CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Thu, 14 May 2020 12:06:08 +0000 (00:06 +1200)
committerKarolin Seeger <kseeger@samba.org>
Thu, 2 Jul 2020 09:01:41 +0000 (09:01 +0000)
As per RFC 1035.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
librpc/ndr/ndr_dns_utils.c
selftest/knownfail.d/ndr_dns_nbt

index 6931dac422d038f16ebc3b8f1c5f563e547e1a0b..b7f11dbab4e967d892a0ff200dbdd978f1306fb5 100644 (file)
@@ -11,6 +11,8 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
                                           int ndr_flags,
                                           const char *s)
 {
+       const char *start = s;
+
        if (!(ndr_flags & NDR_SCALARS)) {
                return NDR_ERR_SUCCESS;
        }
@@ -84,7 +86,13 @@ enum ndr_err_code ndr_push_dns_string_list(struct ndr_push *ndr,
                talloc_free(compname);
 
                s += complen;
-               if (*s == '.') s++;
+               if (*s == '.') {
+                       s++;
+               }
+               if (s - start > 255) {
+                       return ndr_push_error(ndr, NDR_ERR_STRING,
+                                             "name > 255 character long");
+               }
        }
 
        /* if we reach the end of the string and have pushed the last component
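Review bot: The new bound `s - start > 255` counts bytes of the input string consumed so far (labels plus their dots), not octets of the encoded name, while RFC 1035's 255-octet limit also covers the per-label length octets and the terminating root label. If that reading is right, an input of 254 or 255 text bytes passes this check yet encodes to more than 255 octets; consider tightening the comparison, or at least add a comment such as `/* counts presentation-format bytes incl. dots; the wire form can be up to 2 octets longer */` so the unit is explicit. The check also sits after `talloc_free(compname)`, so it appears to run only once the component has already been pushed, and a rejected name may leave a partial encoding in the push buffer; it is worth confirming that callers discard the buffer on NDR_ERR_STRING. The message would read better as `"name > 255 characters long"`. The loop header and the rest of ndr_push_dns_string_list lie outside the hunk, so the points above are inferred from the visible lines only.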
index e11c121b7a7b7238a1a96c591763e975714fc497..603395c8c502bd48f959acd55bd7b0a92c3ff528 100644 (file)
@@ -1,3 +1,2 @@
-librpc.ndr.ndr_dns_nbt.test_ndr_dns_string_half_dots
 librpc.ndr.ndr_dns_nbt.test_ndr_nbt_string_all_dots
 librpc.ndr.ndr_dns_nbt.test_ndr_nbt_string_half_dots