The branch, v4-11-stable has been updated
       via  c9fa9874747 VERSION: Disable GIT_SNAPSHOT for the 4.11.11 release.
       via  1fa951943b5 Add release notes for Samba 4.11.11.
       via  df599b6b790 CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port
       via  4def2dc5547 CVE-2020-10760 dsdb: Ensure a proper talloc tree for saved controls
       via  153c8db09b2 CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
       via  11034ea33fc CVE-2020-14303 Ensure an empty packet will not DoS the NBT server
       via  23e9eb71052 CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
       via  83b00656ea0 CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
       via  507503f80e8 CVE-2020-10745: ndr_dns: do not allow consecutive dots
       via  b687813ac36 CVE-2020-10745: ndr/dns_utils: correct a comment
       via  37cacb8f41b CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
       via  ddeabf87957 CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings
       via  ddd3ed7ce2e CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests
       via  c9fd1dbb131 ldb: Bump version to 2.0.12
       via  303947c58ab CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
       via  ae6e9445ac8 CVE-2020-10730: s4 dsdb vlv_pagination: Prevent repeat call of ldb_module_done
       via  dcf713038ff CVE-2020-10730: s4 dsdb paged_results: Prevent repeat call of ldb_module_done
       via  0c8cd0a9fbd CVE-2020-10730: dsdb: Ban the combination of paged_results and VLV
       via  c7608e43c93 CVE-2020-10730: dsdb: Fix crash when vlv and paged_results are combined
       via  01cce3d1fc6 CVE-2020-10730: selftest: Add test to show that VLV and paged_results are incompatible
       via  3fd7ce69761 CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV
       via  cf10f9b9a9a CVE-2020-10730: selftest: Add test to confirm VLV interaction with ASQ
       via  2041c05d9b4 CVE-2020-10730: vlv: Do not re-ASQ search the results of an ASQ search with VLV
       via  b8628cb4476 CVE-2020-10730: vlv: Use strcmp(), not strncmp() checking the NULL terminated control OIDs
       via  a29be4ffa3b VERSION: Bump version up to 4.11.11...
      from  a905508e09e VERSION: Disable GIT_SNAPSHOT for the 4.11.10 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-stable

- Log -----------------------------------------------------------------
commit c9fa9874747bac838f60b320d201be2f6175ba8b
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Jul 1 10:14:05 2020 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.11.11 release.

    This is a security release in order to address the following CVEs:

    o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
      LDAP Server with ASQ, VLV and paged_results.
    o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
      excessive CPU.
    o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
      paged_results and VLV.
    o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 1fa951943b512c20e2c71b09aa01cdadd4d563a4
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Jul 1 10:13:42 2020 +0200

    Add release notes for Samba 4.11.11.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit df599b6b79010759279eb7f52486f1d0a59d06d3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jun 8 16:32:14 2020 +1200

    CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port

    This should avoid a regression.

    (backported from master patch)
    [abart...@samba.org: sort=True parameter on test_paged_delete_during_search is not in 4.11]

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 4def2dc554754033174c60f5860f51b46d8502c1
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jun 5 22:14:48 2020 +1200

    CVE-2020-10760 dsdb: Ensure a proper talloc tree for saved controls

    Otherwise a paged search on the GC port will fail as the ->data was
    not kept around for the second page of searches.

    An example command to produce this is

     bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD

    This shows up later in the partition module as:

    ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00151ef20 at pc 0x7fec3f801aac bp 0x7ffe8472c270 sp 0x7ffe8472c260
    READ of size 4 at 0x60b00151ef20 thread T0 (ldap(0))
        #0 0x7fec3f801aab in talloc_chunk_from_ptr ../../lib/talloc/talloc.c:526
        #1 0x7fec3f801aab in __talloc_get_name ../../lib/talloc/talloc.c:1559
        #2 0x7fec3f801aab in talloc_check_name ../../lib/talloc/talloc.c:1582
        #3 0x7fec1b86b2e1 in partition_search ../../source4/dsdb/samdb/ldb_modules/partition.c:780

    or

    smb_panic_default: PANIC (pid 13287): Bad talloc magic value - unknown value
    (from source4/dsdb/samdb/ldb_modules/partition.c:780)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14402

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 153c8db09b26455aa9802ff95943dd8a75f31893
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Wed Jun 24 14:27:08 2020 +1200

    CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet

    An empty UDP packet put the nbt server into a busy loop that consumes
    100% of a cpu.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>

commit 11034ea33fca9b8a1c2e14480e70069b55fca6a2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jun 25 11:59:54 2020 +1200

    CVE-2020-14303 Ensure an empty packet will not DoS the NBT server

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 23e9eb71052e02aecf726609db0256c0d93e0b57
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri May 15 10:52:45 2020 +1200

    CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility

    NBT has a funny thing where it sometimes needs to send a trailing dot
    as part of the last component, because the string representation is
    a user name. In DNS, "example.com", and "example.com." are the same,
    both having three components ("example", "com", ""); in NBT, we want
    to treat them differently, with the second form having the three
    components ("example", "com.", "").

    This retains the logic of e6e2ec0001fe3c010445e26cc0efddbc1f73416b.

    Also DNS compression cannot be turned off for NBT.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 83b00656ea0e8cfdce8a9c1cef71e41477e8e6f0
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri May 15 00:06:08 2020 +1200

    CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes

    As per RFC 1035.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 507503f80e8913450364dcd8ab080f3211b6f855
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Sat Apr 25 11:10:18 2020 +1200

    CVE-2020-10745: ndr_dns: do not allow consecutive dots

    The empty subdomain component is reserved for the root domain, which
    we should only (and always) see at the end of the list. That is, we
    expect "example.com.", but never "example..com".

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit b687813ac362ff71085d192a4b7821235345feea
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Sat Apr 25 11:03:30 2020 +1200

    CVE-2020-10745: ndr/dns_utils: correct a comment

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 37cacb8f41b9b2ea19a9c1bbfade4ea250dced46
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Sat Apr 25 11:02:08 2020 +1200

    CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function

    This is because ndr_nbt.c does almost exactly the same thing with
    almost exactly the same code, and they both do it wrong. Soon they
    will both be using the better version that this will become.

    Though in this patch we just move the code, not fix it.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit ddeabf87957ce73e12030977948418c93436a05c
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Jun 12 14:26:38 2020 +1200

    CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings

    These time the push and pull functions in isolation. Timing should be
    under 0.0001 seconds on even quite old hardware; we assert it must be
    under 0.2 seconds.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

    (backported from master commit)
    [abart...@samba.org: backported due to differences in pre-existing tests - eg test_ndr - mentioned in wscript_build and tests.py]

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit ddd3ed7ce2e2776839c463010bd975f01dd0977d
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Thu Jun 11 17:38:51 2020 +1200

    CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests

    The client libraries don't allow us to make packets that are broken
    in certain ways, so we need to construct them as byte strings.

    These tests all fail at present, proving the server is rendered
    unresponsive, which is the crux of CVE-2020-10745.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit c9fd1dbb13175fcda45826f687e834a6d67df4cc
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Fri May 22 09:52:12 2020 +1200

    ldb: Bump version to 2.0.12

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 303947c58abf9311a666fe63ebd4ce26655ff36e
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Wed May 13 10:56:56 2020 +1200

    CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice

    Prevent use after free issues if ldb_lock_backend_callback is called
    twice, usually due to ldb_module_done being called twice. This can
    happen if a module ignores the return value from a function that
    calls ldb_module_done as part of its error handling.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ae6e9445ac8bf8f6870a8caa24406153cd2ee2bf
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Mon May 18 12:37:39 2020 +1200

    CVE-2020-10730: s4 dsdb vlv_pagination: Prevent repeat call of ldb_module_done

    Check the return code from vlv_results, if it is not LDB_SUCCESS
    ldb_module_done has already been called, and SHOULD NOT be called
    again.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dcf713038ff10e35a74ee255f1634be81103e360
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Mon May 18 12:36:57 2020 +1200

    CVE-2020-10730: s4 dsdb paged_results: Prevent repeat call of ldb_module_done

    Check the return code from paged_results, if it is not LDB_SUCCESS
    ldb_module_done has already been called, and SHOULD NOT be called
    again.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0c8cd0a9fbd9d17c1d7219f977ca35f88f0a2ea3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 6 16:18:19 2020 +1200

    CVE-2020-10730: dsdb: Ban the combination of paged_results and VLV

    This (two different paging controls) makes no sense and fails against
    Windows Server 1709.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit c7608e43c933d9a33d94e32371080e64cc1d4fcb
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 6 17:05:30 2020 +1200

    CVE-2020-10730: dsdb: Fix crash when vlv and paged_results are combined

    The GUID is not returned in the DN for some reason in this (to be
    banned) combination.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit 01cce3d1fc69f04cdc237425b2f2ad1f2ac973d4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 6 16:19:01 2020 +1200

    CVE-2020-10730: selftest: Add test to show that VLV and paged_results are incompatible

    As tested against Windows Server 1709

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit 3fd7ce69761fd2e21a85101772196aafc5ae57df
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 5 16:34:11 2020 +1200

    CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV

    This is essentially an alternative patch, but without the correct
    behaviour. Instead this just avoids a segfault.

    Included in case we have something similar again in another module.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit cf10f9b9a9a2f94afc526995a4034c1c6f05f5b4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 5 13:16:48 2020 +1200

    CVE-2020-10730: selftest: Add test to confirm VLV interaction with ASQ

    Tested against Windows 1709.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit 2041c05d9b41fb0255c3492d118628c14a0c4b3d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 5 12:55:57 2020 +1200

    CVE-2020-10730: vlv: Do not re-ASQ search the results of an ASQ search with VLV

    This is a silly combination, but at least try and keep the results
    sensible and avoid a double-dereference.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit b8628cb44766ac4c4817b1a50f09ca316425bd8b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 5 12:54:59 2020 +1200

    CVE-2020-10730: vlv: Use strcmp(), not strncmp() checking the NULL terminated control OIDs

    The end result is the same, as sizeof() includes the trailing NUL,
    but this avoids having to think about that.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit a29be4ffa3bf9adcfe8ac73429f60bc9270ad2e8
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Jun 24 12:35:39 2020 +0200

    VERSION: Bump version up to 4.11.11...

    and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <ksee...@samba.org> (cherry picked from commit 08a51254198537395e9a6ea7a98fd627a491bf15) ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 88 +++++++- lib/ldb/ABI/{ldb-2.0.10.sigs => ldb-2.0.12.sigs} | 0 ...ldb-util-1.1.10.sigs => pyldb-util-2.0.12.sigs} | 0 lib/ldb/common/ldb.c | 9 +- lib/ldb/wscript | 2 +- libcli/nbt/nbtsocket.c | 17 +- librpc/ndr/ndr_dns.c | 80 +------ librpc/ndr/ndr_dns_utils.c | 134 ++++++++++++ librpc/ndr/ndr_dns_utils.h | 6 + librpc/ndr/ndr_nbt.c | 72 +------ librpc/tests/test_ndr_dns_nbt.c | 236 +++++++++++++++++++++ librpc/wscript_build | 16 +- python/samba/tests/dns_packet.py | 230 ++++++++++++++++++++ .../__init__.py => selftest/knownfail.d/dns_packet | 0 selftest/knownfail.d/vlv | 2 +- source4/dsdb/samdb/ldb_modules/paged_results.c | 65 +++++- source4/dsdb/samdb/ldb_modules/vlv_pagination.c | 102 +++++++-- source4/dsdb/tests/python/asq.py | 54 +++++ source4/dsdb/tests/python/vlv.py | 184 ++++++++++------ source4/selftest/tests.py | 12 ++ 21 files changed, 1076 insertions(+), 235 deletions(-) copy lib/ldb/ABI/{ldb-2.0.10.sigs => ldb-2.0.12.sigs} (100%) copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-2.0.12.sigs} (100%) create mode 100644 librpc/ndr/ndr_dns_utils.c create mode 100644 librpc/ndr/ndr_dns_utils.h create mode 100644 librpc/tests/test_ndr_dns_nbt.c create mode 100644 python/samba/tests/dns_packet.py copy buildtools/wafsamba/__init__.py => selftest/knownfail.d/dns_packet (100%) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index a365113cf15..54f3b5842d6 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=11 -SAMBA_VERSION_RELEASE=10 +SAMBA_VERSION_RELEASE=11 ######################################################## # If a official release has a serious bug # 
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c3f04c7993a..b9a6ac2e537 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,87 @@ + =============================== + Release Notes for Samba 4.11.11 + July 02, 2020 + =============================== + + +This is a security release in order to address the following defects: + +o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC + LDAP Server with ASQ, VLV and paged_results. +o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume + excessive CPU +o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with + paged_results and VLV. +o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd. + + +======= +Details +======= + +o CVE-2020-10730: + A client combining the 'ASQ' and 'VLV' LDAP controls can cause a NULL pointer + de-reference and further combinations with the LDAP paged_results feature can + give a use-after-free in Samba's AD DC LDAP server. + +o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume + excessive CPU. + +o CVE-2020-10760: + The use of the paged_results or VLV controls against the Global Catalog LDAP + server on the AD DC will cause a use-after-free. + +o CVE-2020-14303: + The AD DC NBT server in Samba 4.0 will enter a CPU spin and not process + further requests once it receives an empty (zero-length) UDP packet to + port 137. + +For more details, please refer to the security advisories. + + +Changes since 4.11.10 +--------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 14378: CVE-2020-10745: Invalid DNS or NBT queries containing dots use + several seconds of CPU each. + +o Andrew Bartlett <abart...@samba.org> + * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ + and VLV combined. + * BUG 14402: CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP + server with paged_result or VLV. + * BUG 14417: CVE-2020-14303: Fix endless loop from empty UDP packet sent to + AD DC nbt_server. 
+ +o Gary Lockyer <g...@catalyst.net.nz> + * BUG 14364: CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ + and VLV combined, ldb: Bump version to 2.1.4. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + =============================== Release Notes for Samba 4.11.10 June 30, 2020 @@ -54,8 +138,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================== Release Notes for Samba 4.11.9 diff --git a/lib/ldb/ABI/ldb-2.0.10.sigs b/lib/ldb/ABI/ldb-2.0.12.sigs similarity index 100% copy from lib/ldb/ABI/ldb-2.0.10.sigs copy to lib/ldb/ABI/ldb-2.0.12.sigs diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-2.0.12.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs copy to lib/ldb/ABI/pyldb-util-2.0.12.sigs diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c index 95e9138a56b..2d0926ffaf9 100644 --- a/lib/ldb/common/ldb.c +++ b/lib/ldb/common/ldb.c 
@@ -1018,6 +1018,13 @@ static int ldb_lock_backend_callback(struct ldb_request *req, struct ldb_db_lock_context *lock_context; int ret; + if (req->context == NULL) { + /* + * The usual way to get here is to ignore the return codes + * and continuing processing after an error. + */ + abort(); + } lock_context = talloc_get_type(req->context, struct ldb_db_lock_context); @@ -1032,7 +1039,7 @@ static int ldb_lock_backend_callback(struct ldb_request *req, * If this is a LDB_REPLY_DONE or an error, unlock the * DB by calling the destructor on this context */ - talloc_free(lock_context); + TALLOC_FREE(req->context); return ret; } diff --git a/lib/ldb/wscript b/lib/ldb/wscript index aeb6cfa6c45..da2b935d102 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -1,7 +1,7 @@ #!/usr/bin/env python APPNAME = 'ldb' -VERSION = '2.0.11' +VERSION = '2.0.12' import sys, os diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c index 33d53fba993..8aecaf73247 100644 --- a/libcli/nbt/nbtsocket.c +++ b/libcli/nbt/nbtsocket.c @@ -167,8 +167,23 @@ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock) return; } + /* + * Given a zero length, data_blob_talloc() returns the + * NULL blob {NULL, 0}. + * + * We only want to error return here on a real out of memory condition + * (i.e. dsize != 0, so the UDP packet has data, but the return of the + * allocation failed, so blob.data==NULL). + * + * Given an actual zero length UDP packet having blob.data == NULL + * isn't an out of memory error condition, that's the defined semantics + * of data_blob_talloc() when asked for zero bytes. + * + * We still need to continue to do the zero-length socket_recvfrom() + * read in order to clear the "read pending" condition on the socket. + */ blob = data_blob_talloc(tmp_ctx, NULL, dsize); - if (blob.data == NULL) { + if (blob.data == NULL && dsize != 0) { talloc_free(tmp_ctx); return; } diff --git a/librpc/ndr/ndr_dns.c b/librpc/ndr/ndr_dns.c index d37c8cc2ece..966e0b59786 100644 
--- a/librpc/ndr/ndr_dns.c +++ b/librpc/ndr/ndr_dns.c @@ -33,6 +33,7 @@ #include "librpc/gen_ndr/ndr_dnsp.h" #include "system/locale.h" #include "lib/util/util_net.h" +#include "ndr_dns_utils.h" /* don't allow an unlimited number of name components */ #define MAX_COMPONENTS 128 
@@ -159,80 +160,11 @@ _PUBLIC_ enum ndr_err_code ndr_push_dns_string(struct ndr_push *ndr, int ndr_flags, const char *s) { - if (!(ndr_flags & NDR_SCALARS)) { - return NDR_ERR_SUCCESS; - } - - while (s && *s) { - enum ndr_err_code ndr_err; - char *compname; - size_t complen; - uint32_t offset; - - if (!(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION)) { - /* see if we have pushed the remaining string already, - * if so we use a label pointer to this string - */ - ndr_err = ndr_token_retrieve_cmp_fn(&ndr->dns_string_list, s, - &offset, - (comparison_fn_t)strcmp, - false); - if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - uint8_t b[2]; - - if (offset > 0x3FFF) { - return ndr_push_error(ndr, NDR_ERR_STRING, - "offset for dns string " \ - "label pointer " \ - "%u[%08X] > 0x00003FFF", - offset, offset); - } - - b[0] = 0xC0 | (offset>>8); - b[1] = (offset & 0xFF); - - return ndr_push_bytes(ndr, b, 2); - } - } - - complen = strcspn(s, "."); - - /* we need to make sure the length fits into 6 bytes */ - if (complen > 0x3F) { - return ndr_push_error(ndr, NDR_ERR_STRING, - "component length %u[%08X] > " \ - "0x0000003F", - (unsigned)complen, - (unsigned)complen); - } - - compname = talloc_asprintf(ndr, "%c%*.*s", - (unsigned char)complen, - (unsigned char)complen, - (unsigned char)complen, s); - NDR_ERR_HAVE_NO_MEMORY(compname); - - /* remember the current component + the rest of the string - * so it can be reused later - */ - if (!(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION)) { - NDR_CHECK(ndr_token_store(ndr, &ndr->dns_string_list, s, - ndr->offset)); - } - - /* push just this component into the blob */ - NDR_CHECK(ndr_push_bytes(ndr, (const uint8_t *)compname, - complen+1)); - talloc_free(compname); - - s += complen; - if (*s == '.') s++; - } - - /* if we reach the end of the string and have pushed the last component - * without using a label pointer, we need to terminate the string - */ - return ndr_push_bytes(ndr, (const uint8_t *)"", 1); + return ndr_push_dns_string_list(ndr, + 
&ndr->dns_string_list, + ndr_flags, + s, + false); } _PUBLIC_ enum ndr_err_code ndr_pull_dns_txt_record(struct ndr_pull *ndr, int ndr_flags, struct dns_txt_record *r) diff --git a/librpc/ndr/ndr_dns_utils.c b/librpc/ndr/ndr_dns_utils.c new file mode 100644 index 00000000000..325d9c68bea --- /dev/null +++ b/librpc/ndr/ndr_dns_utils.c 
@@ -0,0 +1,134 @@ +#include "includes.h" +#include "../librpc/ndr/libndr.h" +#include "ndr_dns_utils.h" + + +/** + push a dns/nbt string list to the wire +*/ +enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr, + struct ndr_token_list *string_list, + int ndr_flags, + const char *s, + bool is_nbt) +{ + const char *start = s; + bool use_compression; + size_t max_length; + if (is_nbt) { + use_compression = true; + /* + * Max length is longer in NBT/Wins, because Windows counts + * the semi-decompressed size of the netbios name (16 bytes) + * rather than the wire size of 32, which is what you'd expect + * if it followed RFC1002 (it uses the short form in + * [MS-WINSRA]). In other words the maximum size of the + * "scope" is 237, not 221. + * + * We make the size limit slightly larger than 255 + 16, + * because the 237 scope limit is already enforced in the + * winsserver code with a specific return value; bailing out + * here would muck with that. + */ + max_length = 274; + } else { + use_compression = !(ndr->flags & LIBNDR_FLAG_NO_COMPRESSION); + max_length = 255; + } + + if (!(ndr_flags & NDR_SCALARS)) { + return NDR_ERR_SUCCESS; + } + + while (s && *s) { + enum ndr_err_code ndr_err; + char *compname; + size_t complen; + uint32_t offset; + + if (use_compression) { + /* see if we have pushed the remaining string already, + * if so we use a label pointer to this string + */ + ndr_err = ndr_token_retrieve_cmp_fn(string_list, s, + &offset, + (comparison_fn_t)strcmp, + false); + if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + uint8_t b[2]; + + if (offset > 0x3FFF) { + return ndr_push_error(ndr, NDR_ERR_STRING, + "offset for dns string " \ + "label pointer " \ + "%u[%08X] > 0x00003FFF", + offset, offset); + } + + b[0] = 0xC0 | (offset>>8); + b[1] = (offset & 0xFF); + + return ndr_push_bytes(ndr, b, 2); + } + } + + complen = strcspn(s, "."); + + /* the length must fit into 6 bits (i.e. 
<= 63) */ + if (complen > 0x3F) { + return ndr_push_error(ndr, NDR_ERR_STRING, + "component length %u[%08X] > " \ + "0x0000003F", + (unsigned)complen, + (unsigned)complen); + } + + if (complen == 0 && s[complen] == '.') { + return ndr_push_error(ndr, NDR_ERR_STRING, + "component length is 0 " + "(consecutive dots)"); + } + + if (is_nbt && s[complen] == '.' && s[complen + 1] == '\0') { + /* nbt names are sometimes usernames, and we need to + * keep a trailing dot to ensure it is byte-identical, + * (not just semantically identical given DNS + * semantics). */ + complen++; + } + + compname = talloc_asprintf(ndr, "%c%*.*s", + (unsigned char)complen, + (unsigned char)complen, + (unsigned char)complen, s); + NDR_ERR_HAVE_NO_MEMORY(compname); + + /* remember the current component + the rest of the string + * so it can be reused later + */ + if (use_compression) { + NDR_CHECK(ndr_token_store(ndr, string_list, s, + ndr->offset)); + } + + /* push just this component into the blob */ + NDR_CHECK(ndr_push_bytes(ndr, (const uint8_t *)compname, + complen+1)); + talloc_free(compname); + + s += complen; + if (*s == '.') { + s++; + } + if (s - start > max_length) { + return ndr_push_error(ndr, NDR_ERR_STRING, + "name > %zu character long", + max_length); + } + } + + /* if we reach the end of the string and have pushed the last component + * without using a label pointer, we need to terminate the string + */ + return ndr_push_bytes(ndr, (const uint8_t *)"", 1); +} diff --git a/librpc/ndr/ndr_dns_utils.h b/librpc/ndr/ndr_dns_utils.h new file mode 100644 index 00000000000..71a65433bbb --- /dev/null +++ b/librpc/ndr/ndr_dns_utils.h @@ -0,0 +1,6 @@ + +enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr, + struct ndr_token_list *string_list, + int ndr_flags, + const char *s, + bool is_nbt); diff --git a/librpc/ndr/ndr_nbt.c b/librpc/ndr/ndr_nbt.c index 838f947a168..e8dd7549a53 100644 --- a/librpc/ndr/ndr_nbt.c +++ b/librpc/ndr/ndr_nbt.c 
@@ -25,6 +25,8 @@ #include "includes.h" #include "../libcli/nbt/libnbt.h" #include "../libcli/netlogon/netlogon.h" +#include "ndr_dns_utils.h" + /* don't allow an unlimited number of name components */ #define MAX_COMPONENTS 128 @@ -141,71 +143,11 @@ _PUBLIC_ enum ndr_err_code ndr_pull_nbt_string(struct ndr_pull *ndr, int ndr_fla */ _PUBLIC_ enum ndr_err_code ndr_push_nbt_string(struct ndr_push *ndr, int ndr_flags, const char *s) { - if (!(ndr_flags & NDR_SCALARS)) { - return NDR_ERR_SUCCESS; - } - - while (s && *s) { - enum ndr_err_code ndr_err; - char *compname; - size_t complen; - uint32_t offset; - - /* see if we have pushed the remaining string already, - * if so we use a label pointer to this string - */ - ndr_err = ndr_token_retrieve_cmp_fn(&ndr->nbt_string_list, s, &offset, (comparison_fn_t)strcmp, false); - if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - uint8_t b[2]; - - if (offset > 0x3FFF) { - return ndr_push_error(ndr, NDR_ERR_STRING, - "offset for nbt string label pointer %u[%08X] > 0x00003FFF", - offset, offset); - } - - b[0] = 0xC0 | (offset>>8); - b[1] = (offset & 0xFF); - - return ndr_push_bytes(ndr, b, 2); - } - - complen = strcspn(s, "."); - - /* we need to make sure the length fits into 6 bytes */ - if (complen > 0x3F) { - return ndr_push_error(ndr, NDR_ERR_STRING, - "component length %u[%08X] > 0x0000003F", - (unsigned)complen, (unsigned)complen); - } - - if (s[complen] == '.' && s[complen+1] == '\0') { - complen++; -- Samba Shared Repository
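Review bot: in the WHATSNEW.txt hunk, the Gary Lockyer entry under "Changes since 4.11.10" says "ldb: Bump version to 2.1.4", but the lib/ldb/wscript hunk in this same changeset sets `VERSION = '2.0.12'`, the ABI files are copied to ldb-2.0.12.sigs / pyldb-util-2.0.12.sigs, and the commit is titled "ldb: Bump version to 2.0.12"; the release note should say 2.0.12 so packagers tracking the ldb soname for the 4.11 branch are not sent looking for a 2.1.x tarball. Minor: the CVE-2020-10745 bullet in the summary list is the only one without a trailing period.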
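Review bot: in the lib/ldb/common/ldb.c hunk, the new `abort()` for `req->context == NULL` turns a second ldb_lock_backend_callback() call into a deliberate crash of the whole process linking libldb (on the AD DC, the LDAP server itself), which is the right trade against a use-after-free, but nothing is logged first, so an operator gets a core file with no indication of which request or module double-called ldb_module_done; emit a fatal-level log line before the abort, and state in the comment that aborting is intentional. The comment also needs a grammar fix: "and continuing processing after an error" should read "and continue processing after an error". It is worth noting in the same comment that the switch from `talloc_free(lock_context)` to `TALLOC_FREE(req->context)` is what makes the second call detectable, since it NULLs `req->context` rather than leaving a dangling pointer.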
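Review bot: in the libcli/nbt/nbtsocket.c hunk, the relaxed test `blob.data == NULL && dsize != 0` correctly stops a zero-length datagram from being mistaken for an allocation failure, but the hunk ends at that check while the new comment promises that the zero-length socket_recvfrom() is still performed to clear the read-pending condition; the reviewer needs to see that a `dsize == 0` packet is then dropped before it reaches the NBT packet parser rather than being pulled as a {NULL, 0} blob. Either add an explicit `if (dsize == 0) { talloc_free(tmp_ctx); return; }` after the recvfrom, or reference the existing line that discards it, so the fix does not silently depend on the pull code tolerating an empty blob.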
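Review bot: the new librpc/ndr/ndr_dns_utils.c starts directly at `#include "includes.h"` with no copyright or licence header, whereas the ndr_nbt.c and ndr_dns.c hunks show their includes beginning at lines 25 and 33, i.e. after the usual header block; add it before this lands on a release branch. On the logic, `if (s - start > max_length)` measures characters consumed from the input string, not octets written to the wire: each label costs its length plus one, and the terminator adds one more, so a name with no trailing dot encodes to input length + 2 octets. A 254- or 255-character DNS name therefore passes this check and still produces a 256- or 257-octet wire name, which is over the RFC 1035 limit the commit message ("forbid names longer than 255 bytes") says it enforces; compare `ndr->offset` against the offset recorded at entry, or lower the constant, if the wire limit is the intent. Nit: "name > %zu character long" should be "characters".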
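Review bot: the new librpc/ndr/ndr_dns_utils.h has no include guard and no licence header, and it is now included from both ndr_dns.c and ndr_nbt.c; wrap the prototype in `#ifndef NDR_DNS_UTILS_H` / `#define NDR_DNS_UTILS_H` / `#endif` as is usual for a shared header, and add a short comment on `is_nbt`, since that one flag changes both the compression behaviour (always on for NBT) and the maximum name length (274 instead of 255), which a caller would not guess from the signature.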
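As an added illustration that is not Samba code and not part of this commit mail, the Python below models the name encoder that ndr_push_dns_string_list() becomes after this changeset, with the same rules visible in the hunk: labels of at most 63 octets, rejection of empty labels (leading or consecutive dots), the 255-character DNS and 274-character NBT ceilings, 14-bit compression pointers, and the NBT habit of keeping a trailing dot inside the last label. It adds a decoder that only follows pointers backwards so a crafted packet cannot make it loop, which is the kind of guard the pull side needs. The `out` buffer standing in for the whole packet, the `offsets` dictionary, and the helper names are this example's own assumptions, not Samba APIs.

```python
"""DNS/NBT name wire encoding and decoding with the limits from the
Samba 4.11.11 ndr_push_dns_string_list() change (CVE-2020-10745).

Added illustration only; not Samba code.  The bytearray passed as `out`
stands in for the whole packet, so compression-pointer offsets are
offsets into that buffer (an assumption of this example).
"""

MAX_LABEL = 0x3F        # label length must fit in 6 bits
MAX_DNS_NAME = 255      # the patch's DNS limit, measured in input characters
MAX_NBT_NAME = 274      # the patch's looser NBT/WINS allowance
MAX_POINTER = 0x3FFF    # 14-bit compression pointer
MAX_COMPONENTS = 128    # same cap as MAX_COMPONENTS in ndr_dns.c / ndr_nbt.c


class BadName(ValueError):
    """Raised for a name the encoder or decoder refuses."""


def push_name(s, is_nbt=False, out=None, offsets=None, compress=True):
    """Append the wire form of `s` to `out` and return the buffer as bytes.

    `offsets` maps a suffix string (e.g. "example.com") to the offset at
    which it was already written, so a later name can end in a pointer.
    NBT always compresses and keeps a trailing dot in the last label;
    DNS encodes "example.com" and "example.com." identically.
    """
    out = bytearray() if out is None else out
    offsets = {} if offsets is None else offsets
    use_compression = True if is_nbt else compress
    max_length = MAX_NBT_NAME if is_nbt else MAX_DNS_NAME
    pos = 0
    while pos < len(s):
        rest = s[pos:]
        if use_compression and rest in offsets:
            off = offsets[rest]
            if off > MAX_POINTER:
                raise BadName("pointer offset %#x exceeds 0x3FFF" % off)
            out += bytes([0xC0 | (off >> 8), off & 0xFF])
            return bytes(out)           # a pointer ends the name, no terminator
        dot = rest.find(".")
        complen = len(rest) if dot < 0 else dot
        if complen > MAX_LABEL:
            raise BadName("label longer than 63 octets")
        if complen == 0:                # rest starts with '.', i.e. an empty label
            raise BadName("empty label (leading or consecutive dots)")
        if is_nbt and dot == len(rest) - 1:
            complen += 1                # NBT: trailing dot belongs to the last label
        if use_compression:
            offsets[rest] = len(out)    # remember this suffix at its length byte
        out.append(complen)
        out += rest[:complen].encode("ascii")
        pos += complen
        if pos < len(s) and s[pos] == ".":
            pos += 1
        if pos > max_length:
            raise BadName("name longer than %d characters" % max_length)
    out.append(0)
    return bytes(out)


def pull_name(packet, offset):
    """Decode the name at `offset`, following compression pointers.

    Every pointer must land strictly before the previous jump point (or
    the name's start), so a crafted packet cannot send the decoder in a
    cycle; the label count is capped like Samba's MAX_COMPONENTS.
    """
    labels = []
    pos = offset
    limit = offset
    while True:
        if pos >= len(packet):
            raise BadName("name runs past end of packet")
        length = packet[pos]
        if (length & 0xC0) == 0xC0:
            if pos + 1 >= len(packet):
                raise BadName("truncated pointer")
            target = ((length & 0x3F) << 8) | packet[pos + 1]
            if target >= limit:
                raise BadName("pointer does not point backwards")
            limit = pos = target
            continue
        if length > MAX_LABEL:
            raise BadName("bad label length byte %#x" % length)
        if length == 0:
            return ".".join(labels)
        if len(labels) >= MAX_COMPONENTS:
            raise BadName("too many components")
        end = pos + 1 + length
        if end > len(packet):
            raise BadName("label runs past end of packet")
        labels.append(packet[pos + 1:end].decode("ascii"))
        pos = end


def rejects(name, is_nbt=False):
    """True if push_name() refuses `name`."""
    try:
        push_name(name, is_nbt=is_nbt)
    except BadName:
        return True
    return False


def pull_safe(packet, offset):
    """Decoded name, or None if pull_name() refuses the packet."""
    try:
        return pull_name(packet, offset)
    except BadName:
        return None
```

The two wire forms worth comparing are `push_name("example.com.")`, which is identical to the form without the dot, and `push_name("example.com.", is_nbt=True)`, whose last label is the four bytes `com.`; the pointer check in `pull_name` is what a pull-side parser needs so that a packet such as `\x01a\xc0\x00` read from offset 2 fails instead of spinning.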