diff options
author | Aaron Haslett <aaronhaslett@catalyst.net.nz> | 2018-10-23 17:25:51 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-11-28 08:22:23 +0100 |
commit | 97b426babaa2a812946c77bd841a33c1a9399ab5 (patch) | |
tree | d66b7c873ecc6f887fb1a6607c122c6735dd04c4 /source4 | |
parent | c3f6085991938488b9e48611b4beb5bdc9cbfb04 (diff) | |
download | samba-97b426babaa2a812946c77bd841a33c1a9399ab5.tar.gz |
CVE-2018-14629 dns: CNAME loop prevention using counter
Count number of answers generated by internal DNS query routine and stop at
20 to match Microsoft's loop prevention mechanism.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/dns_server/dns_query.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c index 923f7233eb9..65faeac3b6a 100644 --- a/source4/dns_server/dns_query.c +++ b/source4/dns_server/dns_query.c @@ -40,6 +40,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_DNS +#define MAX_Q_RECURSION_DEPTH 20 struct forwarder_string { const char *forwarder; @@ -419,6 +420,11 @@ static struct tevent_req *handle_dnsrpcrec_send( state->answers = answers; state->nsrecs = nsrecs; + if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) { + tevent_req_done(req); + return tevent_req_post(req, ev); + } + resolve_cname = ((rec->wType == DNS_TYPE_CNAME) && ((question->question_type == DNS_QTYPE_A) || (question->question_type == DNS_QTYPE_AAAA))); |