet + s.send(tcp_packet, 0) + recv_packet = s.recv(0xffff + 2, 0) + self.assertEquals(0, len(recv_packet)) + finally: + if s is not None: + s.close() + + if __name__ == "__main__": import unittest unittest.main() diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c index 95a2db4dd68..cd18c311616 100644 --- a/source4/dns_server/dns_server.c +++ b/source4/dns_server/dns_server.c @@ -153,6 +153,12 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } + if (state->in_packet.operation & DNS_FLAG_REPLY) { + DEBUG(1, ("Won't reply to replies.\n")); + tevent_req_werror(req, WERR_INVALID_PARAM); + return tevent_req_post(req, ev); + } + state->state.flags = state->in_packet.operation; state->state.flags |= DNS_FLAG_REPLY; |