From a85805c74c35c9146e6235946095c651a196435b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 28 Nov 2018 15:21:56 +0100
Subject: [PATCH] CVE-2018-14629 dns: fix CNAME loop prevention using counter regression
The loop prevention should only be done for CNAME records! Otherwise we truncate the answer records for A, AAAA or SRV queries, which is a bad idea if you have more than 20 DCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Stefan Metzmacher
---
 source4/dns_server/dns_query.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index fafadb6ac6f2..0f2aa5c69f2b 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -471,11 +471,6 @@ static struct tevent_req *handle_dnsrpcrec_send(
 state->answers = answers;
 state->nsrecs = nsrecs;
- if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
- tevent_req_done(req);
- return tevent_req_post(req, ev);
- }
-
 resolve_cname = ((rec->wType == DNS_TYPE_CNAME) && ((question->question_type == DNS_QTYPE_A) || (question->question_type == DNS_QTYPE_AAAA)));
@@ -497,6 +492,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
 return tevent_req_post(req, ev);
 }
+ if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
 werr = add_response_rr(question->name, rec, state->answers);
 if (tevent_req_werror(req, werr)) {
 return tevent_req_post(req, ev);
-- 
2.17.1
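Review bot: The relocated guard in the second hunk still counts entries in the answers array (`talloc_array_length(*answers)`) rather than CNAME hops, and when the limit is reached it finishes the request with `tevent_req_done(req)`, so a chain cut off at MAX_Q_RECURSION_DEPTH looks like a complete, successful answer. Nothing in the code records why the check must sit at this position; a comment above the `if` such as `/* CNAME loop guard (CVE-2018-14629): only for the CNAME-following path, other record types must not be capped (bug 13600) */` would keep it from being moved back, and a debug-level log at the cut-off would make truncation diagnosable. handle_dnsrpcrec_send starts and ends outside the hunk, so that the lines just above are the non-CNAME early return is inferred from the commit message, not visible here. The diffstat lists only dns_query.c, so a regression test with more than 20 answer records of one type appears to be missing from this patch.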