CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes

As per RFC 1035. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
author: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 2020-05-15 00:06:08 +1200
committer: Karolin Seeger <kseeger@samba.org> 2020-07-02 09:01:41 +0000
commit: c3fa8ada43e5383f8dec6cd93cbc21139df704f7 (patch)
tree: 707fcdd9fc4d318338c0c75e80abaae804a4a8e6 /librpc
parent: 51a4571849c5a84b994ce72908eac8141c2d72ed (diff)
download: samba-c3fa8ada43e5383f8dec6cd93cbc21139df704f7.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/librpc/ndr/ndr_dns_utils.c b/librpc/ndr/ndr_dns_utils.c
index 6931dac422d..b7f11dbab4e 100644
--- a/librpc/ndr/ndr_dns_utils.c
+++ b/librpc/ndr/ndr_dns_utils.c
@@ -11,6 +11,8 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
 					   int ndr_flags,
 					   const char *s)
 {
+	const char *start = s;
+
 	if (!(ndr_flags & NDR_SCALARS)) {
 		return NDR_ERR_SUCCESS;
 	}
@@ -84,7 +86,13 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
 		talloc_free(compname);
 
 		s += complen;
-		if (*s == '.') s++;
+		if (*s == '.') {
+			s++;
+		}
+		if (s - start > 255) {
+			return ndr_push_error(ndr, NDR_ERR_STRING,
+					      "name > 255 character long");
+		}
 	}
 
 	/* if we reach the end of the string and have pushed the last component
author	Douglas Bagnall <douglas.bagnall@catalyst.net.nz>	2020-05-15 00:06:08 +1200
committer	Karolin Seeger <kseeger@samba.org>	2020-07-02 09:01:41 +0000
commit	c3fa8ada43e5383f8dec6cd93cbc21139df704f7 (patch)
tree	707fcdd9fc4d318338c0c75e80abaae804a4a8e6 /librpc
parent	51a4571849c5a84b994ce72908eac8141c2d72ed (diff)
download	samba-c3fa8ada43e5383f8dec6cd93cbc21139df704f7.tar.gz