From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 29 Oct 2019 22:50:57 +0000 (+1300)
Subject: CVE-2019-14861: Test to demonstrate the bug
X-Git-Tag: samba-4.10.11~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=329b78ed92cc8d08ca2ca88653890a8a60aa1a7b;p=thirdparty%2Fsamba.git

CVE-2019-14861: Test to demonstrate the bug

This test does not fail every time, but when it does it casues a segfault which
takes out the rpc_server master process, as this hosts the dnsserver pipe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py
index b2dffc924cb..c6a150c876f 100644
--- a/python/samba/tests/dcerpc/dnsserver.py
+++ b/python/samba/tests/dcerpc/dnsserver.py
@@ -191,6 +191,53 @@ class DnsserverTests(RpcInterfaceTestCase):
         self.assertEqual(result.rec[4].dnsNodeName.str, "atestrecord-3")
         self.assertEqual(result.rec[5].dnsNodeName.str, "atestrecord-4")
 
+    def test_enum_is_sorted_with_zone_dup(self):
+        """
+        Confirm the zone is sorted
+        """
+
+        record_str = "192.168.50.50"
+        record_type_str = "A"
+        self.add_record(self.custom_zone, "atestrecord-1", record_type_str, record_str)
+        self.add_record(self.custom_zone, "atestrecord-2", record_type_str, record_str)
+        self.add_record(self.custom_zone, "atestrecord-3", record_type_str, record_str)
+        self.add_record(self.custom_zone, "atestrecord-4", record_type_str, record_str)
+        self.add_record(self.custom_zone, "atestrecord-0", record_type_str, record_str)
+
+        # This triggers a bug in old Samba
+        self.add_record(self.custom_zone, self.custom_zone + "1", record_type_str, record_str)
+
+        dn, record = self.get_record_from_db(self.custom_zone, self.custom_zone + "1")
+
+        new_dn = ldb.Dn(self.samdb, str(dn))
+        new_dn.set_component(0, "dc", self.custom_zone)
+        self.samdb.rename(dn, new_dn)
+
+        _, result = self.conn.DnssrvEnumRecords2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
+                                                 0,
+                                                 self.server,
+                                                 self.custom_zone,
+                                                 "@",
+                                                 None,
+                                                 self.record_type_int(record_type_str),
+                                                 dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA,
+                                                 None,
+                                                 None)
+
+        self.assertEqual(len(result.rec), 7)
+        self.assertEqual(result.rec[0].dnsNodeName.str, "")
+        self.assertEqual(result.rec[1].dnsNodeName.str, "atestrecord-0")
+        self.assertEqual(result.rec[2].dnsNodeName.str, "atestrecord-1")
+        self.assertEqual(result.rec[3].dnsNodeName.str, "atestrecord-2")
+        self.assertEqual(result.rec[4].dnsNodeName.str, "atestrecord-3")
+        self.assertEqual(result.rec[5].dnsNodeName.str, "atestrecord-4")
+
+        # Windows doesn't reload the zone fast enough, but doesn't
+        # have the bug anyway, it will sort last on both names (where
+        # it should)
+        if result.rec[6].dnsNodeName.str != (self.custom_zone + "1"):
+            self.assertEqual(result.rec[6].dnsNodeName.str, self.custom_zone)
+
     def test_enum_is_sorted_children_prefix_first(self):
         """
         Confirm the zone returns the selected prefix first but no more