From 7aeb3a7251dd8fd799b52088a9cce20a55a841b8 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <christof.schmitt@us.ibm.com>
Date: Mon, 5 Aug 2013 11:16:22 -0700
Subject: [PATCH 1/2] FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to
 zero

Otherwise num_volumes and the end marker can return uninitialized data
to the client.

Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
(cherry picked from commit 30e724cbff1ecd90e5a676831902d1e41ec1b347)
---
 source3/modules/vfs_default.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 82d059c..efb0204 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1151,7 +1151,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
 			return NT_STATUS_BUFFER_TOO_SMALL;
 		}
 
-		cur_pdata = talloc_array(ctx, char, *out_len);
+		cur_pdata = talloc_zero_array(ctx, char, *out_len);
 		if (cur_pdata == NULL) {
 			TALLOC_FREE(shadow_data);
 			return NT_STATUS_NO_MEMORY;
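Review bot: The reason the buffer must be zeroed is not recorded at the allocation site; only the commit message explains that bytes of `cur_pdata` that are never explicitly written (num_volumes, the end marker) are otherwise returned to the client, i.e. a heap-memory disclosure. A one-line comment above the new `talloc_zero_array` call would stop a later maintainer from "optimizing" it back to `talloc_array`: `/* Zeroed on purpose: any byte not explicitly written below is still sent to the client. */`. vfswrap_fsctl's body continues on both sides of the hunk.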
-- 
1.8.4.5


From 7d7d40522123066ecc80852f172e81b7c76f8fc6 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <christof.schmitt@us.ibm.com>
Date: Mon, 5 Aug 2013 11:21:59 -0700
Subject: [PATCH 2/2] FSCTL_GET_SHADOW_COPY_DATA: Don't return 4 extra bytes at
 end

labels_data_count already accounts for the unicode null character at the
end of the array. There is no need to add space for it again.

Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug  6 04:03:17 CEST 2013 on sn-devel-104

(cherry picked from commit eb50fb8f3bf670bd7d1cf8fd4368ef4a73083696)
---
 source3/modules/vfs_default.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index efb0204..304ef37 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1141,7 +1141,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
 		if (!labels) {
 			*out_len = 16;
 		} else {
-			*out_len = 12 + labels_data_count + 4;
+			*out_len = 12 + labels_data_count;
 		}
 
 		if (max_out_len < *out_len) {
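Review bot: `*out_len = 12 + labels_data_count` here and `SIVAL(cur_pdata, 8, labels_data_count)` in the second hunk (@@ -1168) are the two places that must agree on whether labels_data_count already includes the terminating unicode NUL, both had to be touched by this commit, and the invariant is stated only in the commit message. Record it where labels_data_count is computed (outside this hunk) or at its first use here, e.g. `/* labels_data_count already includes the terminating unicode NUL; do not add to it. */`, and consider naming the 12-byte header size instead of repeating the literal at `*out_len`, `SIVAL(..., 8, ...)` and `cur_pdata += 12`. The `!labels` branch still reports a fixed 16 bytes; whether that value was affected by the same double-count cannot be told from the hunk, so it is worth checking against the wire format. vfswrap_fsctl's body extends beyond both hunks.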
@@ -1168,7 +1168,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
 		}
 
 		/* needed_data_count 4 bytes */
-		SIVAL(cur_pdata, 8, labels_data_count + 4);
+		SIVAL(cur_pdata, 8, labels_data_count);
 
 		cur_pdata += 12;
 
-- 
1.8.4.5

From 9009a3c23e31d0323440af1edbc5bb3d2b6eaa79 Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Tue, 13 May 2014 08:13:29 +0200
Subject: [PATCH] bug #10609: CVE-2014-0239 Don't reply to replies

Due to insufficient input checking, the DNS server will reply to a packet that
has the "reply" bit set. Over UDP, this allows an attacker to send a packet with a
spoofed sender address and have two servers DoS each other with circular replies.

This patch fixes bug #10609 and adds a test to make sure we don't regress.
CVE-2014-2039 has been assigned to this issue.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10609

Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Kai Blin <kai@samba.org>
Autobuild-Date(master): Tue May 20 04:15:44 CEST 2014 on sn-devel-104

(cherry picked from commit 392ec4d241eb19c812cd49ff73bd32b2b09d8533)
---
 python/samba/tests/dns.py       | 29 +++++++++++++++++++++++++++++
 source4/dns_server/dns_server.c |  6 ++++++
 2 files changed, 35 insertions(+)

diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index f2c5685..79e4158 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -833,6 +833,35 @@ class TestInvalidQueries(DNSTest):
         self.assertEquals(response.answers[0].rdata,
                           os.getenv('SERVER_IP'))
 
+    def test_one_a_reply(self):
+        "send a reply instead of a query"
+
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        name = "%s.%s" % ('fakefakefake', self.get_dns_domain())
+        q = self.make_name_question(name, dns.DNS_QTYPE_A, dns.DNS_QCLASS_IN)
+        print "asking for ", q.name
+        questions.append(q)
+
+        self.finish_name_packet(p, questions)
+        p.operation |= dns.DNS_FLAG_REPLY
+        s = None
+        try:
+            send_packet = ndr.ndr_pack(p)
+            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
+            host=os.getenv('SERVER_IP')
+            s.connect((host, 53))
+            tcp_packet = struct.pack('!H', len(send_packet))
+            tcp_packet += send_packet
+            s.send(tcp_packet, 0)
+            recv_packet = s.recv(0xffff + 2, 0)
+            self.assertEquals(0, len(recv_packet))
+        finally:
+            if s is not None:
+                s.close()
+
+
 if __name__ == "__main__":
     import unittest
     unittest.main()
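Review bot: The regression test exercises only the TCP path (`socket.SOCK_STREAM` on the `s = socket.socket(...)` line), while the commit message identifies UDP with a spoofed source address as the damaging vector; over UDP a fixed server sends nothing back, so a companion test that opens a `SOCK_DGRAM` socket, calls `s.settimeout(...)` and asserts `socket.timeout` on `recv` would cover the path that matters. The TCP assertion `self.assertEquals(0, len(recv_packet))` relies on the server closing the connection rather than leaving it open; if it does not, `recv` blocks the whole suite, and a `settimeout` would turn that into a clear failure. `s.send(tcp_packet, 0)` does not guarantee the full length-prefixed message is written; `s.sendall(tcp_packet)` does.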
diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c
index 976774d..60ce27c 100644
--- a/source4/dns_server/dns_server.c
+++ b/source4/dns_server/dns_server.c
@@ -156,6 +156,12 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
+	if (state->in_packet.operation & DNS_FLAG_REPLY) {
+		DEBUG(1, ("Won't reply to replies.\n"));
+		tevent_req_werror(req, WERR_INVALID_PARAM);
+		return tevent_req_post(req, ev);
+	}
+
 	state->state.flags = state->in_packet.operation;
 	state->state.flags |= DNS_FLAG_REPLY;
 
-- 
1.9.1