authorStefan Metzmacher <metze@samba.org>2015-08-07 11:36:47 +0200
committerStefan Metzmacher <metze@samba.org>2016-03-10 06:52:24 +0100
commitee8d777bbfa23e60e37e875a08335769de424b03 (patch)
treef27008168273dbfb72af6ab30e143320768629e5 /source4/dns_server/dns_query.c
parent1cc57a98d4ae2381e95bd7aa9c987e8b05dafb6e (diff)
CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
From RFC 1035: 3.3.14. TXT RDATA format +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ / TXT-DATA / +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ where: TXT-DATA One or more <character-string>s. TXT RRs are used to hold descriptive text. The semantics of the text depends on the domain where it is found. Each record contains an array of strings instead of just one string. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dns_server/dns_query.c')
-rw-r--r--source4/dns_server/dns_query.c23
1 files changed, 11 insertions, 12 deletions
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 63c219a3eac..c251430a5ef 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -46,8 +46,7 @@ static WERROR add_response_rr(const char *name,
{
struct dns_res_rec *ans = *answers;
uint16_t ai = talloc_array_length(ans);
- char *tmp;
- uint32_t i;
+ enum ndr_err_code ndr_err;
if (ai == UINT16_MAX) {
return WERR_BUFFER_OVERFLOW;
@@ -114,14 +113,12 @@ static WERROR add_response_rr(const char *name,
}
break;
case DNS_QTYPE_TXT:
- tmp = talloc_asprintf(ans, "\"%s\"", rec->data.txt.str[0]);
- W_ERROR_HAVE_NO_MEMORY(tmp);
- for (i=1; i<rec->data.txt.count; i++) {
- tmp = talloc_asprintf_append_buffer(
- tmp, " \"%s\"", rec->data.txt.str[i]);
- W_ERROR_HAVE_NO_MEMORY(tmp);
+ ndr_err = ndr_dnsp_string_list_copy(ans,
+ &rec->data.txt,
+ &ans[ai].rdata.txt_record.txt);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return WERR_NOMEM;
}
- ans[ai].rdata.txt_record.txt = tmp;
break;
default:
DEBUG(0, ("Got unhandled type %u query.\n", rec->wType));
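Review bot: In the `DNS_QTYPE_TXT` case every failure of `ndr_dnsp_string_list_copy()` is returned as `WERR_NOMEM`, which is accurate only if the helper can fail on allocation alone; its body is not part of this diff, so confirm that and record it with a comment such as `/* deep copy of the string list; allocation is the only failure mode */`. The TXT case of add_dns_res_rec in the last hunk repeats the same mapping. The removed lines read `rec->data.txt.str[0]` without looking at `count`, so it is also worth a comment that a record with `count == 0` now yields an empty list, and a check elsewhere that such a list still encodes to valid RDATA, since RFC 1035 asks for one or more character-strings. add_response_rr begins and ends outside this hunk.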
@@ -145,6 +142,7 @@ static WERROR add_dns_res_rec(struct dns_res_rec **pdst,
{
struct dns_res_rec *dst = *pdst;
uint16_t di = talloc_array_length(dst);
+ enum ndr_err_code ndr_err;
if (di == UINT16_MAX) {
return WERR_BUFFER_OVERFLOW;
@@ -248,9 +246,10 @@ static WERROR add_dns_res_rec(struct dns_res_rec **pdst,
}
break;
case DNS_QTYPE_TXT:
- dst[di].rdata.txt_record.txt = talloc_strdup(
- dst, src->rdata.txt_record.txt);
- if (dst[di].rdata.txt_record.txt == NULL) {
+ ndr_err = ndr_dnsp_string_list_copy(dst,
+ &src->rdata.txt_record.txt,
+ &dst[di].rdata.txt_record.txt);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return WERR_NOMEM;
}
break;