samba:fix CVE-2023-34967

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Polampalli, Archana <archana.polampalli@windriver.com> 2023-09-29 17:43:21 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-10-17 08:41:58 -0400
commit: bbe79e4f1787b97ec6c227720ffee06a690e2ab5 (patch)
tree: 228ab6c981ff305a4076f9d0d6f8e50006085a68
parent: 112397bdfe59c9479309d3838a34fc2ef579c44f (diff)
download: meta-openembedded-bbe79e4f1787b97ec6c227720ffee06a690e2ab5.tar.gz
3 files changed, 305 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0001.patch
new file mode 100644
index 0000000000..e30e54ab96
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0001.patch
@@ -0,0 +1,178 @@
+From 3b3c30e2acfb00d04c4013e32343bc277d5b1aa8 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 31 May 2023 16:26:14 +0200
+Subject: [PATCH] CVE-2023-34967: CI: add a test for type checking of
+ dalloc_value_for_key()
+Sends a maliciously crafted packet where the value in a key/value style
+dictionary for the "scope" key is a simple string object whereas the server
+expects an array. As the server doesn't perform type validation on the value, it
+crashes when trying to use the "simple" object as a "complex" one.
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/3b3c30e2acfb00d04c4013e32343bc277d5b1aa8]
+CVE: CVE-2023-34967
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source4/torture/rpc/mdssvc.c | 134 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 134 insertions(+)
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index f5f5939..1dce403 100644
+--- a/source4/torture/rpc/mdssvc.c
+++ b/source4/torture/rpc/mdssvc.c
+@@ -666,6 +666,136 @@ done:
+        return ok;
+ }
+static bool test_sl_dict_type_safety(struct torture_context *tctx,
+                                    void *data)
+{
+       struct torture_mdsscv_state *state = talloc_get_type_abort(
+               data, struct torture_mdsscv_state);
+       struct dcerpc_binding_handle *b = state->p->binding_handle;
+       struct mdssvc_blob request_blob;
+       struct mdssvc_blob response_blob;
+       uint64_t ctx1 = 0xdeadbeef;
+       uint64_t ctx2 = 0xcafebabe;
+       uint32_t device_id;
+       uint32_t unkn2;
+       uint32_t unkn9;
+       uint32_t fragment;
+       uint32_t flags;
+       DALLOC_CTX *d = NULL;
+       sl_array_t *array1 = NULL, *array2 = NULL;
+       sl_dict_t *arg = NULL;
+       int result;
+       NTSTATUS status;
+       bool ok = true;
+
+       device_id = UINT32_C(0x2f000045);
+       unkn2 = 23;
+       unkn9 = 0;
+       fragment = 0;
+       flags = UINT32_C(0x6b000001);
+
+       d = dalloc_new(tctx);
+       torture_assert_not_null_goto(tctx, d,
+                                    ok, done, "dalloc_new failed\n");
+
+       array1 = dalloc_zero(d, sl_array_t);
+       torture_assert_not_null_goto(tctx, array1,
+                                    ok, done, "dalloc_zero failed\n");
+
+       array2 = dalloc_zero(d, sl_array_t);
+       torture_assert_not_null_goto(tctx, array2,
+                                    ok, done, "dalloc_new failed\n");
+
+       result = dalloc_stradd(array2, "openQueryWithParams:forContext:");
+       torture_assert_goto(tctx, result == 0,
+                           ok, done, "dalloc_stradd failed\n");
+
+       result = dalloc_add_copy(array2, &ctx1, uint64_t);
+       torture_assert_goto(tctx, result == 0,
+                           ok, done, "dalloc_stradd failed\n");
+
+       result = dalloc_add_copy(array2, &ctx2, uint64_t);
+       torture_assert_goto(tctx, result == 0,
+                           ok, done, "dalloc_stradd failed\n");
+
+       arg = dalloc_zero(array1, sl_dict_t);
+       torture_assert_not_null_goto(tctx, d,
+                                    ok, done, "dalloc_zero failed\n");
+
+       result = dalloc_stradd(arg, "kMDQueryString");
+       torture_assert_goto(tctx, result == 0,
+                           ok, done, "dalloc_stradd failed\n");
+
+       result = dalloc_stradd(arg, "*");
+       torture_assert_goto(tctx, result == 0,
+                           ok, done, "dalloc_stradd failed\n");
+
+       result = dalloc_stradd(arg, "kMDScopeArray");
+       torture_assert_goto(tctx, result == 0,
+                           ok, done, "dalloc_stradd failed\n");
+
+       result = dalloc_stradd(arg, "AAAABBBB");
+       torture_assert_goto(tctx, result == 0,
+                           ok, done, "dalloc_stradd failed\n");
+
+       result = dalloc_add(array1, array2, sl_array_t);
+       torture_assert_goto(tctx, result == 0,
+                           ok, done, "dalloc_add failed\n");
+
+       result = dalloc_add(array1, arg, sl_dict_t);
+       torture_assert_goto(tctx, result == 0,
+                           ok, done, "dalloc_add failed\n");
+
+       result = dalloc_add(d, array1, sl_array_t);
+       torture_assert_goto(tctx, result == 0,
+                           ok, done, "dalloc_add failed\n");
+
+       torture_comment(tctx, "%s", dalloc_dump(d, 0));
+
+       request_blob.spotlight_blob = talloc_array(tctx,
+                                                  uint8_t,
+                                                  64 * 1024);
+       torture_assert_not_null_goto(tctx, request_blob.spotlight_blob,
+                                    ok, done, "dalloc_new failed\n");
+       request_blob.size = 64 * 1024;
+
+       request_blob.length = sl_pack(d,
+                                     (char *)request_blob.spotlight_blob,
+                                     request_blob.size);
+       torture_assert_goto(tctx, request_blob.length > 0,
+                           ok, done, "sl_pack failed\n");
+
+       response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
+       torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
+                                    ok, done, "dalloc_zero failed\n");
+       response_blob.size = 0;
+
+       status = dcerpc_mdssvc_cmd(b,
+                                  state,
+                                  &state->ph,
+                                  0,
+                                  device_id,
+                                  unkn2,
+                                  0,
+                                  flags,
+                                  request_blob,
+                                  0,
+                                  64 * 1024,
+                                  1,
+                                  64 * 1024,
+                                  0,
+                                  0,
+                                  &fragment,
+                                  &response_blob,
+                                  &unkn9);
+       torture_assert_ntstatus_ok_goto(
+               tctx, status, ok, done,
+               "dcerpc_mdssvc_cmd failed\n");
+
+done:
+       return ok;
+}
+
+ static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
+                                         void *data)
+ {
+@@ -940,6 +1070,10 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
+        torture_tcase_add_simple_test(tcase,
+                                      "mdssvc_sl_unpack_loop",
+                                      test_mdssvc_sl_unpack_loop);
+       torture_tcase_add_simple_test(tcase,
+                                     "sl_dict_type_safety",
+                                     test_sl_dict_type_safety);
+
+        return suite;
+ }
+--
+2.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0002.patch
new file mode 100644
index 0000000000..2e4907ab62
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0002.patch
@@ -0,0 +1,125 @@
+From 049c13245649fab412b61a5b55e5a7dea72d7c72 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 15:06:38 +0200
+Subject: [PATCH] CVE-2023-34967: mdssvc: add type checking to
+ dalloc_value_for_key()
+Change the dalloc_value_for_key() function to require an additional final
+argument which denotes the expected type of the value associated with a key. If
+the types don't match, return NULL.
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/4c60e35add4a1abd04334012a8d6edf1c3f396ba]
+CVE: CVE-2023-34967
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_server/mdssvc/dalloc.c | 14 ++++++++++----
+ source3/rpc_server/mdssvc/mdssvc.c | 17 +++++++++++++----
+ 2 files changed, 23 insertions(+), 8 deletions(-)
+diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c
+index 007702d..8b79b41 100644
+--- a/source3/rpc_server/mdssvc/dalloc.c
+++ b/source3/rpc_server/mdssvc/dalloc.c
+@@ -159,7 +159,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+        int result = 0;
+        void *p = NULL;
+        va_list args;
+-       const char *type;
+       const char *type = NULL;
+        int elem;
+        size_t array_len;
+@@ -170,7 +170,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+                array_len = talloc_array_length(d->dd_talloc_array);
+                elem = va_arg(args, int);
+                if (elem >= array_len) {
+-                       va_end(args);
+                        result = -1;
+                        goto done;
+                }
+@@ -178,8 +177,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+                type = va_arg(args, const char *);
+        }
+-       va_end(args);
+-
+        array_len = talloc_array_length(d->dd_talloc_array);
+        for (elem = 0; elem + 1 < array_len; elem += 2) {
+@@ -192,8 +189,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+                        break;
+                }
+        }
+       if (p == NULL) {
+               goto done;
+       }
+
+       type = va_arg(args, const char *);
+       if (strcmp(talloc_get_name(p), type) != 0) {
+               p = NULL;
+       }
+ done:
+       va_end(args);
+        if (result != 0) {
+                p = NULL;
+        }
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index a983a88..fe6e0c2 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
+++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -884,7 +884,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+        querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+                                           "DALLOC_CTX", 1,
+-                                          "kMDQueryString");
+                                          "kMDQueryString",
+                                          "char *");
+        if (querystring == NULL) {
+                DEBUG(1, ("missing kMDQueryString\n"));
+                goto error;
+@@ -924,8 +925,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+        slq->ctx2 = *uint64p;
+        path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+-                                         "DALLOC_CTX", 1, "kMDScopeArray");
+                                          "DALLOC_CTX", 1,
+                                         "kMDScopeArray",
+                                         "sl_array_t");
+        if (path_scope == NULL) {
+               DBG_ERR("missing kMDScopeArray\n");
+                goto error;
+        }
+@@ -940,8 +944,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+        }
+        reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+-                                      "DALLOC_CTX", 1, "kMDAttributeArray");
+                                      "DALLOC_CTX", 1,
+                                      "kMDAttributeArray",
+                                      "sl_array_t");
+        if (reqinfo == NULL) {
+               DBG_ERR("missing kMDAttributeArray\n");
+                goto error;
+        }
+@@ -949,7 +956,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+        DEBUG(10, ("requested attributes: %s", dalloc_dump(reqinfo, 0)));
+        cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+-                                    "DALLOC_CTX", 1, "kMDQueryItemArray");
+                                    "DALLOC_CTX", 1,
+                                    "kMDQueryItemArray",
+                                    "sl_array_t");
+        if (cnids) {
+                ok = sort_cnids(slq, cnids->ca_cnids);
+                if (!ok) {
+--
+2.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index b71c4b3fca..73e8a82e89 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -36,6 +36,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
           file://CVE-2023-34966_0001.patch \
           file://CVE-2023-34966_0002.patch \
           file://CVE-2022-2127.patch \
+           file://CVE-2023-34967_0001.patch \
+           file://CVE-2023-34967_0002.patch \
           "
 SRC_URI:append:libc-musl = " \
author	Polampalli, Archana <archana.polampalli@windriver.com>	2023-09-29 17:43:21 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-10-17 08:41:58 -0400
commit	bbe79e4f1787b97ec6c227720ffee06a690e2ab5 (patch)
tree	228ab6c981ff305a4076f9d0d6f8e50006085a68
parent	112397bdfe59c9479309d3838a34fc2ef579c44f (diff)
download	meta-openembedded-bbe79e4f1787b97ec6c227720ffee06a690e2ab5.tar.gz

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0001.patch new file mode 100644 index 0000000000..e30e54ab96 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0001.patch
@@ -0,0 +1,178 @@
		1	From 3b3c30e2acfb00d04c4013e32343bc277d5b1aa8 Mon Sep 17 00:00:00 2001
		2	From: Ralph Boehme <slow@samba.org>
		3	Date: Wed, 31 May 2023 16:26:14 +0200
		4	Subject: [PATCH] CVE-2023-34967: CI: add a test for type checking of
		5	dalloc_value_for_key()
		6
		7	Sends a maliciously crafted packet where the value in a key/value style
		8	dictionary for the "scope" key is a simple string object whereas the server
		9	expects an array. As the server doesn't perform type validation on the value, it
		10	crashes when trying to use the "simple" object as a "complex" one.
		11
		12	BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
		13
		14	Signed-off-by: Ralph Boehme <slow@samba.org>
		15
		16	Upstream-Status: Backport [https://github.com/samba-team/samba/commit/3b3c30e2acfb00d04c4013e32343bc277d5b1aa8]
		17
		18	CVE: CVE-2023-34967
		19
		20	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		21	---
		22	source4/torture/rpc/mdssvc.c \| 134 +++++++++++++++++++++++++++++++++++
		23	1 file changed, 134 insertions(+)
		24
		25	diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
		26	index f5f5939..1dce403 100644
		27	--- a/source4/torture/rpc/mdssvc.c
		28	+++ b/source4/torture/rpc/mdssvc.c
		29	@@ -666,6 +666,136 @@ done:
		30	return ok;
		31	}
		32
		33	+static bool test_sl_dict_type_safety(struct torture_context *tctx,
		34	+ void *data)
		35	+{
		36	+ struct torture_mdsscv_state *state = talloc_get_type_abort(
		37	+ data, struct torture_mdsscv_state);
		38	+ struct dcerpc_binding_handle *b = state->p->binding_handle;
		39	+ struct mdssvc_blob request_blob;
		40	+ struct mdssvc_blob response_blob;
		41	+ uint64_t ctx1 = 0xdeadbeef;
		42	+ uint64_t ctx2 = 0xcafebabe;
		43	+ uint32_t device_id;
		44	+ uint32_t unkn2;
		45	+ uint32_t unkn9;
		46	+ uint32_t fragment;
		47	+ uint32_t flags;
		48	+ DALLOC_CTX *d = NULL;
		49	+ sl_array_t array1 = NULL, array2 = NULL;
		50	+ sl_dict_t *arg = NULL;
		51	+ int result;
		52	+ NTSTATUS status;
		53	+ bool ok = true;
		54	+
		55	+ device_id = UINT32_C(0x2f000045);
		56	+ unkn2 = 23;
		57	+ unkn9 = 0;
		58	+ fragment = 0;
		59	+ flags = UINT32_C(0x6b000001);
		60	+
		61	+ d = dalloc_new(tctx);
		62	+ torture_assert_not_null_goto(tctx, d,
		63	+ ok, done, "dalloc_new failed\n");
		64	+
		65	+ array1 = dalloc_zero(d, sl_array_t);
		66	+ torture_assert_not_null_goto(tctx, array1,
		67	+ ok, done, "dalloc_zero failed\n");
		68	+
		69	+ array2 = dalloc_zero(d, sl_array_t);
		70	+ torture_assert_not_null_goto(tctx, array2,
		71	+ ok, done, "dalloc_new failed\n");
		72	+
		73	+ result = dalloc_stradd(array2, "openQueryWithParams:forContext:");
		74	+ torture_assert_goto(tctx, result == 0,
		75	+ ok, done, "dalloc_stradd failed\n");
		76	+
		77	+ result = dalloc_add_copy(array2, &ctx1, uint64_t);
		78	+ torture_assert_goto(tctx, result == 0,
		79	+ ok, done, "dalloc_stradd failed\n");
		80	+
		81	+ result = dalloc_add_copy(array2, &ctx2, uint64_t);
		82	+ torture_assert_goto(tctx, result == 0,
		83	+ ok, done, "dalloc_stradd failed\n");
		84	+
		85	+ arg = dalloc_zero(array1, sl_dict_t);
		86	+ torture_assert_not_null_goto(tctx, d,
		87	+ ok, done, "dalloc_zero failed\n");
		88	+
		89	+ result = dalloc_stradd(arg, "kMDQueryString");
		90	+ torture_assert_goto(tctx, result == 0,
		91	+ ok, done, "dalloc_stradd failed\n");
		92	+
		93	+ result = dalloc_stradd(arg, "*");
		94	+ torture_assert_goto(tctx, result == 0,
		95	+ ok, done, "dalloc_stradd failed\n");
		96	+
		97	+ result = dalloc_stradd(arg, "kMDScopeArray");
		98	+ torture_assert_goto(tctx, result == 0,
		99	+ ok, done, "dalloc_stradd failed\n");
		100	+
		101	+ result = dalloc_stradd(arg, "AAAABBBB");
		102	+ torture_assert_goto(tctx, result == 0,
		103	+ ok, done, "dalloc_stradd failed\n");
		104	+
		105	+ result = dalloc_add(array1, array2, sl_array_t);
		106	+ torture_assert_goto(tctx, result == 0,
		107	+ ok, done, "dalloc_add failed\n");
		108	+
		109	+ result = dalloc_add(array1, arg, sl_dict_t);
		110	+ torture_assert_goto(tctx, result == 0,
		111	+ ok, done, "dalloc_add failed\n");
		112	+
		113	+ result = dalloc_add(d, array1, sl_array_t);
		114	+ torture_assert_goto(tctx, result == 0,
		115	+ ok, done, "dalloc_add failed\n");
		116	+
		117	+ torture_comment(tctx, "%s", dalloc_dump(d, 0));
		118	+
		119	+ request_blob.spotlight_blob = talloc_array(tctx,
		120	+ uint8_t,
		121	+ 64 * 1024);
		122	+ torture_assert_not_null_goto(tctx, request_blob.spotlight_blob,
		123	+ ok, done, "dalloc_new failed\n");
		124	+ request_blob.size = 64 * 1024;
		125	+
		126	+ request_blob.length = sl_pack(d,
		127	+ (char *)request_blob.spotlight_blob,
		128	+ request_blob.size);
		129	+ torture_assert_goto(tctx, request_blob.length > 0,
		130	+ ok, done, "sl_pack failed\n");
		131	+
		132	+ response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
		133	+ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
		134	+ ok, done, "dalloc_zero failed\n");
		135	+ response_blob.size = 0;
		136	+
		137	+ status = dcerpc_mdssvc_cmd(b,
		138	+ state,
		139	+ &state->ph,
		140	+ 0,
		141	+ device_id,
		142	+ unkn2,
		143	+ 0,
		144	+ flags,
		145	+ request_blob,
		146	+ 0,
		147	+ 64 * 1024,
		148	+ 1,
		149	+ 64 * 1024,
		150	+ 0,
		151	+ 0,
		152	+ &fragment,
		153	+ &response_blob,
		154	+ &unkn9);
		155	+ torture_assert_ntstatus_ok_goto(
		156	+ tctx, status, ok, done,
		157	+ "dcerpc_mdssvc_cmd failed\n");
		158	+
		159	+done:
		160	+ return ok;
		161	+}
		162	+
		163	static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
		164	void *data)
		165	{
		166	@@ -940,6 +1070,10 @@ struct torture_suite torture_rpc_mdssvc(TALLOC_CTX mem_ctx)
		167	torture_tcase_add_simple_test(tcase,
		168	"mdssvc_sl_unpack_loop",
		169	test_mdssvc_sl_unpack_loop);
		170	+ torture_tcase_add_simple_test(tcase,
		171	+ "sl_dict_type_safety",
		172	+ test_sl_dict_type_safety);
		173	+
		174
		175	return suite;
		176	}
		177	--
		178	2.40.0


diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0002.patch new file mode 100644 index 0000000000..2e4907ab62 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0002.patch
@@ -0,0 +1,125 @@
		1	From 049c13245649fab412b61a5b55e5a7dea72d7c72 Mon Sep 17 00:00:00 2001
		2	From: Ralph Boehme <slow@samba.org>
		3	Date: Fri, 26 May 2023 15:06:38 +0200
		4	Subject: [PATCH] CVE-2023-34967: mdssvc: add type checking to
		5	dalloc_value_for_key()
		6
		7	Change the dalloc_value_for_key() function to require an additional final
		8	argument which denotes the expected type of the value associated with a key. If
		9	the types don't match, return NULL.
		10
		11	BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
		12
		13	Signed-off-by: Ralph Boehme <slow@samba.org>
		14
		15	Upstream-Status: Backport [https://github.com/samba-team/samba/commit/4c60e35add4a1abd04334012a8d6edf1c3f396ba]
		16
		17	CVE: CVE-2023-34967
		18
		19	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		20	---
		21	source3/rpc_server/mdssvc/dalloc.c \| 14 ++++++++++----
		22	source3/rpc_server/mdssvc/mdssvc.c \| 17 +++++++++++++----
		23	2 files changed, 23 insertions(+), 8 deletions(-)
		24
		25	diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c
		26	index 007702d..8b79b41 100644
		27	--- a/source3/rpc_server/mdssvc/dalloc.c
		28	+++ b/source3/rpc_server/mdssvc/dalloc.c
		29	@@ -159,7 +159,7 @@ void dalloc_value_for_key(const DALLOC_CTX d, ...)
		30	int result = 0;
		31	void *p = NULL;
		32	va_list args;
		33	- const char *type;
		34	+ const char *type = NULL;
		35	int elem;
		36	size_t array_len;
		37
		38	@@ -170,7 +170,6 @@ void dalloc_value_for_key(const DALLOC_CTX d, ...)
		39	array_len = talloc_array_length(d->dd_talloc_array);
		40	elem = va_arg(args, int);
		41	if (elem >= array_len) {
		42	- va_end(args);
		43	result = -1;
		44	goto done;
		45	}
		46	@@ -178,8 +177,6 @@ void dalloc_value_for_key(const DALLOC_CTX d, ...)
		47	type = va_arg(args, const char *);
		48	}
		49
		50	- va_end(args);
		51	-
		52	array_len = talloc_array_length(d->dd_talloc_array);
		53
		54	for (elem = 0; elem + 1 < array_len; elem += 2) {
		55	@@ -192,8 +189,17 @@ void dalloc_value_for_key(const DALLOC_CTX d, ...)
		56	break;
		57	}
		58	}
		59	+ if (p == NULL) {
		60	+ goto done;
		61	+ }
		62	+
		63	+ type = va_arg(args, const char *);
		64	+ if (strcmp(talloc_get_name(p), type) != 0) {
		65	+ p = NULL;
		66	+ }
		67
		68	done:
		69	+ va_end(args);
		70	if (result != 0) {
		71	p = NULL;
		72	}
		73	diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
		74	index a983a88..fe6e0c2 100644
		75	--- a/source3/rpc_server/mdssvc/mdssvc.c
		76	+++ b/source3/rpc_server/mdssvc/mdssvc.c
		77	@@ -884,7 +884,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
		78
		79	querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0,
		80	"DALLOC_CTX", 1,
		81	- "kMDQueryString");
		82	+ "kMDQueryString",
		83	+ "char *");
		84	if (querystring == NULL) {
		85	DEBUG(1, ("missing kMDQueryString\n"));
		86	goto error;
		87	@@ -924,8 +925,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
		88	slq->ctx2 = *uint64p;
		89
		90	path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,
		91	- "DALLOC_CTX", 1, "kMDScopeArray");
		92	+ "DALLOC_CTX", 1,
		93	+ "kMDScopeArray",
		94	+ "sl_array_t");
		95	if (path_scope == NULL) {
		96	+ DBG_ERR("missing kMDScopeArray\n");
		97	goto error;
		98	}
		99
		100	@@ -940,8 +944,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
		101	}
		102
		103	reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0,
		104	- "DALLOC_CTX", 1, "kMDAttributeArray");
		105	+ "DALLOC_CTX", 1,
		106	+ "kMDAttributeArray",
		107	+ "sl_array_t");
		108	if (reqinfo == NULL) {
		109	+ DBG_ERR("missing kMDAttributeArray\n");
		110	goto error;
		111	}
		112
		113	@@ -949,7 +956,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
		114	DEBUG(10, ("requested attributes: %s", dalloc_dump(reqinfo, 0)));
		115
		116	cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
		117	- "DALLOC_CTX", 1, "kMDQueryItemArray");
		118	+ "DALLOC_CTX", 1,
		119	+ "kMDQueryItemArray",
		120	+ "sl_array_t");
		121	if (cnids) {
		122	ok = sort_cnids(slq, cnids->ca_cnids);
		123	if (!ok) {
		124	--
		125	2.40.0


diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb index b71c4b3fca..73e8a82e89 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -36,6 +36,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
36	file://CVE-2023-34966_0001.patch \	36	file://CVE-2023-34966_0001.patch \
37	file://CVE-2023-34966_0002.patch \	37	file://CVE-2023-34966_0002.patch \
38	file://CVE-2022-2127.patch \	38	file://CVE-2022-2127.patch \
		39	file://CVE-2023-34967_0001.patch \
		40	file://CVE-2023-34967_0002.patch \
39	"	41	"
40		42
41	SRC_URI:append:libc-musl = " \	43	SRC_URI:append:libc-musl = " \