author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2020-05-15 00:06:08 +1200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-06-25 13:04:45 +0200 |
commit | d266802a3fd75b91848b41f2b347de2e27fee5f9 (patch) | |
tree | b2f5105db701999e27203d11a3ad560949d3afa9 | |
parent | dbde3431f70ec0cf9c0da7abe7bc53fd4e5d3a63 (diff) | |
download | samba-d266802a3fd75b91848b41f2b347de2e27fee5f9.tar.gz |
CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
As per RFC 1035.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-rw-r--r-- | librpc/ndr/ndr_dns_utils.c | 10 | ||||
-rw-r--r-- | selftest/knownfail.d/ndr_dns_nbt | 1 |
2 files changed, 9 insertions, 2 deletions
diff --git a/librpc/ndr/ndr_dns_utils.c b/librpc/ndr/ndr_dns_utils.c
index 6931dac422d..b7f11dbab4e 100644
--- a/librpc/ndr/ndr_dns_utils.c
+++ b/librpc/ndr/ndr_dns_utils.c
@@ -11,6 +11,8 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
 int ndr_flags,
 const char *s)
 {
+ const char *start = s;
+
 if (!(ndr_flags & NDR_SCALARS)) {
 return NDR_ERR_SUCCESS;
 }
@@ -84,7 +86,13 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
 talloc_free(compname);
 s += complen;
- if (*s == '.') s++;
+ if (*s == '.') {
+ s++;
+ }
+ if (s - start > 255) {
+ return ndr_push_error(ndr, NDR_ERR_STRING,
+ "name > 255 character long");
+ }
 }
 /* if we reach the end of the string and have pushed the last component
diff --git a/selftest/knownfail.d/ndr_dns_nbt b/selftest/knownfail.d/ndr_dns_nbt
index e11c121b7a7..603395c8c50 100644
--- a/selftest/knownfail.d/ndr_dns_nbt
+++ b/selftest/knownfail.d/ndr_dns_nbt
@@ -1,3 +1,2 @@
-librpc.ndr.ndr_dns_nbt.test_ndr_dns_string_half_dots
 librpc.ndr.ndr_dns_nbt.test_ndr_nbt_string_all_dots
 librpc.ndr.ndr_dns_nbt.test_ndr_nbt_string_half_dots |
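Review bot: The new guard `s - start > 255` in the second hunk of ndr_dns_utils.c measures how many bytes of the input text have been consumed, not the encoded length, so it is looser than the RFC 1035 limit the commit message cites. Each label costs a length octet and the name ends with a root octet, so an uncompressed name built from 254 or 255 text bytes would presumably exceed 255 octets on the wire. If the intent is only to bound the per-component work of this loop, a comment such as `/* bound the input at 255 bytes (RFC 1035 name limit); this is text length, not wire length */` would make that explicit; strict conformance would need the bound to account for those extra octets. The message `"name > 255 character long"` also says characters where the check counts bytes, and 255 would read better as a named constant. The loop this check sits in starts above the hunk, so how compression affects the encoded length is not visible here.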