Skip to content

CVE-2022-32743 s4-acl: Add validated dNSHostName write and make NETLOGON operations use it

Andrew Bartlett requested to merge samba-team/devel/samba:jsutton24/dnshostname-validated into master

Submission on behalf of @jsutton24 from the previously embargoed Samba Bugzilla ticket.

We should fully implement the Validated-DNS-Host-Name right, which applies only to objectclass=computer, and make the dcesrv_netr_LogonGetDomainInfo() call use that, rather than the simple filter it has currently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by Andrew Bartlett

Merge request reports