[PATCH] Fix bug in dns wild card search

Jeremy Allison jra at samba.org
Thu Jul 19 21:01:51 UTC 2018


On Thu, Jul 19, 2018 at 11:22:25AM +1200, Gary Lockyer via samba-technical wrote:
> DNS wild card matching fails if there is more than one label to the left
> of the wild card.
> 
> Wild card entry: *.example.org
> 
>     bar.example.com matches
> 
>     foo.bar.example.com does not, but it should.
> 
> Fixes https://bugzilla.samba.org/show_bug.cgi?id=13536
> 
> CI results: https://gitlab.com/catalyst-samba/samba/pipelines/25970150
> 
> Review appreciated.

Nice catch, Gary! Thanks for the test also.

RB+ and pushed.

Jeremy.

> From 8595da627f5b3f4d5134a75e10ec24ef41f62de6 Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Wed, 18 Jul 2018 15:29:21 +1200
> Subject: [PATCH 1/2] dns wildcards: tests to confirm BUG 13536
> 
> DNS wildcard matching failing if more than one label to the left of the
> wildcard. This commit adds tests to confirm the bug.
> 
> Wildcard entry: *.example.org
> bar.example.com matches
> foo.bar.example.com does not, but it should.
> 
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
>  python/samba/tests/dns_wildcard.py | 48 ++++++++++++++++++++++++++++++++++++++
>  selftest/knownfail.d/dns_wildcard  |  6 +++++
>  2 files changed, 54 insertions(+)
>  create mode 100644 selftest/knownfail.d/dns_wildcard
> 
> diff --git a/python/samba/tests/dns_wildcard.py b/python/samba/tests/dns_wildcard.py
> index ca8426a..01e06b8 100644
> --- a/python/samba/tests/dns_wildcard.py
> +++ b/python/samba/tests/dns_wildcard.py
> @@ -172,6 +172,30 @@ class TestWildCardQueries(DNSTest):
>          self.assertEquals(response.answers[0].rr_type, dns.DNS_QTYPE_A)
>          self.assertEquals(response.answers[0].rdata, WILDCARD_IP)
>  
> +    def test_one_a_query_match_wildcard_2_labels(self):
> +        """ Query an A record, should match the wild card entry
> +            have two labels to the left of the wild card target.
> +        """
> +
> +        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
> +        questions = []
> +
> +        # Check the record
> +        name = "label2.label1.wildcardtest.%s" % self.get_dns_domain()
> +        q = self.make_name_question(name,
> +                                    dns.DNS_QTYPE_A,
> +                                    dns.DNS_QCLASS_IN)
> +        questions.append(q)
> +
> +        self.finish_name_packet(p, questions)
> +        (response, response_packet) =\
> +            self.dns_transaction_udp(p, host=self.server_ip)
> +        self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
> +        self.assert_dns_opcode_equals(response, dns.DNS_OPCODE_QUERY)
> +        self.assertEquals(response.ancount, 1)
> +        self.assertEquals(response.answers[0].rr_type, dns.DNS_QTYPE_A)
> +        self.assertEquals(response.answers[0].rdata, WILDCARD_IP)
> +
>      def test_one_a_query_wildcard_entry(self):
>          "Query the wildcard entry"
>  
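Review bot: in test_one_a_query_match_wildcard_2_labels the assertions cover only ancount, rr_type and rdata, so the test would still pass if the server returned WILDCARD_IP under the wrong owner name. Consider also asserting that the answer's name equals the queried label2.label1.wildcardtest name. The docstring ("should match the wild card entry have two labels ...") is missing a word, and response_packet is assigned but never used.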
> @@ -239,6 +263,30 @@ class TestWildCardQueries(DNSTest):
>          self.assertEquals(response.answers[0].rr_type, dns.DNS_QTYPE_A)
>          self.assertEquals(response.answers[0].rdata, LEVEL2_WILDCARD_IP)
>  
> +    def test_one_a_query_match_wildcard_l2_2_labels(self):
> +        """Query an A record, should match the level 2 wild card entry
> +           have two labels to the left of the wild card target
> +        """
> +
> +        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
> +        questions = []
> +
> +        # Check the record
> +        name = "label1.label2.level2.wildcardtest.%s" % self.get_dns_domain()
> +        q = self.make_name_question(name,
> +                                    dns.DNS_QTYPE_A,
> +                                    dns.DNS_QCLASS_IN)
> +        questions.append(q)
> +
> +        self.finish_name_packet(p, questions)
> +        (response, response_packet) =\
> +            self.dns_transaction_udp(p, host=self.server_ip)
> +        self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
> +        self.assert_dns_opcode_equals(response, dns.DNS_OPCODE_QUERY)
> +        self.assertEquals(response.ancount, 1)
> +        self.assertEquals(response.answers[0].rr_type, dns.DNS_QTYPE_A)
> +        self.assertEquals(response.answers[0].rdata, LEVEL2_WILDCARD_IP)
> +
>      def test_one_a_query_exact_match_l2(self):
>          """Query an entry that matches the wild card but has an exact match as
>           well.
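Review bot: test_one_a_query_match_wildcard_l2_2_labels repeats the body of test_one_a_query_match_wildcard_2_labels line for line, differing only in the query name and the expected LEVEL2_WILDCARD_IP. A small helper that takes the name and the expected rdata would remove the duplication and make a three-label case cheap to add. The label order also differs between the two tests (label2.label1 there, label1.label2 here); using one order would make the names easier to compare.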
> diff --git a/selftest/knownfail.d/dns_wildcard b/selftest/knownfail.d/dns_wildcard
> new file mode 100644
> index 0000000..d20d9f2
> --- /dev/null
> +++ b/selftest/knownfail.d/dns_wildcard
> @@ -0,0 +1,6 @@
> +# https://bugzilla.samba.org/show_bug.cgi?id=13536
> +#
> +
> +^samba.*.TestWildCardQueries.test_one_a_query_match_wildcard_l2_2_labels
> +^samba.*.TestWildCardQueries.test_one_a_query_match_wildcard_2_labels
> +
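Review bot: both knownfail patterns leave their dots unescaped and have no end anchor, so ".TestWildCardQueries." matches any character in those positions and the ..._2_labels entry would also match a longer test name that starts the same way. Escaping the dots as \. would keep the entries from masking an unrelated failure. The risk is small because patch 2/2 deletes the file, but a tight pattern costs nothing. The lone "#" line and the blank lines can go as well.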
> -- 
> 2.7.4
> 
> 
> From a7326130147c07adfa0a0ced753a26b3e58c9306 Mon Sep 17 00:00:00 2001
> From: Gary Lockyer <gary at catalyst.net.nz>
> Date: Wed, 18 Jul 2018 15:33:26 +1200
> Subject: [PATCH 2/2] dns wildcards: fix BUG 13536
> 
> The current position in the dns name was not advanced past the '.'
> character
> 
> Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
> ---
>  selftest/knownfail.d/dns_wildcard     | 6 ------
>  source4/dns_server/dnsserver_common.c | 1 +
>  2 files changed, 1 insertion(+), 6 deletions(-)
>  delete mode 100644 selftest/knownfail.d/dns_wildcard
> 
> diff --git a/selftest/knownfail.d/dns_wildcard b/selftest/knownfail.d/dns_wildcard
> deleted file mode 100644
> index d20d9f2..0000000
> --- a/selftest/knownfail.d/dns_wildcard
> +++ /dev/null
> @@ -1,6 +0,0 @@
> -# https://bugzilla.samba.org/show_bug.cgi?id=13536
> -#
> -
> -^samba.*.TestWildCardQueries.test_one_a_query_match_wildcard_l2_2_labels
> -^samba.*.TestWildCardQueries.test_one_a_query_match_wildcard_2_labels
> -
> diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c
> index 2a49370..bbbfe92 100644
> --- a/source4/dns_server/dnsserver_common.c
> +++ b/source4/dns_server/dnsserver_common.c
> @@ -380,6 +380,7 @@ static struct ldb_parse_tree *build_wildcard_query(
>  			wildcard_query->u.list.elements[l] = el;
>  
>  			/* skip to the start of the next label */
> +			x++;
>  			for (;x < name->length && name->data[x] != '.'; x++);
>  		}
>  
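Review bot: the new x++ sits under the comment "skip to the start of the next label", which no longer describes the code: the increment steps off the current '.', and the for loop then stops on the next '.' or at name->length, not at the start of a label. Please reword the comment to say why the increment is needed, as the commit message does. The for loop tests x < name->length before it reads name->data[x], so the increment adds no out-of-bounds read in these lines; whether x can already equal name->length when this point is reached is not visible in the hunk and is worth confirming.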
> -- 
> 2.7.4
> 
