[Pkg-samba-maint] [Git][samba-team/samba][stretch-security] 9 commits: CVE-2018-14629 dns: CNAME loop prevention using counter

Mathieu Parent gitlab at salsa.debian.org
Wed Nov 28 07:18:31 GMT 2018


Mathieu Parent pushed to branch stretch-security at Debian Samba Team / samba


Commits:
bed48072 by Aaron Haslett at 2018-11-23T21:58:45Z
CVE-2018-14629 dns: CNAME loop prevention using counter

Count number of answers generated by internal DNS query routine and stop at
20 to match Microsoft's loop prevention mechanism.

(backport to Samba 4.5)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600

Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>

- - - - -
07f588bf by Garming Sam at 2018-11-23T21:58:46Z
tests/dns_forwarder: Wait for port for 15 seconds

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 668e4e4a436756d73d64790fd0a7e79fa4769ffe)

- - - - -
12d46bca by Garming Sam at 2018-11-23T21:58:46Z
tests/dns_forwarder: Check that the subprocess is still living

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ad3b3e978ebf0692580166f9deba0368a922362d)

- - - - -
2a5f1343 by Garming Sam at 2018-11-23T21:58:46Z
tests/dns_forwarder: Fail out with an assertion instead of OOB error

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Garming Sam <garming at samba.org>
Autobuild-Date(master): Tue Sep  6 15:41:54 CEST 2016 on sn-devel-144

(cherry picked from commit 451907739cc14717c12875b88fbbe63a53e9cbec)

- - - - -
70eb7ecc by Andrew Bartlett at 2018-11-23T21:58:46Z
CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal

In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
mem_ctx.

This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
MIT KDC effort.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
24906f1c by Andrew Bartlett at 2018-11-23T21:58:47Z
CVE-2018-16841 selftest: Check for mismatching principal in certificate compared with principal in AS-REQ

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
229dae30 by Garming Sam at 2018-11-23T21:58:47Z
CVE-2018-16851 ldap_server: Check ret before manipulating blob

In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.

Note that you would actually need to load >256MB of data into the LDAP.
Although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4d0080e0 by Mathieu Parent at 2018-11-23T21:58:47Z
Add patches for previous fixes

- - - - -
9014cb54 by Mathieu Parent at 2018-11-23T21:58:47Z
Release 2:4.5.12+dfsg-2+deb9u4 to stretch-security

- - - - -


12 changed files:

- debian/changelog
- + debian/patches/CVE-2018-14629-v4-5.patch
- + debian/patches/CVE-2018-16841-master.patch
- + debian/patches/CVE-2018-16851-master.patch
- debian/patches/series
- python/samba/tests/dns.py
- python/samba/tests/dns_forwarder.py
- + selftest/knownfail.d/dns
- source4/dns_server/dns_query.c
- source4/kdc/db-glue.c
- source4/ldap_server/ldap_server.c
- testprogs/blackbox/test_pkinit_heimdal.sh


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,13 @@
+samba (2:4.5.12+dfsg-2+deb9u4) stretch-security; urgency=high
+
+  * New upstream security release
+    - CVE-2018-14629 Unprivileged adding of CNAME record causing loop in AD
+      Internal DNS server
+    - CVE-2018-16841 Double-free in Samba AD DC KDC with PKINIT
+    - CVE-2018-16851 NULL pointer de-reference in Samba AD DC LDAP server
+
+ -- Mathieu Parent <sathieu at debian.org>  Thu, 22 Nov 2018 07:04:59 +0100
+
 samba (2:4.5.12+dfsg-2+deb9u3) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.


=====================================
debian/patches/CVE-2018-14629-v4-5.patch
=====================================
@@ -0,0 +1,193 @@
+From 6d3da1eb00a31e7b0a30415d81c1ac4508da2aad Mon Sep 17 00:00:00 2001
+From: Aaron Haslett <aaronhaslett at catalyst.net.nz>
+Date: Tue, 23 Oct 2018 17:25:51 +1300
+Subject: [PATCH 1/4] CVE-2018-14629 dns: CNAME loop prevention using counter
+
+Count number of answers generated by internal DNS query routine and stop at
+20 to match Microsoft's loop prevention mechanism.
+
+(backport to Samba 4.5)
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
+
+Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet at samba.org>
+Reviewed-by: Garming Sam <garming at catalyst.net.nz>
+---
+ python/samba/tests/dns.py      | 23 +++++++++++++++++++++++
+ selftest/knownfail.d/dns       |  5 +++++
+ source4/dns_server/dns_query.c |  6 ++++++
+ 3 files changed, 34 insertions(+)
+ create mode 100644 selftest/knownfail.d/dns
+
+diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
+index babf898afd7..102269c7156 100644
+--- a/python/samba/tests/dns.py
++++ b/python/samba/tests/dns.py
+@@ -896,6 +896,29 @@ class TestComplexQueries(DNSTest):
+         self.assertEquals(response.answers[1].name, name2)
+         self.assertEquals(response.answers[1].rdata, name3)
+ 
++    def test_cname_loop(self):
++        cname1 = "cnamelooptestrec." + self.get_dns_domain()
++        cname2 = "cnamelooptestrec2." + self.get_dns_domain()
++        cname3 = "cnamelooptestrec3." + self.get_dns_domain()
++        self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
++        self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
++        self.make_dns_update(cname3, cname1, dnsp.DNS_TYPE_CNAME)
++
++        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
++        questions = []
++
++        q = self.make_name_question(cname1,
++                                    dns.DNS_QTYPE_A,
++                                    dns.DNS_QCLASS_IN)
++        questions.append(q)
++        self.finish_name_packet(p, questions)
++
++        response = self.dns_transaction_udp(p, host=self.server_ip)
++
++        max_recursion_depth = 20
++        self.assertEquals(len(response.answers), max_recursion_depth)
++
++
+ class TestInvalidQueries(DNSTest):
+ 
+     def test_one_a_query(self):
+diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
+new file mode 100644
+index 00000000000..916afc1af85
+--- /dev/null
++++ b/selftest/knownfail.d/dns
+@@ -0,0 +1,5 @@
++#
++# rodc and vampire_dc require signed dns updates, so the test setup
++# fails, but the test does run on fl2003dc
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
+diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
+index 3e9359ee666..0c26f9f8fb5 100644
+--- a/source4/dns_server/dns_query.c
++++ b/source4/dns_server/dns_query.c
+@@ -40,6 +40,7 @@
+ 
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_DNS
++#define MAX_Q_RECURSION_DEPTH 20
+ 
+ struct forwarder_string {
+ 	const char *forwarder;
+@@ -470,6 +471,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
+ 	state->answers = answers;
+ 	state->nsrecs = nsrecs;
+ 
++	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
++		tevent_req_done(req);
++		return tevent_req_post(req, ev);
++	}
++
+ 	resolve_cname = ((rec->wType == DNS_TYPE_CNAME) &&
+ 			 ((question->question_type == DNS_QTYPE_A) ||
+ 			  (question->question_type == DNS_QTYPE_AAAA)));
+-- 
+2.11.0
+
+
+From 5104d30c53be7161d03c853f480223b24115874a Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming at catalyst.net.nz>
+Date: Tue, 6 Sep 2016 10:48:57 +1200
+Subject: [PATCH 2/4] tests/dns_forwarder: Wait for port for 15 seconds
+
+Signed-off-by: Garming Sam <garming at catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet at samba.org>
+(cherry picked from commit 668e4e4a436756d73d64790fd0a7e79fa4769ffe)
+---
+ python/samba/tests/dns_forwarder.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/python/samba/tests/dns_forwarder.py b/python/samba/tests/dns_forwarder.py
+index de36de9c979..1d598662a83 100644
+--- a/python/samba/tests/dns_forwarder.py
++++ b/python/samba/tests/dns_forwarder.py
+@@ -185,8 +185,8 @@ class TestDnsForwarding(DNSTest):
+                              host, str(port), id])
+         self.subprocesses.append(p)
+         s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
+-        for i in xrange(30):
+-            time.sleep(0.01)
++        for i in xrange(300):
++            time.sleep(0.05)
+             s.connect((host, port))
+             try:
+                 s.send('timeout 0', 0)
+-- 
+2.11.0
+
+
+From c66c90469efe920d8273df041c1c46698ffb1a21 Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming at catalyst.net.nz>
+Date: Thu, 7 Jul 2016 16:58:27 +1200
+Subject: [PATCH 3/4] tests/dns_forwarder: Check that the subprocess is still
+ living
+
+Signed-off-by: Garming Sam <garming at catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet at samba.org>
+(cherry picked from commit ad3b3e978ebf0692580166f9deba0368a922362d)
+---
+ python/samba/tests/dns_forwarder.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/python/samba/tests/dns_forwarder.py b/python/samba/tests/dns_forwarder.py
+index 1d598662a83..bef21f6bdaf 100644
+--- a/python/samba/tests/dns_forwarder.py
++++ b/python/samba/tests/dns_forwarder.py
+@@ -193,6 +193,10 @@ class TestDnsForwarding(DNSTest):
+             except socket.error, e:
+                 if e.errno in (errno.ECONNREFUSED, errno.EHOSTUNREACH):
+                     continue
++
++            if p.returncode is not None:
++                self.fail("Toy server has managed to die already!")
++
+             return s
+ 
+     def tearDown(self):
+-- 
+2.11.0
+
+
+From dec2a328b3262b131f147c339fa17112f998ca39 Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming at samba.org>
+Date: Thu, 9 Jun 2016 03:52:38 +0200
+Subject: [PATCH 4/4] tests/dns_forwarder: Fail out with an assertion instead
+ OOB error
+
+Signed-off-by: Garming Sam <garming at catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet at samba.org>
+
+Autobuild-User(master): Garming Sam <garming at samba.org>
+Autobuild-Date(master): Tue Sep  6 15:41:54 CEST 2016 on sn-devel-144
+
+(cherry picked from commit 451907739cc14717c12875b88fbbe63a53e9cbec)
+---
+ python/samba/tests/dns_forwarder.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/python/samba/tests/dns_forwarder.py b/python/samba/tests/dns_forwarder.py
+index bef21f6bdaf..51a86198b54 100644
+--- a/python/samba/tests/dns_forwarder.py
++++ b/python/samba/tests/dns_forwarder.py
+@@ -466,8 +466,9 @@ class TestDnsForwarding(DNSTest):
+         try:
+             data = ad.recv(0xffff + 2, 0)
+             data = ndr.ndr_unpack(dns.name_packet, data)
+-            self.assertEqual('forwarder1', data.answers[0].rdata)
+             self.assert_dns_rcode_equals(data, dns.DNS_RCODE_OK)
++            self.assertEqual(len(data.answers), 1)
++            self.assertEqual('forwarder1', data.answers[0].rdata)
+         except socket.timeout:
+             self.fail("DNS server is too slow (timeout %s)" % timeout)
+ 
+-- 
+2.11.0
+


=====================================
debian/patches/CVE-2018-16841-master.patch
=====================================
@@ -0,0 +1,81 @@
+From 55d782d3b63f04124efa99c56a53aa57efa1a4b7 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet at samba.org>
+Date: Tue, 23 Oct 2018 17:33:46 +1300
+Subject: [PATCH 1/2] CVE-2018-16841 heimdal: Fix segfault on PKINIT with
+ mis-matching principal
+
+In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
+mem_ctx.
+
+This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
+MIT KDC effort.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
+
+Signed-off-by: Andrew Bartlett <abartlet at samba.org>
+Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
+---
+ source4/kdc/db-glue.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
+index acd24ec0c83..969f4f6b556 100644
+--- a/source4/kdc/db-glue.c
++++ b/source4/kdc/db-glue.c
+@@ -2610,10 +2610,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
+ 	 * comparison */
+ 	if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
+ 		talloc_free(mem_ctx);
+-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */
+-		return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
++#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
+ 		return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
++#else /* Heimdal (where this is an enum) */
++		return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+ #endif
+ 	}
+ 
+-- 
+2.11.0
+
+
+From 574caed5a3e2e600696f2b2f28743b08d1ff7e9c Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet at samba.org>
+Date: Wed, 24 Oct 2018 15:41:28 +1300
+Subject: [PATCH 2/2] CVE-2018-16841 selftest: Check for mismatching principal
+ in certficate compared with principal in AS-REQ
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
+Signed-off-by: Andrew Bartlett <abartlet at samba.org>
+Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
+---
+ testprogs/blackbox/test_pkinit_heimdal.sh | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh
+index 0a13aa293e7..0912e0dbfe8 100755
+--- a/testprogs/blackbox/test_pkinit_heimdal.sh
++++ b/testprogs/blackbox/test_pkinit_heimdal.sh
+@@ -75,10 +75,18 @@ testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --reque
+ testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
+ test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+ 
++testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1`
++
++testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM || failed=`expr $failed + 1`
++
+ testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
+ testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
+ test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+ 
++testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1`
++
++testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1`
++
+ testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
+ testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
+ test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+-- 
+2.11.0
+


=====================================
debian/patches/CVE-2018-16851-master.patch
=====================================
@@ -0,0 +1,44 @@
+From 90c319ec77d27b7d9eeae9e5c7a41407f00caf23 Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming at catalyst.net.nz>
+Date: Mon, 5 Nov 2018 16:18:18 +1300
+Subject: [PATCH] CVE-2018-16851 ldap_server: Check ret before manipulating
+ blob
+
+In the case of hitting the talloc ~256MB limit, this causes a crash in
+the server.
+
+Note that you would actually need to load >256MB of data into the LDAP.
+Although there is some generated/hidden data which would help you reach that
+limit (descriptors and RMD blobs).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
+
+Signed-off-by: Garming Sam <garming at catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet at samba.org>
+---
+ source4/ldap_server/ldap_server.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
+index b5251e3623e..bc2f54bc146 100644
+--- a/source4/ldap_server/ldap_server.c
++++ b/source4/ldap_server/ldap_server.c
+@@ -690,13 +690,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
+ 		ret = data_blob_append(call, &blob, b.data, b.length);
+ 		data_blob_free(&b);
+ 
+-		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+-
+ 		if (!ret) {
+ 			ldapsrv_terminate_connection(conn, "data_blob_append failed");
+ 			return;
+ 		}
+ 
++		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
++
+ 		DLIST_REMOVE(call->replies, call->replies);
+ 	}
+ 
+-- 
+2.11.0
+
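
Review bot: this file is named -master and its inner hunk header is `@@ -690,13 +690,13 @@ static void ldapsrv_call_writev_start`, but the resulting change to source4/ldap_server/ldap_server.c in this same push lands at `@@ -601,13 +601,13 @@ static void ldapsrv_call_process_done`. The patch therefore applies to the 4.5 tree only with an offset of roughly ninety lines and under a different function context from the one it was written against. CVE-2018-16841-master.patch shows the same mismatch (2610 against 2487 in db-glue.c). Refresh both against the stretch source so they apply without offset, and name them for 4.5 as CVE-2018-14629-v4-5.patch is, so a reviewer can confirm each hunk matched the intended code and not a similar-looking block elsewhere.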


=====================================
debian/patches/series
=====================================
@@ -25,3 +25,6 @@ CVE-2018-1050-11343-4.5.patch
 CVE-2018-1057-v4-5.metze01.patches.txt
 CVE-2018-10919.patch
 CVE-2018-10858-4.6.patch
+CVE-2018-14629-v4-5.patch
+CVE-2018-16841-master.patch
+CVE-2018-16851-master.patch


=====================================
python/samba/tests/dns.py
=====================================
@@ -896,6 +896,29 @@ class TestComplexQueries(DNSTest):
         self.assertEquals(response.answers[1].name, name2)
         self.assertEquals(response.answers[1].rdata, name3)
 
+    def test_cname_loop(self):
+        cname1 = "cnamelooptestrec." + self.get_dns_domain()
+        cname2 = "cnamelooptestrec2." + self.get_dns_domain()
+        cname3 = "cnamelooptestrec3." + self.get_dns_domain()
+        self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
+        self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
+        self.make_dns_update(cname3, cname1, dnsp.DNS_TYPE_CNAME)
+
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        q = self.make_name_question(cname1,
+                                    dns.DNS_QTYPE_A,
+                                    dns.DNS_QCLASS_IN)
+        questions.append(q)
+        self.finish_name_packet(p, questions)
+
+        response = self.dns_transaction_udp(p, host=self.server_ip)
+
+        max_recursion_depth = 20
+        self.assertEquals(len(response.answers), max_recursion_depth)
+
+
 class TestInvalidQueries(DNSTest):
 
     def test_one_a_query(self):
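
Review bot: test_cname_loop creates three CNAME records that point at each other and never removes them, so the loop stays in the test zone for every later test in the run; register a cleanup (for example with self.addCleanup) that deletes the three records. The only assertion is that len(response.answers) equals 20, which says nothing about what those answers are, so also check the rcode and that every answer is a DNS_TYPE_CNAME whose rdata is one of cname1, cname2 or cname3. max_recursion_depth = 20 duplicates MAX_Q_RECURSION_DEPTH from dns_query.c; a comment naming that define would keep the two values in step.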


=====================================
python/samba/tests/dns_forwarder.py
=====================================
@@ -185,14 +185,18 @@ class TestDnsForwarding(DNSTest):
                              host, str(port), id])
         self.subprocesses.append(p)
         s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
-        for i in xrange(30):
-            time.sleep(0.01)
+        for i in xrange(300):
+            time.sleep(0.05)
             s.connect((host, port))
             try:
                 s.send('timeout 0', 0)
             except socket.error, e:
                 if e.errno in (errno.ECONNREFUSED, errno.EHOSTUNREACH):
                     continue
+
+            if p.returncode is not None:
+                self.fail("Toy server has managed to die already!")
+
             return s
 
     def tearDown(self):
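
Review bot: the added `if p.returncode is not None` check reads an attribute that a subprocess.Popen object only updates when poll(), wait() or communicate() is called, and none of those appears in this loop. If p is a Popen, as the argument list and self.subprocesses.append(p) suggest, the check can never fire; call p.poll() and test its result instead. Two further gaps in the same loop: a socket.error with an errno other than ECONNREFUSED or EHOSTUNREACH falls through to return s, and when all 300 attempts are refused the function falls off the end and returns None to the caller. An explicit self.fail() after the loop would report the 15 second timeout where it happens.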
@@ -462,8 +466,9 @@ class TestDnsForwarding(DNSTest):
         try:
             data = ad.recv(0xffff + 2, 0)
             data = ndr.ndr_unpack(dns.name_packet, data)
-            self.assertEqual('forwarder1', data.answers[0].rdata)
             self.assert_dns_rcode_equals(data, dns.DNS_RCODE_OK)
+            self.assertEqual(len(data.answers), 1)
+            self.assertEqual('forwarder1', data.answers[0].rdata)
         except socket.timeout:
             self.fail("DNS server is too slow (timeout %s)" % timeout)
 


=====================================
selftest/knownfail.d/dns
=====================================
@@ -0,0 +1,5 @@
+#
+# rodc and vampire_dc require signed dns updates, so the test setup
+# fails, but the test does run on fl2003dc
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
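
Review bot: listing test_cname_loop as a known failure on rodc and vampire_dc leaves the CVE-2018-14629 regression check effectively exercised only on fl2003dc, and a knownfail entry hides any failure in those two environments, not only the signed-update setup failure the comment describes. Skipping the test there with an explicit reason, or performing the setup with a signed update, would keep the intent visible and let a real regression surface.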


=====================================
source4/dns_server/dns_query.c
=====================================
@@ -40,6 +40,7 @@
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_DNS
+#define MAX_Q_RECURSION_DEPTH 20
 
 struct forwarder_string {
 	const char *forwarder;
@@ -470,6 +471,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	state->answers = answers;
 	state->nsrecs = nsrecs;
 
+	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
+		tevent_req_done(req);
+		return tevent_req_post(req, ev);
+	}
+
 	resolve_cname = ((rec->wType == DNS_TYPE_CNAME) &&
 			 ((question->question_type == DNS_QTYPE_A) ||
 			  (question->question_type == DNS_QTYPE_AAAA)));
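
Review bot: the guard in handle_dnsrpcrec_send compares talloc_array_length(*answers) with MAX_Q_RECURSION_DEPTH, so what it limits is the number of answer records accumulated so far, not the depth of CNAME chasing that the macro name implies. That stops the loop, but it also ends processing for any query whose answer array has reached 20 entries for legitimate reasons, and it does so by completing the request as a success with no log line. Add a comment on the #define stating that it is an answer-count cap chosen to match Microsoft's behaviour, and a debug message at the early return so an operator can tell a truncated CNAME chain from a normal reply.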


=====================================
source4/kdc/db-glue.c
=====================================
@@ -2487,10 +2487,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
 	 * comparison */
 	if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
 		talloc_free(mem_ctx);
-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */
-		return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
+#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
 		return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+#else /* Heimdal (where this is an enum) */
+		return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
 #endif
 	}
 
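
Review bot: the fix depends on testing the MIT macro first and letting `#else` pick up Heimdal, but the only hint left in the code is the comment "Heimdal (where this is an enum)". State above the `#if` that `#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH` is false under Heimdal because the constant is an enum value and not a preprocessor symbol, and that with neither return compiled the function carried on after talloc_free(mem_ctx), which is the double free the commit message describes. Without that explanation a later tidy-up back to a symmetric #ifdef/#elif would quietly reintroduce the fall-through. The new form does turn a missing definition into a compile error instead of a skipped return, which is the safer failure mode.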


=====================================
source4/ldap_server/ldap_server.c
=====================================
@@ -601,13 +601,13 @@ static void ldapsrv_call_process_done(struct tevent_req *subreq)
 		ret = data_blob_append(call, &blob, b.data, b.length);
 		data_blob_free(&b);
 
-		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
-
 		if (!ret) {
 			ldapsrv_terminate_connection(conn, "data_blob_append failed");
 			return;
 		}
 
+		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+
 		DLIST_REMOVE(call->replies, call->replies);
 	}
 
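
Review bot: the reordering is the whole fix, yet nothing at the call site says why talloc_set_name_const() must come after the `if (!ret)` test. Add a one-line comment that blob.data cannot be relied on when data_blob_append() fails, so the naming call is not moved back above the check in a later clean-up. It is also worth confirming that whatever was already accumulated in blob is released on the early return, since the hunk shows only ldapsrv_terminate_connection() followed by return.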


=====================================
testprogs/blackbox/test_pkinit_heimdal.sh
=====================================
@@ -75,10 +75,18 @@ testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --reque
 testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
 test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
 
+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1`
+
+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM || failed=`expr $failed + 1`
+
 testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
 test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
 
+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1`
+
+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1`
+
 testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
 testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
 test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
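
Review bot: in the last added test the principal is written `$SERVER$@$REALM`, while the matching non-enterprise test uses `$SERVER@$REALM`. In an unquoted shell word `$@` expands to the script's positional parameters, so this argument becomes $SERVER, then whatever the positional parameters are, then $REALM, with no literal `$` or `@` in it. If the intent is the machine account name with its trailing dollar sign, write it as "$SERVER\$@$REALM". As written, testit_expect_failure can be satisfied by kinit rejecting a principal other than the intended one, so this case may pass without exercising the mismatch between the certificate and the AS-REQ principal.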



View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/55634757485cd0840f57119d6d4b7b997d2368c0...9014cb5484b9fe550ce6547e05135626fbd5d179
