CVE-2020-14383: s4/dns: do not crash when additional data not found
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Fri, 21 Aug 2020 05:23:17 +0000 (17:23 +1200)
committerKarolin Seeger <kseeger@samba.org>
Mon, 26 Oct 2020 14:00:49 +0000 (15:00 +0100)
Found by Francis Brosnan Blázquez <francis@aspl.es>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184

(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379)

source4/rpc_server/dnsserver/dcerpc_dnsserver.c

index ec6101682663258ce33fc02efb680a29712fb927..88efc01f15435a2b4e186c5abf287e6a7719aefb 100644 (file)
@@ -1859,8 +1859,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
        /* Add any additional records */
        if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
                for (i=0; i<add_count; i++) {
-                       struct dnsserver_zone *z2;
-
+                       struct dnsserver_zone *z2 = NULL;
+                       struct ldb_message *msg = NULL;
                        /* Search all the available zones for additional name */
                        for (z2 = dsstate->zones; z2; z2 = z2->next) {
                                char *encoded_name;
@@ -1877,6 +1877,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
                                        continue;
                                }
                                if (res->count == 1) {
+                                       msg = res->msgs[0];
                                        break;
                                } else {
                                        TALLOC_FREE(res);
@@ -1892,7 +1893,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
                        }
                        status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,
                                                        select_flag, rname,
-                                                       res->msgs[0], 0, recs,
+                                                       msg, 0, recs,
                                                        NULL, NULL);
                        TALLOC_FREE(rname);
                        TALLOC_FREE(res);
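Review bot: At the `dns_fill_records_array(...)` call, `msg` is still NULL whenever the zone loop ends without a `res->count == 1` hit, so the fix relies on the callee accepting a NULL message, and that handling is not visible in this hunk. I would record the contract at the call site, for example `/* msg stays NULL when no zone holds the additional name; dns_fill_records_array() must accept that */`, so a later change to the callee does not quietly bring back the crash on this RPC server path. If the callee does not guarantee it, an explicit guard such as `if (msg == NULL) { TALLOC_FREE(rname); continue; }` before the call would be safer, provided skipping the entry is the intended result. The body of dnsserver_enumerate_records starts and ends outside the hunk, and the lines between the zone loop and this call are not shown.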