From cc93a3004e1f7a38e7519ecd124a1ce6a21ffe1c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 21 Sep 2012 22:18:10 +0200 Subject: [PATCH 1/3] libcli/echo: validate the message length metze --- libcli/echo/echo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libcli/echo/echo.c b/libcli/echo/echo.c index b6005cb..0f5f7f7 100644 --- a/libcli/echo/echo.c +++ b/libcli/echo/echo.c @@ -172,6 +172,11 @@ static void echo_request_done(struct tevent_req *subreq) return; } + if (len != state->orig_len) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + state->message[len-1] = '\0'; /* Once the async function has completed, set tevent_req_done() */ tevent_req_done(req); -- 1.7.9.5 From eacdd9f730c09bc59e3906e4f2eff6b8b3051169 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 21 Sep 2012 22:54:26 +0200 Subject: [PATCH 2/3] lib/tsocket: fix receiving of udp packets from 0 bytes (bug #9184) It's possible for a client to send 0 bytes in a UDP packet, we need still need to call recvfrom() and skip the invalid packet at a higher level. Otherwise the kernel receive queue is blocked. metze --- lib/tsocket/tsocket_bsd.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lib/tsocket/tsocket_bsd.c b/lib/tsocket/tsocket_bsd.c index 9e80065..d5721b4 100644 --- a/lib/tsocket/tsocket_bsd.c +++ b/lib/tsocket/tsocket_bsd.c @@ -876,10 +876,6 @@ static void tdgram_bsd_recvfrom_handler(void *private_data) bool retry; ret = tsocket_bsd_pending(bsds->fd); - if (ret == 0) { - /* retry later */ - return; - } err = tsocket_bsd_error_from_errno(ret, errno, &retry); if (retry) { /* retry later */ @@ -889,6 +885,7 @@ static void tdgram_bsd_recvfrom_handler(void *private_data) return; } + /* note that 'ret' can be 0 here */ state->buf = talloc_array(state, uint8_t, ret); if (tevent_req_nomem(state->buf, req)) { return; -- 1.7.9.5 From cb157e19cb6e96f319008c7178d04bfe7b30b5b4 Mon Sep 17 00:00:00 2001 
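Review bot: The write `state->message[len-1] = '\0';` right after the new check is still out of bounds when `len` is 0. The added comparison only rules that out if `state->orig_len` can never be 0, and that is decided where the request is built, outside this hunk (echo_request_done itself begins above it). An explicit guard keeps the handler safe on its own: `if (len == 0 || len != state->orig_len) {`. A comment such as `/* the reply must be exactly as long as the request; its last byte is forced to NUL below */` would also help, since the reply's final byte is overwritten rather than checked. The declarations of `len` and `orig_len` are not visible here, so confirm the comparison is not a mixed signed/unsigned one.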
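Review bot: With the `ret == 0` early return gone, `tsocket_bsd_error_from_errno(ret, errno, &retry)` is now reached with `ret == 0` and whatever `errno` an earlier call left behind. The handler therefore relies on that helper ignoring `errno` for a non-negative `ret`; the helper is outside this hunk, so that should be confirmed. The added comment would be more useful if it said why zero is let through and what the caller sees, e.g. `/* 'ret' can be 0 here: a zero-length datagram still has to be read by recvfrom() to leave the kernel queue, and the caller gets an empty buffer */`. Any remote sender can produce that empty buffer, so each consumer of the receive result needs a length check before indexing into it; the `len-1` write in libcli/echo/echo.c in this series is one such place. The rest of tdgram_bsd_recvfrom_handler, including the recvfrom() call itself, lies outside the hunk.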
From: Stefan Metzmacher Date: Fri, 21 Sep 2012 23:06:13 +0200 Subject: [PATCH 3/3] s4:dns.py: reproducer for (bug #9184) metze Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sat Sep 22 06:08:05 CEST 2012 on sn-devel-104 --- source4/scripting/python/samba/tests/dns.py | 29 +++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/source4/scripting/python/samba/tests/dns.py b/source4/scripting/python/samba/tests/dns.py index 3eee306..327e166 100644 --- a/source4/scripting/python/samba/tests/dns.py +++ b/source4/scripting/python/samba/tests/dns.py @@ -547,6 +547,35 @@ class TestComplexQueries(DNSTest): self.assertEquals(response.answers[1].rdata, os.getenv('SERVER_IP')) +class TestInvalidQueries(DNSTest): + + def test_one_a_query(self): + "send 0 bytes follows by create a query packet containing one query record" + + s = None + try: + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0) + s.connect((os.getenv('SERVER_IP'), 53)) + s.send("", 0) + finally: + if s is not None: + s.close() + + p = self.make_name_packet(dns.DNS_OPCODE_QUERY) + questions = [] + + name = "%s.%s" % (os.getenv('SERVER'), self.get_dns_domain()) + q = self.make_name_question(name, dns.DNS_QTYPE_A, dns.DNS_QCLASS_IN) + print "asking for ", q.name + questions.append(q) + + self.finish_name_packet(p, questions) + response = self.dns_transaction_udp(p) + self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK) + self.assert_dns_opcode_equals(response, dns.DNS_OPCODE_QUERY) + self.assertEquals(response.ancount, 1) + self.assertEquals(response.answers[0].rdata, + os.getenv('SERVER_IP')) if __name__ == "__main__": import unittest -- 1.7.9.5
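Review bot: If the server regresses, this test will presumably hang in `self.dns_transaction_udp(p)` rather than fail an assertion, unless that helper (defined outside this hunk) sets a socket timeout. It is worth confirming the receive is bounded so the run fails cleanly. The name `test_one_a_query` does not say what is being exercised; `def test_zero_byte_udp_then_a_query(self):` with the docstring `"send a 0-byte UDP packet, then a query packet containing one query record"` would describe the reproducer. The return value of `s.send("", 0)` is not checked, so it is worth asserting it equals 0 to confirm the empty datagram was handed to the socket.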