mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
dnsserver: Tighten DNS name checking
Add checks for the maximum permitted length, maximum number of labels and the maximum label length. These extra checks will be used by the DNS wild card handling. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
parent
1184770a76
commit
34acf5a992
@ -18,6 +18,9 @@ import "misc.idl", "dnsp.idl";
|
|||||||
interface dns
|
interface dns
|
||||||
{
|
{
|
||||||
const int DNS_SERVICE_PORT = 53;
|
const int DNS_SERVICE_PORT = 53;
|
||||||
|
const int DNS_MAX_LABELS = 127;
|
||||||
|
const int DNS_MAX_DOMAIN_LENGTH = 253;
|
||||||
|
const int DNS_MAX_LABEL_LENGTH = 63;
|
||||||
|
|
||||||
typedef [public,bitmap16bit] bitmap {
|
typedef [public,bitmap16bit] bitmap {
|
||||||
DNS_RCODE = 0x000F,
|
DNS_RCODE = 0x000F,
|
||||||
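Review bot: The three new limits are added without a comment saying which form of a DNS name they bound. 253 and 63 are the usual limits for the dotted text form (RFC 1035 caps the wire form at 255 octets and a label at 63), and whether 253 is meant to include a trailing dot decides how the length comparison in the name check should be written. A one-line comment above the constants, such as `/* Limits for names in presentation (dotted text) form, excluding any trailing dot */`, would remove the ambiguity, assuming that is the intent.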
|
@ -246,26 +246,49 @@ static int rec_cmp(const struct dnsp_DnssrvRpcRecord *r1,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check for valid DNS names. These are names which are non-empty, do not
|
* Check for valid DNS names. These are names which:
|
||||||
* start with a dot and do not have any empty segments.
|
* - are non-empty
|
||||||
|
* - do not start with a dot
|
||||||
|
* - do not have any empty labels
|
||||||
|
* - have no more than 127 labels
|
||||||
|
* - are no longer than 253 characters
|
||||||
|
* - none of the labels exceed 63 characters
|
||||||
*/
|
*/
|
||||||
WERROR dns_name_check(TALLOC_CTX *mem_ctx, size_t len, const char *name)
|
WERROR dns_name_check(TALLOC_CTX *mem_ctx, size_t len, const char *name)
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
|
unsigned int labels = 0;
|
||||||
|
unsigned int label_len = 0;
|
||||||
|
|
||||||
if (len == 0) {
|
if (len == 0) {
|
||||||
return WERR_DS_INVALID_DN_SYNTAX;
|
return WERR_DS_INVALID_DN_SYNTAX;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (len > 1 && name[0] == '.') {
|
||||||
|
return WERR_DS_INVALID_DN_SYNTAX;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((len - 1) > DNS_MAX_DOMAIN_LENGTH) {
|
||||||
|
return WERR_DS_INVALID_DN_SYNTAX;
|
||||||
|
}
|
||||||
|
|
||||||
for (i = 0; i < len - 1; i++) {
|
for (i = 0; i < len - 1; i++) {
|
||||||
if (name[i] == '.' && name[i+1] == '.') {
|
if (name[i] == '.' && name[i+1] == '.') {
|
||||||
return WERR_DS_INVALID_DN_SYNTAX;
|
return WERR_DS_INVALID_DN_SYNTAX;
|
||||||
}
|
}
|
||||||
}
|
if (name[i] == '.') {
|
||||||
|
labels++;
|
||||||
if (len > 1 && name[0] == '.') {
|
if (labels > DNS_MAX_LABELS) {
|
||||||
return WERR_DS_INVALID_DN_SYNTAX;
|
return WERR_DS_INVALID_DN_SYNTAX;
|
||||||
}
|
}
|
||||||
|
label_len = 0;
|
||||||
|
} else {
|
||||||
|
label_len++;
|
||||||
|
if (label_len > DNS_MAX_LABEL_LENGTH) {
|
||||||
|
return WERR_DS_INVALID_DN_SYNTAX;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return WERR_OK;
|
return WERR_OK;
|
||||||
}
|
}
|
||||||
|
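Review bot: The new label-length and total-length limits in dns_name_check look off by one, because the counting reuses the existing `for (i = 0; i < len - 1; i++)` loop, which stops one byte early so that `name[i+1]` stays in bounds. If callers pass `strlen(name)` as `len` (not visible in this hunk, so worth confirming), the final byte is never added to `label_len` and a last label of 64 characters is accepted. In the same case `(len - 1) > DNS_MAX_DOMAIN_LENGTH` lets a 254-character name through, although the header comment says 253. Counting the last byte after the loop, e.g. `if (name[len - 1] != '.' && label_len + 1 > DNS_MAX_LABEL_LENGTH) return WERR_DS_INVALID_DN_SYNTAX;`, and comparing `len` itself against the limit would match the comment; if the extra byte is deliberate (trailing dot or terminator), the comment should state what `len` includes. Boundary tests at 63/64 and 253/254 characters would pin the behaviour, since the commit message says the wildcard handling will rely on these checks.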