samba: fix CVE-2023-34966

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Polampalli, Archana <archana.polampalli@windriver.com> 2023-09-29 17:43:19 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-10-17 08:40:46 -0400
commit: 2715358a3d7e134ae7e2dc689f40c4fdd47f6d4f (patch)
tree: ad6f989994d1d759b964a9111927ff468df4436b /meta-networking
parent: 9c5541f7e18a1fac3b8dea71e1ebb8398d58e6ff (diff)
download: meta-openembedded-2715358a3d7e134ae7e2dc689f40c4fdd47f6d4f.tar.gz
3 files changed, 220 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch
new file mode 100644
index 0000000000..77a383f09e
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch
@@ -0,0 +1,78 @@
+From 38664163fcac985d87e4274d198568e0fe88595e Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 13:06:19 +0200
+Subject: [PATCH] CVE-2023-34966: mdssvc: harden sl_unpack_loop()
+A malicious client could send a packet where subcount is zero, leading to a busy
+loop because
+    count -= subcount
+=>  count -= 0
+=>  while (count > 0)
+loops forever.
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/38664163fcac985d87e4274d198568e0fe88595e]
+CVE: CVE-2023-34966
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_server/mdssvc/marshalling.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
+index 9ba6ef571f2..d794ba15838 100644
+--- a/source3/rpc_server/mdssvc/marshalling.c
+++ b/source3/rpc_server/mdssvc/marshalling.c
+@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+                        sl_nil_t nil = 0;
+                        subcount = tag.count;
+-                       if (subcount > count) {
+                       if (subcount < 1 || subcount > count) {
+                                return -1;
+                        }
+                        for (i = 0; i < subcount; i++) {
+@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+                case SQ_TYPE_INT64:
+                        subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding);
+-                       if (subcount == -1 || subcount > count) {
+                       if (subcount < 1 || subcount > count) {
+                                return -1;
+                        }
+                        offset += tag.size;
+@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+                case SQ_TYPE_UUID:
+                        subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding);
+-                       if (subcount == -1 || subcount > count) {
+                       if (subcount < 1 || subcount > count) {
+                                return -1;
+                        }
+                        offset += tag.size;
+@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+                case SQ_TYPE_FLOAT:
+                        subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding);
+-                       if (subcount == -1 || subcount > count) {
+                       if (subcount < 1 || subcount > count) {
+                                return -1;
+                        }
+                        offset += tag.size;
+@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+                case SQ_TYPE_DATE:
+                        subcount = sl_unpack_date(query, buf, offset, bufsize, encoding);
+-                       if (subcount == -1 || subcount > count) {
+                       if (subcount < 1 || subcount > count) {
+                                return -1;
+                        }
+                        offset += tag.size;
+--
+2.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch
new file mode 100644
index 0000000000..a86d1729cf
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch
@@ -0,0 +1,140 @@
+From 10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 31 May 2023 15:34:26 +0200
+Subject: [PATCH] CVE-2023-34966: CI: test for sl_unpack_loop()
+Send a maliciously crafted packet where a nil type has a subcount of 0. This
+triggers an endless loop in mdssvc sl_unpack_loop().
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9]
+CVE: CVE-2023-34966
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source4/torture/rpc/mdssvc.c | 100 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 100 insertions(+)
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index 2d2a8306412..a9956ef8f1d 100644
+--- a/source4/torture/rpc/mdssvc.c
+++ b/source4/torture/rpc/mdssvc.c
+@@ -581,6 +581,102 @@ done:
+        return ok;
+ }
+static uint8_t test_sl_unpack_loop_buf[] = {
+       0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d,
+       0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
+       0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,
+       0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00,
+       0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00,
+       0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00,
+       0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74,
+       0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a,
+       0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72,
+       0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74,
+       0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea,
+       0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00,
+       0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00,
+       0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00,
+       0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00,
+       0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50,
+       0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00,
+       0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00,
+       0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b,
+       0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00,
+       0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
+       0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
+       0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00,
+       0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00,
+       0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00,
+       0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00
+};
+
+static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
+                                      void *data)
+{
+       struct torture_mdsscv_state *state = talloc_get_type_abort(
+               data, struct torture_mdsscv_state);
+       struct dcerpc_binding_handle *b = state->p->binding_handle;
+       struct mdssvc_blob request_blob;
+       struct mdssvc_blob response_blob;
+       uint32_t device_id;
+       uint32_t unkn2;
+       uint32_t unkn9;
+       uint32_t fragment;
+       uint32_t flags;
+       NTSTATUS status;
+       bool ok = true;
+
+       device_id = UINT32_C(0x2f000045);
+       unkn2 = 23;
+       unkn9 = 0;
+       fragment = 0;
+       flags = UINT32_C(0x6b000001);
+
+       request_blob.spotlight_blob = test_sl_unpack_loop_buf;
+       request_blob.size = sizeof(test_sl_unpack_loop_buf);
+       request_blob.length = sizeof(test_sl_unpack_loop_buf);
+
+       response_blob.spotlight_blob = talloc_array(state,
+                                                   uint8_t,
+                                                   0);
+       torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
+                                    ok, done, "dalloc_zero failed\n");
+       response_blob.size = 0;
+
+       status = dcerpc_mdssvc_cmd(b,
+                                  state,
+                                  &state->ph,
+                                  0,
+                                  device_id,
+                                  unkn2,
+                                  0,
+                                  flags,
+                                  request_blob,
+                                  0,
+                                  64 * 1024,
+                                  1,
+                                  64 * 1024,
+                                  0,
+                                  0,
+                                  &fragment,
+                                  &response_blob,
+                                  &unkn9);
+       torture_assert_ntstatus_ok_goto(
+               tctx, status, ok, done,
+               "dcerpc_mdssvc_unknown1 failed\n");
+
+done:
+       return ok;
+}
+
+ static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
+                                         void *data)
+ {
+@@ -856,5 +952,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
+                                      "fetch_unknown_cnid",
+                                      test_mdssvc_fetch_attr_unknown_cnid);
+       torture_tcase_add_simple_test(tcase,
+                                     "mdssvc_sl_unpack_loop",
+                                     test_mdssvc_sl_unpack_loop);
+
+        return suite;
+ }
+--
+2.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index 72021745b3..11b6ade405 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -33,6 +33,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
           file://CVE-2022-45142.patch;patchdir=source4/heimdal \
           file://CVE-2022-41916.patch;patchdir=source4/heimdal \
           file://CVE-2021-44758.patch;patchdir=source4/heimdal \
+           file://CVE-2023-34966_0001.patch \
+           file://CVE-2023-34966_0002.patch \
           "
 SRC_URI:append:libc-musl = " \
author	Polampalli, Archana <archana.polampalli@windriver.com>	2023-09-29 17:43:19 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-10-17 08:40:46 -0400
commit	2715358a3d7e134ae7e2dc689f40c4fdd47f6d4f (patch)
tree	ad6f989994d1d759b964a9111927ff468df4436b /meta-networking
parent	9c5541f7e18a1fac3b8dea71e1ebb8398d58e6ff (diff)
download	meta-openembedded-2715358a3d7e134ae7e2dc689f40c4fdd47f6d4f.tar.gz

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch new file mode 100644 index 0000000000..77a383f09e --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch
@@ -0,0 +1,78 @@
		1	From 38664163fcac985d87e4274d198568e0fe88595e Mon Sep 17 00:00:00 2001
		2	From: Ralph Boehme <slow@samba.org>
		3	Date: Fri, 26 May 2023 13:06:19 +0200
		4	Subject: [PATCH] CVE-2023-34966: mdssvc: harden sl_unpack_loop()
		5
		6	A malicious client could send a packet where subcount is zero, leading to a busy
		7	loop because
		8
		9	count -= subcount
		10	=> count -= 0
		11	=> while (count > 0)
		12
		13	loops forever.
		14
		15	BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
		16
		17	Signed-off-by: Ralph Boehme <slow@samba.org>
		18
		19	Upstream-Status: Backport [https://github.com/samba-team/samba/commit/38664163fcac985d87e4274d198568e0fe88595e]
		20
		21	CVE: CVE-2023-34966
		22
		23	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		24	---
		25	source3/rpc_server/mdssvc/marshalling.c \| 10 +++++-----
		26	1 file changed, 5 insertions(+), 5 deletions(-)
		27
		28	diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
		29	index 9ba6ef571f2..d794ba15838 100644
		30	--- a/source3/rpc_server/mdssvc/marshalling.c
		31	+++ b/source3/rpc_server/mdssvc/marshalling.c
		32	@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
		33	sl_nil_t nil = 0;
		34
		35	subcount = tag.count;
		36	- if (subcount > count) {
		37	+ if (subcount < 1 \|\| subcount > count) {
		38	return -1;
		39	}
		40	for (i = 0; i < subcount; i++) {
		41	@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
		42
		43	case SQ_TYPE_INT64:
		44	subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding);
		45	- if (subcount == -1 \|\| subcount > count) {
		46	+ if (subcount < 1 \|\| subcount > count) {
		47	return -1;
		48	}
		49	offset += tag.size;
		50	@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
		51
		52	case SQ_TYPE_UUID:
		53	subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding);
		54	- if (subcount == -1 \|\| subcount > count) {
		55	+ if (subcount < 1 \|\| subcount > count) {
		56	return -1;
		57	}
		58	offset += tag.size;
		59	@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
		60
		61	case SQ_TYPE_FLOAT:
		62	subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding);
		63	- if (subcount == -1 \|\| subcount > count) {
		64	+ if (subcount < 1 \|\| subcount > count) {
		65	return -1;
		66	}
		67	offset += tag.size;
		68	@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
		69
		70	case SQ_TYPE_DATE:
		71	subcount = sl_unpack_date(query, buf, offset, bufsize, encoding);
		72	- if (subcount == -1 \|\| subcount > count) {
		73	+ if (subcount < 1 \|\| subcount > count) {
		74	return -1;
		75	}
		76	offset += tag.size;
		77	--
		78	2.40.0


diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch new file mode 100644 index 0000000000..a86d1729cf --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch
@@ -0,0 +1,140 @@
		1	From 10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9 Mon Sep 17 00:00:00 2001
		2	From: Ralph Boehme <slow@samba.org>
		3	Date: Wed, 31 May 2023 15:34:26 +0200
		4	Subject: [PATCH] CVE-2023-34966: CI: test for sl_unpack_loop()
		5
		6	Send a maliciously crafted packet where a nil type has a subcount of 0. This
		7	triggers an endless loop in mdssvc sl_unpack_loop().
		8
		9	BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
		10
		11	Signed-off-by: Ralph Boehme <slow@samba.org>
		12
		13	Upstream-Status: Backport [https://github.com/samba-team/samba/commit/10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9]
		14
		15	CVE: CVE-2023-34966
		16
		17	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		18	---
		19	source4/torture/rpc/mdssvc.c \| 100 +++++++++++++++++++++++++++++++++++
		20	1 file changed, 100 insertions(+)
		21
		22	diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
		23	index 2d2a8306412..a9956ef8f1d 100644
		24	--- a/source4/torture/rpc/mdssvc.c
		25	+++ b/source4/torture/rpc/mdssvc.c
		26	@@ -581,6 +581,102 @@ done:
		27	return ok;
		28	}
		29
		30	+static uint8_t test_sl_unpack_loop_buf[] = {
		31	+ 0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d,
		32	+ 0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
		33	+ 0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,
		34	+ 0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00,
		35	+ 0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00,
		36	+ 0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00,
		37	+ 0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74,
		38	+ 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a,
		39	+ 0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72,
		40	+ 0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74,
		41	+ 0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea,
		42	+ 0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00,
		43	+ 0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		44	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		45	+ 0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00,
		46	+ 0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00,
		47	+ 0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00,
		48	+ 0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50,
		49	+ 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00,
		50	+ 0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00,
		51	+ 0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00,
		52	+ 0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b,
		53	+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		54	+ 0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00,
		55	+ 0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
		56	+ 0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
		57	+ 0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00,
		58	+ 0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00,
		59	+ 0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00,
		60	+ 0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00,
		61	+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		62	+ 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
		63	+ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
		64	+ 0x00, 0x00, 0x00, 0x00
		65	+};
		66	+
		67	+static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
		68	+ void *data)
		69	+{
		70	+ struct torture_mdsscv_state *state = talloc_get_type_abort(
		71	+ data, struct torture_mdsscv_state);
		72	+ struct dcerpc_binding_handle *b = state->p->binding_handle;
		73	+ struct mdssvc_blob request_blob;
		74	+ struct mdssvc_blob response_blob;
		75	+ uint32_t device_id;
		76	+ uint32_t unkn2;
		77	+ uint32_t unkn9;
		78	+ uint32_t fragment;
		79	+ uint32_t flags;
		80	+ NTSTATUS status;
		81	+ bool ok = true;
		82	+
		83	+ device_id = UINT32_C(0x2f000045);
		84	+ unkn2 = 23;
		85	+ unkn9 = 0;
		86	+ fragment = 0;
		87	+ flags = UINT32_C(0x6b000001);
		88	+
		89	+ request_blob.spotlight_blob = test_sl_unpack_loop_buf;
		90	+ request_blob.size = sizeof(test_sl_unpack_loop_buf);
		91	+ request_blob.length = sizeof(test_sl_unpack_loop_buf);
		92	+
		93	+ response_blob.spotlight_blob = talloc_array(state,
		94	+ uint8_t,
		95	+ 0);
		96	+ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
		97	+ ok, done, "dalloc_zero failed\n");
		98	+ response_blob.size = 0;
		99	+
		100	+ status = dcerpc_mdssvc_cmd(b,
		101	+ state,
		102	+ &state->ph,
		103	+ 0,
		104	+ device_id,
		105	+ unkn2,
		106	+ 0,
		107	+ flags,
		108	+ request_blob,
		109	+ 0,
		110	+ 64 * 1024,
		111	+ 1,
		112	+ 64 * 1024,
		113	+ 0,
		114	+ 0,
		115	+ &fragment,
		116	+ &response_blob,
		117	+ &unkn9);
		118	+ torture_assert_ntstatus_ok_goto(
		119	+ tctx, status, ok, done,
		120	+ "dcerpc_mdssvc_unknown1 failed\n");
		121	+
		122	+done:
		123	+ return ok;
		124	+}
		125	+
		126	static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
		127	void *data)
		128	{
		129	@@ -856,5 +952,9 @@ struct torture_suite torture_rpc_mdssvc(TALLOC_CTX mem_ctx)
		130	"fetch_unknown_cnid",
		131	test_mdssvc_fetch_attr_unknown_cnid);
		132
		133	+ torture_tcase_add_simple_test(tcase,
		134	+ "mdssvc_sl_unpack_loop",
		135	+ test_mdssvc_sl_unpack_loop);
		136	+
		137	return suite;
		138	}
		139	--
		140	2.40.0


diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb index 72021745b3..11b6ade405 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -33,6 +33,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
33	file://CVE-2022-45142.patch;patchdir=source4/heimdal \	33	file://CVE-2022-45142.patch;patchdir=source4/heimdal \
34	file://CVE-2022-41916.patch;patchdir=source4/heimdal \	34	file://CVE-2022-41916.patch;patchdir=source4/heimdal \
35	file://CVE-2021-44758.patch;patchdir=source4/heimdal \	35	file://CVE-2021-44758.patch;patchdir=source4/heimdal \
		36	file://CVE-2023-34966_0001.patch \
		37	file://CVE-2023-34966_0002.patch \
36	"	38	"
37		39
38	SRC_URI:append:libc-musl = " \	40	SRC_URI:append:libc-musl = " \