diff options
author | Andrew Bartlett <abartlet@samba.org> | 2019-10-30 11:50:57 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2019-11-29 11:55:44 +0100 |
commit | 90073f0abc495c4b5bd05322b71667c534ee9dd8 (patch) | |
tree | 6bd4c2546f2c73e5d3b0dca7a361cc805a3fcba7 | |
parent | 16405fecc403517574915a49de5f4abcaa964e21 (diff) | |
download | samba-90073f0abc495c4b5bd05322b71667c534ee9dd8.tar.gz |
CVE-2019-14861: Test to demonstrate the bug
This test does not fail every time, but when it does it casues a segfault which
takes out the rpc_server master process, as this hosts the dnsserver pipe.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | python/samba/tests/dcerpc/dnsserver.py | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py index 14ce308e38f..a9b8a4ace91 100644 --- a/python/samba/tests/dcerpc/dnsserver.py +++ b/python/samba/tests/dcerpc/dnsserver.py @@ -191,6 +191,53 @@ class DnsserverTests(RpcInterfaceTestCase): self.assertEqual(result.rec[4].dnsNodeName.str, "atestrecord-3") self.assertEqual(result.rec[5].dnsNodeName.str, "atestrecord-4") + def test_enum_is_sorted_with_zone_dup(self): + """ + Confirm the zone is sorted + """ + + record_str = "192.168.50.50" + record_type_str = "A" + self.add_record(self.custom_zone, "atestrecord-1", record_type_str, record_str) + self.add_record(self.custom_zone, "atestrecord-2", record_type_str, record_str) + self.add_record(self.custom_zone, "atestrecord-3", record_type_str, record_str) + self.add_record(self.custom_zone, "atestrecord-4", record_type_str, record_str) + self.add_record(self.custom_zone, "atestrecord-0", record_type_str, record_str) + + # This triggers a bug in old Samba + self.add_record(self.custom_zone, self.custom_zone + "1", record_type_str, record_str) + + dn, record = self.get_record_from_db(self.custom_zone, self.custom_zone + "1") + + new_dn = ldb.Dn(self.samdb, str(dn)) + new_dn.set_component(0, "dc", self.custom_zone) + self.samdb.rename(dn, new_dn) + + _, result = self.conn.DnssrvEnumRecords2(dnsserver.DNS_CLIENT_VERSION_LONGHORN, + 0, + self.server, + self.custom_zone, + "@", + None, + self.record_type_int(record_type_str), + dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA, + None, + None) + + self.assertEqual(len(result.rec), 7) + self.assertEqual(result.rec[0].dnsNodeName.str, "") + self.assertEqual(result.rec[1].dnsNodeName.str, "atestrecord-0") + self.assertEqual(result.rec[2].dnsNodeName.str, "atestrecord-1") + self.assertEqual(result.rec[3].dnsNodeName.str, "atestrecord-2") + self.assertEqual(result.rec[4].dnsNodeName.str, "atestrecord-3") + self.assertEqual(result.rec[5].dnsNodeName.str, "atestrecord-4") + + # Windows doesn't reload the zone fast enough, but doesn't + # have the bug anyway, it will sort last on both names (where + # it should) + if result.rec[6].dnsNodeName.str != (self.custom_zone + "1"): + self.assertEqual(result.rec[6].dnsNodeName.str, self.custom_zone) + def test_enum_is_sorted_children_prefix_first(self): """ Confirm the zone returns the selected prefix first but no more |