From 392ec4d241eb19c812cd49ff73bd32b2b09d8533 Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Tue, 13 May 2014 08:13:29 +0200
Subject: bug #10609: CVE-2014-0239 Don't reply to replies

Due to insufficient input checking, the DNS server will reply to a packet that
has the "reply" bit set. Over UDP, this allows to send a packet with a spoofed
sender address and have two servers DOS each other with circular replies.

This patch fixes bug #10609 and adds a test to make sure we don't regress.
CVE-2014-2039 has been assigned to this issue.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10609

Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Kai Blin <kai@samba.org>
Autobuild-Date(master): Tue May 20 04:15:44 CEST 2014 on sn-devel-104
---
 source4/dns_server/dns_server.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'source4')

diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c
index 976774d020..60ce27c6ff 100644
--- a/source4/dns_server/dns_server.c
+++ b/source4/dns_server/dns_server.c
@@ -156,6 +156,12 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
+	if (state->in_packet.operation & DNS_FLAG_REPLY) {
+		DEBUG(1, ("Won't reply to replies.\n"));
+		tevent_req_werror(req, WERR_INVALID_PARAM);
+		return tevent_req_post(req, ev);
+	}
+
 	state->state.flags = state->in_packet.operation;
 	state->state.flags |= DNS_FLAG_REPLY;
 
-- 
cgit