CVE-2020-10745: ndr_dns: do not allow consecutive dots

The empty subdomain component is reserved for the root domain, which we should only (and always) see at the end of the list. That is, we expect "example.com.", but never "example..com". BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
author: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 2020-04-25 11:10:18 +1200
committer: Karolin Seeger <kseeger@samba.org> 2020-07-02 09:01:41 +0000
commit: 51a4571849c5a84b994ce72908eac8141c2d72ed (patch)
tree: ffad7e62a3c9fac070eab0d09c75723e82a2061c /librpc
parent: bb6373790567ed56a56ea968cfee8da2f92e5cc6 (diff)
download: samba-51a4571849c5a84b994ce72908eac8141c2d72ed.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/librpc/ndr/ndr_dns_utils.c b/librpc/ndr/ndr_dns_utils.c
index 2ce300863bc..6931dac422d 100644
--- a/librpc/ndr/ndr_dns_utils.c
+++ b/librpc/ndr/ndr_dns_utils.c
@@ -58,6 +58,12 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
 					      (unsigned)complen);
 		}
 
+		if (complen == 0 && s[complen] == '.') {
+			return ndr_push_error(ndr, NDR_ERR_STRING,
+					      "component length is 0 "
+					      "(consecutive dots)");
+		}
+
 		compname = talloc_asprintf(ndr, "%c%*.*s",
 						(unsigned char)complen,
 						(unsigned char)complen,
author	Douglas Bagnall <douglas.bagnall@catalyst.net.nz>	2020-04-25 11:10:18 +1200
committer	Karolin Seeger <kseeger@samba.org>	2020-07-02 09:01:41 +0000
commit	51a4571849c5a84b994ce72908eac8141c2d72ed (patch)
tree	ffad7e62a3c9fac070eab0d09c75723e82a2061c /librpc
parent	bb6373790567ed56a56ea968cfee8da2f92e5cc6 (diff)
download	samba-51a4571849c5a84b994ce72908eac8141c2d72ed.tar.gz