[PATCH] Fix bug in dns wild card search
Gary Lockyer
gary at catalyst.net.nz
Wed Jul 18 23:22:25 UTC 2018
DNS wild card matching fails if there is more than one label to the left
of the wild card.
Wild card entry: *.example.org
bar.example.com matches
foo.bar.example.com does not, but it should.
Fixes https://bugzilla.samba.org/show_bug.cgi?id=13536
CI results: https://gitlab.com/catalyst-samba/samba/pipelines/25970150
Review appreciated.
Thanks
Gary
-------------- next part --------------
From 8595da627f5b3f4d5134a75e10ec24ef41f62de6 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed, 18 Jul 2018 15:29:21 +1200
Subject: [PATCH 1/2] dns wildcards: tests to confirm BUG 13536
DNS wildcard matching failing if more than one label to the left of the
wildcard. This commit adds tests to confirm the bug.
Wildcard entry: *.example.org
bar.example.com matches
foo.bar.example.com does not, but it should.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
python/samba/tests/dns_wildcard.py | 48 ++++++++++++++++++++++++++++++++++++++
selftest/knownfail.d/dns_wildcard | 6 +++++
2 files changed, 54 insertions(+)
create mode 100644 selftest/knownfail.d/dns_wildcard
diff --git a/python/samba/tests/dns_wildcard.py b/python/samba/tests/dns_wildcard.py
index ca8426a..01e06b8 100644
--- a/python/samba/tests/dns_wildcard.py
+++ b/python/samba/tests/dns_wildcard.py
@@ -172,6 +172,30 @@ class TestWildCardQueries(DNSTest):
self.assertEquals(response.answers[0].rr_type, dns.DNS_QTYPE_A)
self.assertEquals(response.answers[0].rdata, WILDCARD_IP)
+ def test_one_a_query_match_wildcard_2_labels(self):
+ """ Query an A record, should match the wild card entry
+ have two labels to the left of the wild card target.
+ """
+
+ p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+ questions = []
+
+ # Check the record
+ name = "label2.label1.wildcardtest.%s" % self.get_dns_domain()
+ q = self.make_name_question(name,
+ dns.DNS_QTYPE_A,
+ dns.DNS_QCLASS_IN)
+ questions.append(q)
+
+ self.finish_name_packet(p, questions)
+ (response, response_packet) =\
+ self.dns_transaction_udp(p, host=self.server_ip)
+ self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
+ self.assert_dns_opcode_equals(response, dns.DNS_OPCODE_QUERY)
+ self.assertEquals(response.ancount, 1)
+ self.assertEquals(response.answers[0].rr_type, dns.DNS_QTYPE_A)
+ self.assertEquals(response.answers[0].rdata, WILDCARD_IP)
+
def test_one_a_query_wildcard_entry(self):
"Query the wildcard entry"
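Review bot: the docstring of test_one_a_query_match_wildcard_2_labels does not parse as written ("should match the wild card entry have two labels to the left of the wild card target"). Say directly that the query name has two labels to the left of the wildcard entry and that it should still match. Since the bug sits in a per-label loop, a third case with three labels to the left would also guard against a fix that only works for exactly two.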
@@ -239,6 +263,30 @@ class TestWildCardQueries(DNSTest):
self.assertEquals(response.answers[0].rr_type, dns.DNS_QTYPE_A)
self.assertEquals(response.answers[0].rdata, LEVEL2_WILDCARD_IP)
+ def test_one_a_query_match_wildcard_l2_2_labels(self):
+ """Query an A record, should match the level 2 wild card entry
+ have two labels to the left of the wild card target
+ """
+
+ p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+ questions = []
+
+ # Check the record
+ name = "label1.label2.level2.wildcardtest.%s" % self.get_dns_domain()
+ q = self.make_name_question(name,
+ dns.DNS_QTYPE_A,
+ dns.DNS_QCLASS_IN)
+ questions.append(q)
+
+ self.finish_name_packet(p, questions)
+ (response, response_packet) =\
+ self.dns_transaction_udp(p, host=self.server_ip)
+ self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
+ self.assert_dns_opcode_equals(response, dns.DNS_OPCODE_QUERY)
+ self.assertEquals(response.ancount, 1)
+ self.assertEquals(response.answers[0].rr_type, dns.DNS_QTYPE_A)
+ self.assertEquals(response.answers[0].rdata, LEVEL2_WILDCARD_IP)
+
def test_one_a_query_exact_match_l2(self):
"""Query an entry that matches the wild card but has an exact match as
well.
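Review bot: test_one_a_query_match_wildcard_l2_2_labels repeats the body of the first new test line for line; only the query name and the expected rdata (LEVEL2_WILDCARD_IP instead of WILDCARD_IP) differ. A small helper taking the name and the expected address would keep the two from drifting apart. The label order is also inconsistent between the tests: this one queries label1.label2.level2.wildcardtest while the first uses label2.label1.wildcardtest, so pick one order.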
diff --git a/selftest/knownfail.d/dns_wildcard b/selftest/knownfail.d/dns_wildcard
new file mode 100644
index 0000000..d20d9f2
--- /dev/null
+++ b/selftest/knownfail.d/dns_wildcard
@@ -0,0 +1,6 @@
+# https://bugzilla.samba.org/show_bug.cgi?id=13536
+#
+
+^samba.*.TestWildCardQueries.test_one_a_query_match_wildcard_l2_2_labels
+^samba.*.TestWildCardQueries.test_one_a_query_match_wildcard_2_labels
+
--
2.7.4
From a7326130147c07adfa0a0ced753a26b3e58c9306 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed, 18 Jul 2018 15:33:26 +1200
Subject: [PATCH 2/2] dns wildcards: fix BUG 13536
The current position in the dns name was not advanced past the '.'
character
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
selftest/knownfail.d/dns_wildcard | 6 ------
source4/dns_server/dnsserver_common.c | 1 +
2 files changed, 1 insertion(+), 6 deletions(-)
delete mode 100644 selftest/knownfail.d/dns_wildcard
diff --git a/selftest/knownfail.d/dns_wildcard b/selftest/knownfail.d/dns_wildcard
deleted file mode 100644
index d20d9f2..0000000
--- a/selftest/knownfail.d/dns_wildcard
+++ /dev/null
@@ -1,6 +0,0 @@
-# https://bugzilla.samba.org/show_bug.cgi?id=13536
-#
-
-^samba.*.TestWildCardQueries.test_one_a_query_match_wildcard_l2_2_labels
-^samba.*.TestWildCardQueries.test_one_a_query_match_wildcard_2_labels
-
diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c
index 2a49370..bbbfe92 100644
--- a/source4/dns_server/dnsserver_common.c
+++ b/source4/dns_server/dnsserver_common.c
@@ -380,6 +380,7 @@ static struct ldb_parse_tree *build_wildcard_query(
wildcard_query->u.list.elements[l] = el;
/* skip to the start of the next label */
+ x++;
for (;x < name->length && name->data[x] != '.'; x++);
}
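Review bot: the added x++ in build_wildcard_query is unconditional, so it also runs on the first and on the last pass of the enclosing loop, and the bounds check only happens afterwards in the for condition. Please confirm from the code above this hunk that x already sits on a '.' when the loop is entered, and that nothing reads name->data[x] after the final increment without checking x < name->length. The comment "skip to the start of the next label" is also slightly off, since the scan stops on the '.' rather than on the first character of the label; a line saying that x++ steps past the '.' the previous scan stopped on would make the fix self-explanatory. The empty-bodied for ending in ';' is easy to misread, and an explicit empty block or a while loop would be clearer.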
--
2.7.4
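The failure described in the second commit message can be reproduced with a small stand-alone model. This is an added example, not code from the patch or from Samba: the function names, the `advance` switch, the starting position of `x` and the example.org names are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CAND 8
#define MAX_NAME 256

/* Simplified model, NOT Samba's build_wildcard_query(): collect the wildcard
 * owner names to try for `name`, most specific first. advance=1 steps past
 * the '.' before scanning (patched); advance=0 does not (buggy). */
static size_t wildcard_candidates(const char *name, int advance,
                                  char out[MAX_CAND][MAX_NAME])
{
    size_t len = strlen(name), dots = 0, x = 0, l;

    for (size_t i = 0; i < len; i++) {
        if (name[i] == '.') dots++;
    }
    /* assumption: x starts on the first '.', just after the leftmost label */
    while (x < len && name[x] != '.') x++;

    for (l = 0; l < dots && l < MAX_CAND; l++) {
        snprintf(out[l], MAX_NAME, "*%s", name + x);
        /* move x to the '.' in front of the next label */
        if (advance) {
            x++; /* without this the scan below stops at once on the same '.' */
        }
        while (x < len && name[x] != '.') x++;
    }
    return l;
}

/* Return 1 if any candidate equals the wildcard record's owner name. */
static int matches_wildcard(const char *name, const char *wildcard, int advance)
{
    char cand[MAX_CAND][MAX_NAME];
    size_t n = wildcard_candidates(name, advance, cand);

    for (size_t i = 0; i < n; i++) {
        if (strcmp(cand[i], wildcard) == 0) return 1;
    }
    return 0;
}

int main(void)
{
    const char *wc = "*.example.org"; /* constructed sample record */
    printf("buggy, 1 label:    %d\n", matches_wildcard("bar.example.org", wc, 0));
    printf("buggy, 2 labels:   %d\n", matches_wildcard("foo.bar.example.org", wc, 0));
    printf("patched, 2 labels: %d\n", matches_wildcard("foo.bar.example.org", wc, 1));
    return 0;
}
```

In the buggy mode every candidate after the first is a copy of the first, which is why a single label to the left of the wildcard matches and two do not.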