CVE-2018-14629 dns: CNAME loop prevention using counter

Count number of answers generated by internal DNS query routine and stop at 20 to match Microsoft's loop prevention mechanism. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600 Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
author: Aaron Haslett <aaronhaslett@catalyst.net.nz> 2018-10-23 17:25:51 +1300
committer: Karolin Seeger <kseeger@samba.org> 2018-11-28 08:22:23 +0100
commit: 97b426babaa2a812946c77bd841a33c1a9399ab5 (patch)
tree: d66b7c873ecc6f887fb1a6607c122c6735dd04c4 /source4
parent: c3f6085991938488b9e48611b4beb5bdc9cbfb04 (diff)
download: samba-97b426babaa2a812946c77bd841a33c1a9399ab5.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 923f7233eb9..65faeac3b6a 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -40,6 +40,7 @@
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_DNS
+#define MAX_Q_RECURSION_DEPTH 20
 
 struct forwarder_string {
 	const char *forwarder;
@@ -419,6 +420,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	state->answers = answers;
 	state->nsrecs = nsrecs;
 
+	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
+		tevent_req_done(req);
+		return tevent_req_post(req, ev);
+	}
+
 	resolve_cname = ((rec->wType == DNS_TYPE_CNAME) &&
 			 ((question->question_type == DNS_QTYPE_A) ||
 			  (question->question_type == DNS_QTYPE_AAAA)));
author	Aaron Haslett <aaronhaslett@catalyst.net.nz>	2018-10-23 17:25:51 +1300
committer	Karolin Seeger <kseeger@samba.org>	2018-11-28 08:22:23 +0100
commit	97b426babaa2a812946c77bd841a33c1a9399ab5 (patch)
tree	d66b7c873ecc6f887fb1a6607c122c6735dd04c4 /source4
parent	c3f6085991938488b9e48611b4beb5bdc9cbfb04 (diff)
download	samba-97b426babaa2a812946c77bd841a33c1a9399ab5.tar.gz