new file mode 100644
@@ -0,0 +1,178 @@
+From 3b3c30e2acfb00d04c4013e32343bc277d5b1aa8 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 31 May 2023 16:26:14 +0200
+Subject: [PATCH] CVE-2023-34967: CI: add a test for type checking of
+ dalloc_value_for_key()
+
+Sends a maliciously crafted packet where the value in a key/value style
+dictionary for the "scope" key is a simple string object whereas the server
+expects an array. As the server doesn't perform type validation on the value, it
+crashes when trying to use the "simple" object as a "complex" one.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/3b3c30e2acfb00d04c4013e32343bc277d5b1aa8]
+
+CVE: CVE-2023-34967
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source4/torture/rpc/mdssvc.c | 134 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 134 insertions(+)
+
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index f5f5939..1dce403 100644
+--- a/source4/torture/rpc/mdssvc.c
++++ b/source4/torture/rpc/mdssvc.c
+@@ -666,6 +666,136 @@ done:
+ return ok;
+ }
+
++static bool test_sl_dict_type_safety(struct torture_context *tctx,
++ void *data)
++{
++ struct torture_mdsscv_state *state = talloc_get_type_abort(
++ data, struct torture_mdsscv_state);
++ struct dcerpc_binding_handle *b = state->p->binding_handle;
++ struct mdssvc_blob request_blob;
++ struct mdssvc_blob response_blob;
++ uint64_t ctx1 = 0xdeadbeef;
++ uint64_t ctx2 = 0xcafebabe;
++ uint32_t device_id;
++ uint32_t unkn2;
++ uint32_t unkn9;
++ uint32_t fragment;
++ uint32_t flags;
++ DALLOC_CTX *d = NULL;
++ sl_array_t *array1 = NULL, *array2 = NULL;
++ sl_dict_t *arg = NULL;
++ int result;
++ NTSTATUS status;
++ bool ok = true;
++
++ device_id = UINT32_C(0x2f000045);
++ unkn2 = 23;
++ unkn9 = 0;
++ fragment = 0;
++ flags = UINT32_C(0x6b000001);
++
++ d = dalloc_new(tctx);
++ torture_assert_not_null_goto(tctx, d,
++ ok, done, "dalloc_new failed\n");
++
++ array1 = dalloc_zero(d, sl_array_t);
++ torture_assert_not_null_goto(tctx, array1,
++ ok, done, "dalloc_zero failed\n");
++
++ array2 = dalloc_zero(d, sl_array_t);
++ torture_assert_not_null_goto(tctx, array2,
++ ok, done, "dalloc_new failed\n");
++
++ result = dalloc_stradd(array2, "openQueryWithParams:forContext:");
++ torture_assert_goto(tctx, result == 0,
++ ok, done, "dalloc_stradd failed\n");
++
++ result = dalloc_add_copy(array2, &ctx1, uint64_t);
++ torture_assert_goto(tctx, result == 0,
++ ok, done, "dalloc_stradd failed\n");
++
++ result = dalloc_add_copy(array2, &ctx2, uint64_t);
++ torture_assert_goto(tctx, result == 0,
++ ok, done, "dalloc_stradd failed\n");
++
++ arg = dalloc_zero(array1, sl_dict_t);
++ torture_assert_not_null_goto(tctx, d,
++ ok, done, "dalloc_zero failed\n");
++
++ result = dalloc_stradd(arg, "kMDQueryString");
++ torture_assert_goto(tctx, result == 0,
++ ok, done, "dalloc_stradd failed\n");
++
++ result = dalloc_stradd(arg, "*");
++ torture_assert_goto(tctx, result == 0,
++ ok, done, "dalloc_stradd failed\n");
++
++ result = dalloc_stradd(arg, "kMDScopeArray");
++ torture_assert_goto(tctx, result == 0,
++ ok, done, "dalloc_stradd failed\n");
++
++ result = dalloc_stradd(arg, "AAAABBBB");
++ torture_assert_goto(tctx, result == 0,
++ ok, done, "dalloc_stradd failed\n");
++
++ result = dalloc_add(array1, array2, sl_array_t);
++ torture_assert_goto(tctx, result == 0,
++ ok, done, "dalloc_add failed\n");
++
++ result = dalloc_add(array1, arg, sl_dict_t);
++ torture_assert_goto(tctx, result == 0,
++ ok, done, "dalloc_add failed\n");
++
++ result = dalloc_add(d, array1, sl_array_t);
++ torture_assert_goto(tctx, result == 0,
++ ok, done, "dalloc_add failed\n");
++
++ torture_comment(tctx, "%s", dalloc_dump(d, 0));
++
++ request_blob.spotlight_blob = talloc_array(tctx,
++ uint8_t,
++ 64 * 1024);
++ torture_assert_not_null_goto(tctx, request_blob.spotlight_blob,
++ ok, done, "dalloc_new failed\n");
++ request_blob.size = 64 * 1024;
++
++ request_blob.length = sl_pack(d,
++ (char *)request_blob.spotlight_blob,
++ request_blob.size);
++ torture_assert_goto(tctx, request_blob.length > 0,
++ ok, done, "sl_pack failed\n");
++
++ response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
++ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
++ ok, done, "dalloc_zero failed\n");
++ response_blob.size = 0;
++
++ status = dcerpc_mdssvc_cmd(b,
++ state,
++ &state->ph,
++ 0,
++ device_id,
++ unkn2,
++ 0,
++ flags,
++ request_blob,
++ 0,
++ 64 * 1024,
++ 1,
++ 64 * 1024,
++ 0,
++ 0,
++ &fragment,
++ &response_blob,
++ &unkn9);
++ torture_assert_ntstatus_ok_goto(
++ tctx, status, ok, done,
++ "dcerpc_mdssvc_cmd failed\n");
++
++done:
++ return ok;
++}
++
+ static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
+ void *data)
+ {
+@@ -940,6 +1070,10 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
+ torture_tcase_add_simple_test(tcase,
+ "mdssvc_sl_unpack_loop",
+ test_mdssvc_sl_unpack_loop);
++ torture_tcase_add_simple_test(tcase,
++ "sl_dict_type_safety",
++ test_sl_dict_type_safety);
++
+
+ return suite;
+ }
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,125 @@
+From 049c13245649fab412b61a5b55e5a7dea72d7c72 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 15:06:38 +0200
+Subject: [PATCH] CVE-2023-34967: mdssvc: add type checking to
+ dalloc_value_for_key()
+
+Change the dalloc_value_for_key() function to require an additional final
+argument which denotes the expected type of the value associated with a key. If
+the types don't match, return NULL.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/4c60e35add4a1abd04334012a8d6edf1c3f396ba]
+
+CVE: CVE-2023-34967
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_server/mdssvc/dalloc.c | 14 ++++++++++----
+ source3/rpc_server/mdssvc/mdssvc.c | 17 +++++++++++++----
+ 2 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c
+index 007702d..8b79b41 100644
+--- a/source3/rpc_server/mdssvc/dalloc.c
++++ b/source3/rpc_server/mdssvc/dalloc.c
+@@ -159,7 +159,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ int result = 0;
+ void *p = NULL;
+ va_list args;
+- const char *type;
++ const char *type = NULL;
+ int elem;
+ size_t array_len;
+
+@@ -170,7 +170,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ array_len = talloc_array_length(d->dd_talloc_array);
+ elem = va_arg(args, int);
+ if (elem >= array_len) {
+- va_end(args);
+ result = -1;
+ goto done;
+ }
+@@ -178,8 +177,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ type = va_arg(args, const char *);
+ }
+
+- va_end(args);
+-
+ array_len = talloc_array_length(d->dd_talloc_array);
+
+ for (elem = 0; elem + 1 < array_len; elem += 2) {
+@@ -192,8 +189,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ break;
+ }
+ }
++ if (p == NULL) {
++ goto done;
++ }
++
++ type = va_arg(args, const char *);
++ if (strcmp(talloc_get_name(p), type) != 0) {
++ p = NULL;
++ }
+
+ done:
++ va_end(args);
+ if (result != 0) {
+ p = NULL;
+ }
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index a983a88..fe6e0c2 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
++++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -884,7 +884,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+
+ querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+ "DALLOC_CTX", 1,
+- "kMDQueryString");
++ "kMDQueryString",
++ "char *");
+ if (querystring == NULL) {
+ DEBUG(1, ("missing kMDQueryString\n"));
+ goto error;
+@@ -924,8 +925,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ slq->ctx2 = *uint64p;
+
+ path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+- "DALLOC_CTX", 1, "kMDScopeArray");
++ "DALLOC_CTX", 1,
++ "kMDScopeArray",
++ "sl_array_t");
+ if (path_scope == NULL) {
++ DBG_ERR("missing kMDScopeArray\n");
+ goto error;
+ }
+
+@@ -940,8 +944,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ }
+
+ reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+- "DALLOC_CTX", 1, "kMDAttributeArray");
++ "DALLOC_CTX", 1,
++ "kMDAttributeArray",
++ "sl_array_t");
+ if (reqinfo == NULL) {
++ DBG_ERR("missing kMDAttributeArray\n");
+ goto error;
+ }
+
+@@ -949,7 +956,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ DEBUG(10, ("requested attributes: %s", dalloc_dump(reqinfo, 0)));
+
+ cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+- "DALLOC_CTX", 1, "kMDQueryItemArray");
++ "DALLOC_CTX", 1,
++ "kMDQueryItemArray",
++ "sl_array_t");
+ if (cnids) {
+ ok = sort_cnids(slq, cnids->ca_cnids);
+ if (!ok) {
+--
+2.40.0
@@ -36,6 +36,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2023-34966_0001.patch \
file://CVE-2023-34966_0002.patch \
file://CVE-2022-2127.patch \
+ file://CVE-2023-34967_0001.patch \
+ file://CVE-2023-34967_0002.patch \
"
SRC_URI:append:libc-musl = " \
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> --- .../samba/samba/CVE-2023-34967_0001.patch | 178 ++++++++++++++++++ .../samba/samba/CVE-2023-34967_0002.patch | 125 ++++++++++++ .../samba/samba_4.14.14.bb | 2 + 3 files changed, 305 insertions(+) create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0001.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0002.patch