| From ff17443fe761eda864d13957bec45f5bac478fe3 Mon Sep 17 00:00:00 2001 |
| From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> |
| Date: Fri, 11 Dec 2020 14:34:31 +0900 |
| Subject: [PATCH] CVE-2020-14383: s4/dns: Ensure variable initialization with |
| NULL. do not crash when additional data not found |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| Found by Francis Brosnan Blázquez <francis@aspl.es>. |
| Based on patches from Francis Brosnan Blázquez <francis@aspl.es> |
| and Jeremy Allison <jra@samba.org> |
| |
| BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 |
| BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 |
| |
| Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> |
| Reviewed-by: Jeremy Allison <jra@samba.org> |
| |
| Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> |
| Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184 |
| |
| (based on commit df98e7db04c901259dd089e20cd557bdbdeaf379) |
| (based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e) |
| |
| Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> |
| --- |
| .../rpc_server/dnsserver/dcerpc_dnsserver.c | 31 ++++++++++--------- |
| 1 file changed, 17 insertions(+), 14 deletions(-) |
| |
| diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c |
| index 910de9a1..618c7096 100644 |
| --- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c |
| +++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c |
| @@ -1754,15 +1754,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, |
| TALLOC_CTX *tmp_ctx; |
| char *name; |
| const char * const attrs[] = { "name", "dnsRecord", NULL }; |
| - struct ldb_result *res; |
| - struct DNS_RPC_RECORDS_ARRAY *recs; |
| + struct ldb_result *res = NULL; |
| + struct DNS_RPC_RECORDS_ARRAY *recs = NULL; |
| char **add_names = NULL; |
| - char *rname; |
| + char *rname = NULL; |
| const char *preference_name = NULL; |
| int add_count = 0; |
| int i, ret, len; |
| WERROR status; |
| - struct dns_tree *tree, *base, *node; |
| + struct dns_tree *tree = NULL; |
| + struct dns_tree *base = NULL; |
| + struct dns_tree *node = NULL; |
| |
| tmp_ctx = talloc_new(mem_ctx); |
| W_ERROR_HAVE_NO_MEMORY(tmp_ctx); |
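Review bot: `char *name;` is left uninitialized in this declaration block, although every other pointer here is now set to NULL and the later hunks apply `TALLOC_FREE(name)` to it. TALLOC_FREE compares the pointer with NULL before freeing, so any path that reached it with `name` unassigned would read an indeterminate value. Whether such a path exists cannot be seen from here, because the function body continues outside the hunk. For consistency with the stated goal of the commit I would change the line to `char *name = NULL;`.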
| @@ -1845,15 +1847,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, |
| } |
| } |
| |
| - talloc_free(res); |
| - talloc_free(tree); |
| - talloc_free(name); |
| + TALLOC_FREE(res); |
| + TALLOC_FREE(tree); |
| + TALLOC_FREE(name); |
| |
| /* Add any additional records */ |
| if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { |
| for (i=0; i<add_count; i++) { |
| - struct dnsserver_zone *z2; |
| - |
| + struct dnsserver_zone *z2 = NULL; |
| + struct ldb_message *msg = NULL; |
| /* Search all the available zones for additional name */ |
| for (z2 = dsstate->zones; z2; z2 = z2->next) { |
| char *encoded_name; |
| @@ -1865,14 +1867,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, |
| LDB_SCOPE_ONELEVEL, attrs, |
| "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))", |
| encoded_name); |
| - talloc_free(name); |
| + TALLOC_FREE(name); |
| if (ret != LDB_SUCCESS) { |
| continue; |
| } |
| if (res->count == 1) { |
| + msg = res->msgs[0]; |
| break; |
| } else { |
| - talloc_free(res); |
| + TALLOC_FREE(res); |
| continue; |
| } |
| } |
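Review bot: Nothing at the assignment `msg = res->msgs[0];` records that `msg` is a borrowed pointer into `res`, or that it stays NULL when no zone returns exactly one match. The last hunk passes `msg` to dns_fill_records_array(), so the crash fix relies on that function accepting a NULL message, and this single-file patch does not show the callee. I would add a comment above the assignment such as `/* msg points into res and is only valid until res is freed; it stays NULL if no zone has the name, which dns_fill_records_array() must accept */`, and confirm that the callee in the backported tree handles NULL. The zone loop starts outside this hunk.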
| @@ -1885,10 +1888,10 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, |
| } |
| status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A, |
| select_flag, rname, |
| - res->msgs[0], 0, recs, |
| + msg, 0, recs, |
| NULL, NULL); |
| - talloc_free(rname); |
| - talloc_free(res); |
| + TALLOC_FREE(rname); |
| + TALLOC_FREE(res); |
| } |
| } |
| |
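Review bot: The `status` returned by dns_fill_records_array() is not checked before the loop body ends, so a failure for one additional name is overwritten by the next iteration. Now that `msg` may be NULL on this path, an error from the callee is the only signal that a record could not be filled. I would add, directly after `TALLOC_FREE(res);`, a check of the form `if (!W_ERROR_IS_OK(status)) { talloc_free(tmp_ctx); return status; }`. The function continues after this hunk, so a later check may exist, but it would only see the result of the last iteration.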
| -- |
| 2.25.1 |
| |