CVE-2020-10745: ndr_dns: do not allow consecutive dots

The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

3 files changed, 6 insertions, 2 deletions

diff --git a/librpc/ndr/ndr_dns_utils.c b/librpc/ndr/ndr_dns_utils.c
index 2ce300863bc..6931dac422d 100644
--- a/librpc/ndr/ndr_dns_utils.c
+++ b/librpc/ndr/ndr_dns_utils.c
@@ -58,6 +58,12 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
 					      (unsigned)complen);
 		}
 
+		if (complen == 0 && s[complen] == '.') {
+			return ndr_push_error(ndr, NDR_ERR_STRING,
+					      "component length is 0 "
+					      "(consecutive dots)");
+		}
+
 		compname = talloc_asprintf(ndr, "%c%*.*s",
 						(unsigned char)complen,
 						(unsigned char)complen,
diff --git a/selftest/knownfail.d/dns_packet b/selftest/knownfail.d/dns_packet
index 6e2e5a699de..0662266f689 100644
--- a/selftest/knownfail.d/dns_packet
+++ b/selftest/knownfail.d/dns_packet
@@ -1,2 +1 @@
-samba.tests.dns_packet.samba.tests.dns_packet.TestDnsPackets.test_127_very_dotty_components
 samba.tests.dns_packet.samba.tests.dns_packet.TestNbtPackets.test_127_very_dotty_components
diff --git a/selftest/knownfail.d/ndr_dns_nbt b/selftest/knownfail.d/ndr_dns_nbt
index f30217c4033..e11c121b7a7 100644
--- a/selftest/knownfail.d/ndr_dns_nbt
+++ b/selftest/knownfail.d/ndr_dns_nbt
@@ -1,4 +1,3 @@
-librpc.ndr.ndr_dns_nbt.test_ndr_dns_string_all_dots
 librpc.ndr.ndr_dns_nbt.test_ndr_dns_string_half_dots
 librpc.ndr.ndr_dns_nbt.test_ndr_nbt_string_all_dots
 librpc.ndr.ndr_dns_nbt.test_ndr_nbt_string_half_dots