Hide Forgot
As per upstream advisory: The NetBIOS over TCP/IP name resolution protocol is framed using the same format as DNS, and Samba's packing code for both uses DNS name compression. An attacker can choose a name which, when the name is included in the reply, causes the DNS name compression algorithm to walk a very long internal list while trying to compress the reply. This in in part because the traditional "." separator in DNS is not actually part of the DNS protocol, the limit of 128 components is exceeded by including "." inside the components. Specifically, the longest label is 63 characters, and Samba enforces a limit of 128 components. That means you can make a query for the address with 127 components, each of which is "...............................................................". In processing that query, Samba rewrites the name in dot-separated form, then converts it back to the wire format in order to reply. Unfortunately for Samba, it now finds the name is just 8127 dots, which it duly converts into over 8127 zero length labels.
Acknowledgments: Name: the Samba project
Statement: This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux and Red Hat Gluster Storage 3 because there is no support for samba as Active Directory Domain Controller.
External References: https://www.samba.org/samba/security/CVE-2020-10745.html
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1853256]
Upstream patch: https://github.com/samba-team/samba/commit/cc3a67760cf9faaad3af73b1eed9e2ef85276633