mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2022-32743 s4:rpc_server/netlogon: Remove dNSHostName prefix check
This check is not exhaustive (it does not check the suffix of the dNSHostName), and should be covered by a validated write check in acl_modify(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
parent
f9831259b9
commit
d07641fc5a
@ -1,4 +1,6 @@
|
||||
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_suffix\(
|
||||
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_validated_write\(
|
||||
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_invalid_write_property\(
|
||||
^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_set_dns_hostname_with_flag\(
|
||||
^samba4.rpc.netlogon on ncacn_ip_tcp with bigendian.netlogon.GetDomainInfo\(
|
||||
^samba4.rpc.netlogon on ncacn_ip_tcp with seal,padcheck.netlogon.GetDomainInfo\(
|
||||
@ -6,6 +8,9 @@
|
||||
^samba4.rpc.netlogon on ncacn_np with bigendian.netlogon.GetDomainInfo\(
|
||||
^samba4.rpc.netlogon on ncacn_np with seal,padcheck.netlogon.GetDomainInfo\(
|
||||
^samba4.rpc.netlogon on ncacn_np with validate.netlogon.GetDomainInfo\(
|
||||
^samba4.rpc.netlogon on ncalrpc with bigendian.netlogon.GetDomainInfo\(
|
||||
^samba4.rpc.netlogon on ncalrpc with seal,padcheck.netlogon.GetDomainInfo\(
|
||||
^samba4.rpc.netlogon on ncalrpc with validate.netlogon.GetDomainInfo\(
|
||||
^samba4.rpc.netlogon with bigendian.netlogon.GetDomainInfo\(
|
||||
^samba4.rpc.netlogon with seal,padcheck.netlogon.GetDomainInfo\(
|
||||
^samba4.rpc.netlogon with validate.netlogon.GetDomainInfo\(
|
||||
|
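Review bot: These patterns mark the whole GetDomainInfo test as an expected failure on every listed transport and option combination, so while they stay in the list any other regression in GetDomainInfo is hidden too, not only the dNSHostName behaviour this commit changes. Going by the hunk counts, five entries are added across the two hunks, but the rendered page has lost the markers that would show which ones. Nothing visible says when the entries are meant to come out again; I'd state in the commit message that they are to be dropped together with the validated write check in acl_modify() that the description refers to.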
@ -2413,7 +2413,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
|
||||
};
|
||||
const char * const attrs2[] = { "sAMAccountName", "dNSHostName",
|
||||
"msDS-SupportedEncryptionTypes", NULL };
|
||||
const char *sam_account_name, *old_dns_hostname, *prefix1, *prefix2;
|
||||
const char *sam_account_name, *old_dns_hostname;
|
||||
struct ldb_context *sam_ctx;
|
||||
const struct GUID *our_domain_guid = NULL;
|
||||
struct lsa_TrustDomainInfoInfoEx *our_tdo = NULL;
|
||||
@ -2483,24 +2483,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
|
||||
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
||||
}
|
||||
|
||||
/*
|
||||
* Checks that the sam account name without a possible "$"
|
||||
* matches as prefix with the DNS hostname in the workstation
|
||||
* info structure.
|
||||
*/
|
||||
prefix1 = talloc_strndup(mem_ctx, sam_account_name,
|
||||
strcspn(sam_account_name, "$"));
|
||||
NT_STATUS_HAVE_NO_MEMORY(prefix1);
|
||||
if (r->in.query->workstation_info->dns_hostname != NULL) {
|
||||
prefix2 = talloc_strndup(mem_ctx,
|
||||
r->in.query->workstation_info->dns_hostname,
|
||||
strcspn(r->in.query->workstation_info->dns_hostname, "."));
|
||||
NT_STATUS_HAVE_NO_MEMORY(prefix2);
|
||||
|
||||
if (strcasecmp(prefix1, prefix2) != 0) {
|
||||
update_dns_hostname = false;
|
||||
}
|
||||
} else {
|
||||
if (r->in.query->workstation_info->dns_hostname == NULL) {
|
||||
update_dns_hostname = false;
|
||||
}
|
||||
|
||||
|
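Review bot: With the prefix comparison gone, the only guard left in this hunk is `if (r->in.query->workstation_info->dns_hostname == NULL)`, so any non-NULL client-supplied dns_hostname leaves update_dns_hostname untouched, and nothing in the function text says where the value is validated. The commit message relies on a validated write check in acl_modify(), which is outside this hunk. That presumably only holds if the later dNSHostName modify runs with the calling machine account's access rather than a privileged session, and the visible lines do not confirm this. I'd add a short comment above the NULL check, e.g. `/* dNSHostName is not validated here; the validated write check in acl_modify() must reject values this account may not set. */`. The body of dcesrv_netr_LogonGetDomainInfo starts and ends outside the hunk.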