diff options
author | Douglas Bagnall <douglas.bagnall@catalyst.net.nz> | 2020-04-25 11:10:18 +1200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-07-02 09:01:41 +0000 |
commit | 51a4571849c5a84b994ce72908eac8141c2d72ed (patch) | |
tree | ffad7e62a3c9fac070eab0d09c75723e82a2061c /librpc | |
parent | bb6373790567ed56a56ea968cfee8da2f92e5cc6 (diff) | |
download | samba-51a4571849c5a84b994ce72908eac8141c2d72ed.tar.gz |
CVE-2020-10745: ndr_dns: do not allow consecutive dots
The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Diffstat (limited to 'librpc')
-rw-r--r-- | librpc/ndr/ndr_dns_utils.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/librpc/ndr/ndr_dns_utils.c b/librpc/ndr/ndr_dns_utils.c index 2ce300863bc..6931dac422d 100644 --- a/librpc/ndr/ndr_dns_utils.c +++ b/librpc/ndr/ndr_dns_utils.c @@ -58,6 +58,12 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr, (unsigned)complen); } + if (complen == 0 && s[complen] == '.') { + return ndr_push_error(ndr, NDR_ERR_STRING, + "component length is 0 " + "(consecutive dots)"); + } + compname = talloc_asprintf(ndr, "%c%*.*s", (unsigned char)complen, (unsigned char)complen, |