mirror of
https://github.com/samba-team/samba.git
synced 2025-01-08 21:18:16 +03:00
bug #10609: CVE-2014-0239 Don't reply to replies
Due to insufficient input checking, the DNS server will reply to a packet that has the "reply" bit set. Over UDP, this allows sending a packet with a spoofed sender address and having two servers DoS each other with circular replies. This patch fixes bug #10609 and adds a test to make sure we don't regress. CVE-2014-0239 has been assigned to this issue. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10609 Signed-off-by: Kai Blin <kai@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Kai Blin <kai@samba.org> Autobuild-Date(master): Tue May 20 04:15:44 CEST 2014 on sn-devel-104
parent
e5649ef6ee
commit
392ec4d241
@ -833,6 +833,35 @@ class TestInvalidQueries(DNSTest):
|
||||
self.assertEquals(response.answers[0].rdata,
|
||||
os.getenv('SERVER_IP'))
|
||||
|
||||
def test_one_a_reply(self):
|
||||
"send a reply instead of a query"
|
||||
|
||||
p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
|
||||
questions = []
|
||||
|
||||
name = "%s.%s" % ('fakefakefake', self.get_dns_domain())
|
||||
q = self.make_name_question(name, dns.DNS_QTYPE_A, dns.DNS_QCLASS_IN)
|
||||
print "asking for ", q.name
|
||||
questions.append(q)
|
||||
|
||||
self.finish_name_packet(p, questions)
|
||||
p.operation |= dns.DNS_FLAG_REPLY
|
||||
s = None
|
||||
try:
|
||||
send_packet = ndr.ndr_pack(p)
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
|
||||
host=os.getenv('SERVER_IP')
|
||||
s.connect((host, 53))
|
||||
tcp_packet = struct.pack('!H', len(send_packet))
|
||||
tcp_packet += send_packet
|
||||
s.send(tcp_packet, 0)
|
||||
recv_packet = s.recv(0xffff + 2, 0)
|
||||
self.assertEquals(0, len(recv_packet))
|
||||
finally:
|
||||
if s is not None:
|
||||
s.close()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
import unittest
|
||||
unittest.main()
|
||||
|
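Review bot: The new regression test in `test_one_a_reply` only exercises the TCP path, while the commit message describes the reply loop over UDP, and its `s.recv(0xffff + 2, 0)` call has no timeout, so a server that neither answers nor closes the connection would hang the suite instead of failing the test. Add `s.settimeout(5)` (example value) right after the socket is created, and add a UDP sibling that asserts no datagram comes back. Whether both transports reach the same check in dns_process_send is not visible on this page, which is the reason to cover both. A sketch of the UDP variant follows.

```python
    def test_one_a_reply_udp(self):
        "send a reply instead of a query over UDP; the server must stay silent"
        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
        # … unchanged: question setup as in test_one_a_reply …
        self.finish_name_packet(p, questions)
        p.operation |= dns.DNS_FLAG_REPLY
        s = None
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
            # Example value; bounds the wait for a reply that must never arrive.
            s.settimeout(5)
            s.connect((os.getenv('SERVER_IP'), 53))
            s.send(ndr.ndr_pack(p), 0)
            self.assertRaises(socket.timeout, s.recv, 0xffff, 0)
        finally:
            if s is not None:
                s.close()
```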
@ -156,6 +156,12 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx,
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
|
||||
if (state->in_packet.operation & DNS_FLAG_REPLY) {
|
||||
DEBUG(1, ("Won't reply to replies.\n"));
|
||||
tevent_req_werror(req, WERR_INVALID_PARAM);
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
|
||||
state->state.flags = state->in_packet.operation;
|
||||
state->state.flags |= DNS_FLAG_REPLY;
|
||||
|
||||
|
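Review bot: The new `DNS_FLAG_REPLY` branch should carry a comment explaining why it fails the request with `tevent_req_werror()` rather than producing a DNS error response: the fix only works if nothing at all goes back on the wire, and that depends on how the caller treats a WERROR, which is outside this hunk. Something like `/* Drop silently: any response, even an error rcode, would keep a reply loop going. */` above the `if` would make it harder for a later refactor to turn this into an error reply. Also consider whether `DEBUG(1, ...)` is the right level, since every dropped packet from an unauthenticated sender writes a log line; a higher debug level would limit log growth under a flood. dns_process_send starts and ends outside the hunk.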