samba/0002-CVE-2020-14383.patch

From 8e09649351e9e8143b4bd0b76bcbd2cfb4d2f281 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Fri, 21 Aug 2020 17:23:17 +1200
Subject: [PATCH] CVE-2020-14383: s4/dns: do not crash when additional data not
 found
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Found by Francis Brosnan BlÃ¡zquez <francis@aspl.es>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184

(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379)
---
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
index ec610168266..88efc01f154 100644
--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
@@ -1859,8 +1859,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
 	/* Add any additional records */
 	if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
 		for (i=0; i<add_count; i++) {
-			struct dnsserver_zone *z2;
-
+			struct dnsserver_zone *z2 = NULL;
+			struct ldb_message *msg = NULL;
 			/* Search all the available zones for additional name */
 			for (z2 = dsstate->zones; z2; z2 = z2->next) {
 				char *encoded_name;
@@ -1877,6 +1877,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
 					continue;
 				}
 				if (res->count == 1) {
+					msg = res->msgs[0];
 					break;
 				} else {
 					TALLOC_FREE(res);
@@ -1892,7 +1893,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
 			}
 			status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,
 							select_flag, rname,
-							res->msgs[0], 0, recs,
+							msg, 0, recs,
 							NULL, NULL);
 			TALLOC_FREE(rname);
 			TALLOC_FREE(res);
-- 
2.29.2
fix CVE-2020-14318 CVE-2020-14323 CVE-2020-14383 2021-03-27 09:46:39 +08:00			`From 8e09649351e9e8143b4bd0b76bcbd2cfb4d2f281 Mon Sep 17 00:00:00 2001`
			`From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>`
			`Date: Fri, 21 Aug 2020 17:23:17 +1200`
			`Subject: [PATCH] CVE-2020-14383: s4/dns: do not crash when additional data not`
			`found`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=utf8`
			`Content-Transfer-Encoding: 8bit`

			`Found by Francis Brosnan BlÃ¡zquez <francis@aspl.es>.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472`
			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795`

			`Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>`
			`Reviewed-by: Jeremy Allison <jra@samba.org>`

			`Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>`
			`Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184`

			`(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379)`
			`---`
			`source4/rpc_server/dnsserver/dcerpc_dnsserver.c \| 7 ++++---`
			`1 file changed, 4 insertions(+), 3 deletions(-)`

			`diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c`
			`index ec610168266..88efc01f154 100644`
			`--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c`
			`+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c`
			`@@ -1859,8 +1859,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,`
			`/* Add any additional records */`
			`if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {`
			`for (i=0; i<add_count; i++) {`
			`- struct dnsserver_zone *z2;`
			`-`
			`+ struct dnsserver_zone *z2 = NULL;`
			`+ struct ldb_message *msg = NULL;`
			`/* Search all the available zones for additional name */`
			`for (z2 = dsstate->zones; z2; z2 = z2->next) {`
			`char *encoded_name;`
			`@@ -1877,6 +1877,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,`
			`continue;`
			`}`
			`if (res->count == 1) {`
			`+ msg = res->msgs[0];`
			`break;`
			`} else {`
			`TALLOC_FREE(res);`
			`@@ -1892,7 +1893,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,`
			`}`
			`status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,`
			`select_flag, rname,`
			`- res->msgs[0], 0, recs,`
			`+ msg, 0, recs,`
			`NULL, NULL);`
			`TALLOC_FREE(rname);`
			`TALLOC_FREE(res);`
			`--`
			`2.29.2`