diff options
| author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2019-05-22 12:58:01 +1200 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2019-06-19 07:01:12 +0000 |
| commit | 7ea74d55ad55027118ca8b32596f32ac4182dce6 (patch) | |
| tree | 2f5d8920b6dbe2334c84ee2ebc368a1a5bedc311 | |
| parent | f04260ce02cb3c5effd7f9866bcc332d061c25f4 (diff) | |
| download | samba-7ea74d55ad55027118ca8b32596f32ac4182dce6.tar.gz | |
CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation
We still want to return DOES_NOT_EXIST when request_filter is not 0.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
| -rw-r--r-- | python/samba/tests/dcerpc/dnsserver.py | 25 | ||||
| -rw-r--r-- | source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 7 |
2 files changed, 31 insertions, 1 deletions
diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py index 8e485c540dd..bfe86323e0c 100644 --- a/python/samba/tests/dcerpc/dnsserver.py +++ b/python/samba/tests/dcerpc/dnsserver.py @@ -28,6 +28,7 @@ from samba.dcerpc import dnsp, dnsserver, security from samba.tests import RpcInterfaceTestCase, env_get_var_value from samba.netcmd.dns import ARecord, AAAARecord, PTRRecord, CNameRecord, NSRecord, MXRecord, SRVRecord, TXTRecord from samba import sd_utils, descriptor +from samba import WERRORError, werror class DnsserverTests(RpcInterfaceTestCase): @@ -707,6 +708,30 @@ class DnsserverTests(RpcInterfaceTestCase): 'ServerInfo') self.assertEquals(dnsserver.DNSSRV_TYPEID_SERVER_INFO, typeid) + + # This test is to confirm that we do not support multizone operations, + # which are designated by a non-zero dwContext value (the 3rd argument + # to DnssrvOperation). + def test_operation_invalid(self): + non_zone = 'a-zone-that-does-not-exist' + typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM + name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM() + name_and_param.pszNodeName = 'AllowUpdate' + name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE + try: + res = self.conn.DnssrvOperation(self.server, + non_zone, + 1, + 'ResetDwordProperty', + typeid, + name_and_param) + except WERRORError as e: + if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST: + return + + # We should always encounter a DOES_NOT_EXIST error. + self.fail() + def test_operation2(self): client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN rev_zone = '1.168.192.in-addr.arpa' diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c index 62a74127ecf..3bc6e2e3450 100644 --- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c @@ -2027,7 +2027,12 @@ static WERROR dcesrv_DnssrvOperation(struct dcesrv_call_state *dce_call, TALLOC_ &r->in.pData); } else { z = dnsserver_find_zone(dsstate->zones, r->in.pszZone); - if (z == NULL && request_filter == 0) { + /* + * In the case that request_filter is not 0 and z is NULL, + * the request is for a multizone operation, which we do not + * yet support, so just error on NULL zone name. + */ + if (z == NULL) { return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST; } |