samba/0009-CVE-2022-32743-s4-rpc_server-netlogon-Remove-dNSHost.patch

From d07641fc5a7d2fa323e6d6fe3223da3a6d682405 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 2 Jun 2022 17:11:08 +1200
Subject: [PATCH 09/15] CVE-2022-32743 s4:rpc_server/netlogon: Remove
 dNSHostName prefix check

This check is not exhaustive (it does not check the suffix of the
dNSHostName), and should be covered by a validated write check in
acl_modify().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---
 selftest/knownfail.d/netlogon-dns-host-name   |  5 +++++
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 21 ++-------------------
 2 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/selftest/knownfail.d/netlogon-dns-host-name b/selftest/knownfail.d/netlogon-dns-host-name
index 0164a7c..d6a8aa2 100644
--- a/selftest/knownfail.d/netlogon-dns-host-name
+++ b/selftest/knownfail.d/netlogon-dns-host-name
@@ -1,4 +1,6 @@
 ^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_suffix\(
+^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_validated_write\(
+^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_write_property\(
 ^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_with_flag\(
 ^samba4.rpc.netlogon on ncacn_ip_tcp with bigendian.netlogon.GetDomainInfo\(
 ^samba4.rpc.netlogon on ncacn_ip_tcp with seal,padcheck.netlogon.GetDomainInfo\(
@@ -6,6 +8,9 @@
 ^samba4.rpc.netlogon on ncacn_np with bigendian.netlogon.GetDomainInfo\(
 ^samba4.rpc.netlogon on ncacn_np with seal,padcheck.netlogon.GetDomainInfo\(
 ^samba4.rpc.netlogon on ncacn_np with validate.netlogon.GetDomainInfo\(
+^samba4.rpc.netlogon on ncalrpc with bigendian.netlogon.GetDomainInfo\(
+^samba4.rpc.netlogon on ncalrpc with seal,padcheck.netlogon.GetDomainInfo\(
+^samba4.rpc.netlogon on ncalrpc with validate.netlogon.GetDomainInfo\(
 ^samba4.rpc.netlogon with bigendian.netlogon.GetDomainInfo\(
 ^samba4.rpc.netlogon with seal,padcheck.netlogon.GetDomainInfo\(
 ^samba4.rpc.netlogon with validate.netlogon.GetDomainInfo\(
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index eab57da..2d5fc8b 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2413,7 +2413,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
 	};
 	const char * const attrs2[] = { "sAMAccountName", "dNSHostName",
 		"msDS-SupportedEncryptionTypes", NULL };
-	const char *sam_account_name, *old_dns_hostname, *prefix1, *prefix2;
+	const char *sam_account_name, *old_dns_hostname;
 	struct ldb_context *sam_ctx;
 	const struct GUID *our_domain_guid = NULL;
 	struct lsa_TrustDomainInfoInfoEx *our_tdo = NULL;
@@ -2483,24 +2483,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
 			return NT_STATUS_INTERNAL_DB_CORRUPTION;
 		}
 
-		/*
-		 * Checks that the sam account name without a possible "$"
-		 * matches as prefix with the DNS hostname in the workstation
-		 * info structure.
-		 */
-		prefix1 = talloc_strndup(mem_ctx, sam_account_name,
-					 strcspn(sam_account_name, "$"));
-		NT_STATUS_HAVE_NO_MEMORY(prefix1);
-		if (r->in.query->workstation_info->dns_hostname != NULL) {
-			prefix2 = talloc_strndup(mem_ctx,
-						 r->in.query->workstation_info->dns_hostname,
-						 strcspn(r->in.query->workstation_info->dns_hostname, "."));
-			NT_STATUS_HAVE_NO_MEMORY(prefix2);
-
-			if (strcasecmp(prefix1, prefix2) != 0) {
-				update_dns_hostname = false;
-			}
-		} else {
+		if (r->in.query->workstation_info->dns_hostname == NULL) {
 			update_dns_hostname = false;
 		}
 
-- 
1.8.3.1