author | Gary Lockyer <gary@catalyst.net.nz> | 2018-11-06 12:16:30 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-11-28 08:22:24 +0100 |
commit | 2b00f8fa9fdcecbd6951f09d528531c5585b9778 (patch) | |
tree | 761915b7403ff01f81faeb4a5f495007817d12ab /source4 | |
parent | c1d4033e09acd5f7edfbafaf04b3b410a5b8e574 (diff) | |
CVE-2018-16852 dcerpc dnsserver: Ensure properties are handled correctly
Fixes for
Bug 13669 - (CVE-2018-16852) NULL
pointer de-reference in Samba AD DC DNS management
The presence of the ZONE_MASTER_SERVERS property or the
ZONE_SCAVENGING_SERVERS property in a zone record causes the server to
follow a null pointer and terminate.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/rpc_server/dnsserver/dnsutils.c | 64 |
1 files changed, 56 insertions, 8 deletions
diff --git a/source4/rpc_server/dnsserver/dnsutils.c b/source4/rpc_server/dnsserver/dnsutils.c
index b3d8949f8ab..982b13bc2ac 100644
--- a/source4/rpc_server/dnsserver/dnsutils.c
+++ b/source4/rpc_server/dnsserver/dnsutils.c
@@ -209,6 +209,46 @@ struct dnsserver_serverinfo *dnsserver_init_serverinfo(TALLOC_CTX *mem_ctx,
 }
+/*
+ * Helper function to copy a dnsp_ip4_array struct to an IP4_ARRAY struct.
+ * The new structure and it's data are allocated on the supplied talloc context
+ */
+static struct IP4_ARRAY *copy_ip4_array(
+ TALLOC_CTX *ctx,
+ const char *name,
+ struct dnsp_ip4_array array) {
+
+ struct IP4_ARRAY *ip4_array = NULL;
+ unsigned int i;
+
+ ip4_array = talloc_zero(ctx, struct IP4_ARRAY);
+ if (ip4_array == NULL) {
+ DBG_ERR("Out of memory copying property [%s]\n",
+ name);
+ return NULL;
+ }
+
+ ip4_array->AddrCount = array.addrCount;
+ if (ip4_array->AddrCount == 0) {
+ return ip4_array;
+ }
+
+ ip4_array->AddrArray = talloc_array(ip4_array, uint32_t,
+ ip4_array->AddrCount);
+ if (ip4_array->AddrArray == NULL) {
+ TALLOC_FREE(ip4_array);
+ DBG_ERR("Out of memory copying property [%s] values\n",
+ name);
+ return NULL;
+ }
+
+ for (i = 0; i < ip4_array->AddrCount; i++) {
+ ip4_array->AddrArray[i] = array.addr[i];
+ }
+
+ return ip4_array;
+}
+
 struct dnsserver_zoneinfo *dnsserver_init_zoneinfo(struct dnsserver_zone *zone,
 struct dnsserver_serverinfo *serverinfo)
 {
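Review bot: The copy loop in `copy_ip4_array` reads `array.addr[i]` for every index below `array.addrCount`, but nothing in the helper establishes that `addr` is non-NULL and really holds that many entries. If the decoder that fills `dnsp_ip4_array` guarantees this, the header comment should say so; otherwise guard right after the `talloc_zero` check with `if (array.addrCount != 0 && array.addr == NULL) { TALLOC_FREE(ip4_array); return NULL; }`. The comment should also state the return contract (NULL on allocation failure, `AddrArray` left NULL when the count is zero, the array parented to the returned struct), and "it's data" should read "its data". On style, the opening brace sits on the parameter line here, while `dnsserver_init_zoneinfo` just below puts it on its own line.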
@@ -309,20 +349,28 @@ struct dnsserver_zoneinfo *dnsserver_init_zoneinfo(struct dnsserver_zone *zone,
 prop->aging_enabled;
 break;
 case DSPROPERTY_ZONE_SCAVENGING_SERVERS:
- zoneinfo->aipScavengeServers->AddrCount =
- prop->servers.addrCount;
- zoneinfo->aipScavengeServers->AddrArray =
- prop->servers.addr;
+ zoneinfo->aipScavengeServers =
+ copy_ip4_array(zoneinfo,
+ "ZONE_SCAVENGING_SERVERS",
+ prop->servers);
+ if (zoneinfo->aipScavengeServers == NULL) {
+ TALLOC_FREE(zoneinfo);
+ return NULL;
+ }
 break;
 case DSPROPERTY_ZONE_AGING_ENABLED_TIME:
 zoneinfo->dwAvailForScavengeTime =
 prop->next_scavenging_cycle_hours;
 break;
 case DSPROPERTY_ZONE_MASTER_SERVERS:
- zoneinfo->aipLocalMasters->AddrCount =
- prop->master_servers.addrCount;
- zoneinfo->aipLocalMasters->AddrArray =
- prop->master_servers.addr;
+ zoneinfo->aipLocalMasters =
+ copy_ip4_array(zoneinfo,
+ "ZONE_MASTER_SERVERS",
+ prop->master_servers);
+ if (zoneinfo->aipLocalMasters == NULL) {
+ TALLOC_FREE(zoneinfo);
+ return NULL;
+ }
 break;
 case DSPROPERTY_ZONE_EMPTY:
 case DSPROPERTY_ZONE_SECURE_TIME: |
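Review bot: Both new failure branches make `dnsserver_init_zoneinfo` free `zoneinfo` and return NULL from inside the property switch, so every caller has to treat a NULL result as an error. The callers are outside this hunk and should be checked, otherwise the NULL dereference this commit fixes only moves up one frame. A comment on the function such as `/* Returns NULL (zoneinfo freed) if a server list cannot be copied */` would record the contract. If the switch runs once per stored property and a record carries the same property twice, the earlier copy stays attached to `zoneinfo` until that is freed; `TALLOC_FREE(zoneinfo->aipLocalMasters);` before the assignment (and likewise for `aipScavengeServers`) would avoid holding both. The function body starts and ends outside the hunk.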