IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 16 20:43:55 UTC 2022 on sn-devel-184
MS-DNSP uses the term "EntombedTime" in e.g. "2.2.2.2.4.23 DNS_RPC_RECORD_TS"
which is more descriptive than the generic "timestamp", and less likely to be
confused with dwTimestamp, which has been our curse. Let's make it grep-able,
google-able, and evocative.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
This will be used by a test and the DNS server code to parse short dnsProperty
records which come from Windows servers.
This example is from the value that caused Samba to fail as it
can not be parsed as a normal dnsp_DnsProperty
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
There are two concerns here, assuming the attacker can place arbitary values
in a dnsProperty attribute over LDAP (eg is a DNS administrator).
This comes from the fact that id is used as the switch value at the C layer
but at the NDR layer the wDataLength value is considered first.
One concern is that a pull/push round-trip could include server memory:
The previous switch_is() behaviour could store the server memory back
into the attribute.
However this pattern of pull/push only happens in ndrdump and fuzzing tools, as
dnsserver_db_do_reset_dword() operates only on the uint32/bitmap union
arms, and fully initialises those.
The other is that a pull of the attacker-supplied value could
cause the server to expose memory.
This would be over the network via DNS or the RPC dnsserver protocols.
However at all times the ndr_pull_struct_blob is passed zeroed memory.
The final concern (which fuzz_ndr_X found) is that in the ndr_size_dnsPropertyData()
the union descriminent is only id.
This has no impact as only zeroed memory is used so there will be a
zero value in all scalars, including data->d_ns_servers.AddrArray.
Therefore the server will not crash processing the attacker-supplied blob
[MS-DNSP] 2.3.2.1 dnsProperty has no mention of this special behaviour.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/445c7843-e4a1-4222-8c0f-630c230a4c80
This was known as CVE-2019-14908 before being triaged back to a normal bug.
Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X fuzzer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14206
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 21 11:02:21 UTC 2019 on sn-devel-184
The endian changes are needed in order to get the following result
from the blobs Windows generated (see the torture test):
AddrArray: ARRAY(3)
AddrArray: struct dnsp_dns_addr
family : 0x0002 (2)
port : 0x0035 (53)
ipv4 : 172.31.99.33
ipv6 : 0000:0000:0000:0000:0000:0000:0000:0000
[MS-DNSP] states that the port is supposed to be ignored, but it's still
good to decode it as port '53' (0x0035) instead of '13568' (0x3500).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
In future we should use ipv4address, but that would result in a much
larger change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Remove the decode_* functions as they are no longer needed, and this
will reduce the amount of untested automatically generated code.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
this fills in the functions and structures for the dnsserver RPC
protocol. This protocol is used during a subdomain join to add the NS
glue record to the parent domain
based on new WSPP docs from Bryan Burgin
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Dec 22 04:45:46 CET 2010 on sn-devel-104
