diff options
author | Kai Blin <kai@samba.org> | 2014-05-13 08:13:29 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2014-05-20 13:54:40 +0200 |
commit | bb0871c3ec44f6fb5fbd01e0f1522dfd7934cfe5 (patch) | |
tree | 411db69d8efe3d0e4f9b928a60b57c77e40ec37e /python | |
parent | 60dbfbdadf7bce70cb2f74a79afe04017da3035d (diff) | |
download | samba-bb0871c3ec44f6fb5fbd01e0f1522dfd7934cfe5.tar.gz |
bug #10609: CVE-2014-0239 Don't reply to replies
Due to insufficient input checking, the DNS server will reply to a packet that
has the "reply" bit set. Over UDP, this allows to send a packet with a spoofed
sender address and have two servers DOS each other with circular replies.
This patch fixes bug #10609 and adds a test to make sure we don't regress.
CVE-2014-2039 has been assigned to this issue.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10609
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Kai Blin <kai@samba.org>
Autobuild-Date(master): Tue May 20 04:15:44 CEST 2014 on sn-devel-104
(cherry picked from commit 392ec4d241eb19c812cd49ff73bd32b2b09d8533)
Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Tue May 20 13:54:40 CEST 2014 on sn-devel-104
Diffstat (limited to 'python')
-rw-r--r-- | python/samba/tests/dns.py | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py index f2c5685b3f0..79e4158b67b 100644 --- a/python/samba/tests/dns.py +++ b/python/samba/tests/dns.py @@ -833,6 +833,35 @@ class TestInvalidQueries(DNSTest): self.assertEquals(response.answers[0].rdata, os.getenv('SERVER_IP')) + def test_one_a_reply(self): + "send a reply instead of a query" + + p = self.make_name_packet(dns.DNS_OPCODE_QUERY) + questions = [] + + name = "%s.%s" % ('fakefakefake', self.get_dns_domain()) + q = self.make_name_question(name, dns.DNS_QTYPE_A, dns.DNS_QCLASS_IN) + print "asking for ", q.name + questions.append(q) + + self.finish_name_packet(p, questions) + p.operation |= dns.DNS_FLAG_REPLY + s = None + try: + send_packet = ndr.ndr_pack(p) + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) + host=os.getenv('SERVER_IP') + s.connect((host, 53)) + tcp_packet = struct.pack('!H', len(send_packet)) + tcp_packet += send_packet + s.send(tcp_packet, 0) + recv_packet = s.recv(0xffff + 2, 0) + self.assertEquals(0, len(recv_packet)) + finally: + if s is not None: + s.close() + + if __name__ == "__main__": import unittest unittest.main() |