CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 22 May 2019 01:23:25 +0000 (13:23 +1200)
committerKarolin Seeger <kseeger@samba.org>
Wed, 19 Jun 2019 07:01:12 +0000 (07:01 +0000)
We still want to return DOES_NOT_EXIST when request_filter is not 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/dcerpc/dnsserver.py
source4/rpc_server/dnsserver/dcerpc_dnsserver.c

index bfe86323e0ce58cc597fc57c1f3bcb1f2a704114..0da9614d0666faae14097e3447e3b5fc5b7811b9 100644 (file)
@@ -732,6 +732,32 @@ class DnsserverTests(RpcInterfaceTestCase):
         # We should always encounter a DOES_NOT_EXIST error.
         self.fail()
 
+    # This test is to confirm that we do not support multizone operations,
+    # which are designated by a non-zero dwContext value (the 5th argument
+    # to DnssrvOperation2).
+    def test_operation2_invalid(self):
+        client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
+        non_zone = 'a-zone-that-does-not-exist'
+        typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM
+        name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM()
+        name_and_param.pszNodeName = 'AllowUpdate'
+        name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE
+        try:
+            res = self.conn.DnssrvOperation2(client_version,
+                                             0,
+                                             self.server,
+                                             non_zone,
+                                             1,
+                                             'ResetDwordProperty',
+                                             typeid,
+                                             name_and_param)
+        except WERRORError as e:
+            if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST:
+                return
+
+        # We should always encounter a DOES_NOT_EXIST error.
+        self.fail()
+
     def test_operation2(self):
         client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
         rev_zone = '1.168.192.in-addr.arpa'
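Review bot: In `test_operation2_invalid`, a `WERRORError` with any code other than `WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST` is swallowed by the `except` branch and the test ends in a bare `self.fail()`. The failure output then does not say which error came back, or that the call succeeded. Wrapping the call in `with self.assertRaises(WERRORError) as ctx:` and following it with `self.assertEqual(ctx.exception.args[0], werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST)` would report the unexpected code, and it would also drop the unused `res`. Because this is the regression test for a server-side NULL dereference, the literal `1` deserves an inline comment such as `# dwContext: non-zero requests a multizone operation`, so the value that reaches the fixed branch is obvious at the call site. A crashed RPC server would presumably raise something other than `WERRORError` and surface as a test error rather than a failure; that is inferred, not visible in this hunk.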
index 3bc6e2e3450f4e3bbbd4d0ba54f1923ef3aac05c..993e5dc4e56ae87d8811adb1a2fdf72aa0f33615 100644 (file)
@@ -2239,7 +2239,12 @@ static WERROR dcesrv_DnssrvOperation2(struct dcesrv_call_state *dce_call, TALLOC
                                                &r->in.pData);
        } else {
                z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
-               if (z == NULL && request_filter == 0) {
+               /*
+                * In the case that request_filter is not 0 and z is NULL,
+                * the request is for a multizone operation, which we do not
+                * yet support, so just error on NULL zone name.
+                */
+               if (z == NULL) {
                        return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
                }