1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

CVE-2022-32743 s4:rpc_server/netlogon: Remove dNSHostName prefix check

This check is not exhaustive (it does not check the suffix of the
dNSHostName), and should be covered by a validated write check in
acl_modify().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
Joseph Sutton 2022-06-02 17:11:08 +12:00 committed by Douglas Bagnall
parent f9831259b9
commit d07641fc5a
2 changed files with 7 additions and 19 deletions

View File

@ -1,4 +1,6 @@
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_suffix\(
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_validated_write\(
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_write_property\(
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_with_flag\(
^samba4.rpc.netlogon on ncacn_ip_tcp with bigendian.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncacn_ip_tcp with seal,padcheck.netlogon.GetDomainInfo\(
@ -6,6 +8,9 @@
^samba4.rpc.netlogon on ncacn_np with bigendian.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncacn_np with seal,padcheck.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncacn_np with validate.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncalrpc with bigendian.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncalrpc with seal,padcheck.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon on ncalrpc with validate.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon with bigendian.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon with seal,padcheck.netlogon.GetDomainInfo\(
^samba4.rpc.netlogon with validate.netlogon.GetDomainInfo\(

View File

@ -2413,7 +2413,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
};
const char * const attrs2[] = { "sAMAccountName", "dNSHostName",
"msDS-SupportedEncryptionTypes", NULL };
const char *sam_account_name, *old_dns_hostname, *prefix1, *prefix2;
const char *sam_account_name, *old_dns_hostname;
struct ldb_context *sam_ctx;
const struct GUID *our_domain_guid = NULL;
struct lsa_TrustDomainInfoInfoEx *our_tdo = NULL;
@ -2483,24 +2483,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/*
* Checks that the sam account name without a possible "$"
* matches as prefix with the DNS hostname in the workstation
* info structure.
*/
prefix1 = talloc_strndup(mem_ctx, sam_account_name,
strcspn(sam_account_name, "$"));
NT_STATUS_HAVE_NO_MEMORY(prefix1);
if (r->in.query->workstation_info->dns_hostname != NULL) {
prefix2 = talloc_strndup(mem_ctx,
r->in.query->workstation_info->dns_hostname,
strcspn(r->in.query->workstation_info->dns_hostname, "."));
NT_STATUS_HAVE_NO_MEMORY(prefix2);
if (strcasecmp(prefix1, prefix2) != 0) {
update_dns_hostname = false;
}
} else {
if (r->in.query->workstation_info->dns_hostname == NULL) {
update_dns_hostname = false;
}