new file mode 100644
@@ -0,0 +1,78 @@
+From 38664163fcac985d87e4274d198568e0fe88595e Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 13:06:19 +0200
+Subject: [PATCH] CVE-2023-34966: mdssvc: harden sl_unpack_loop()
+
+A malicious client could send a packet where subcount is zero, leading to a busy
+loop because
+
+ count -= subcount
+=> count -= 0
+=> while (count > 0)
+
+loops forever.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/38664163fcac985d87e4274d198568e0fe88595e]
+
+CVE: CVE-2023-34966
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_server/mdssvc/marshalling.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
+index 9ba6ef571f2..d794ba15838 100644
+--- a/source3/rpc_server/mdssvc/marshalling.c
++++ b/source3/rpc_server/mdssvc/marshalling.c
+@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ sl_nil_t nil = 0;
+
+ subcount = tag.count;
+- if (subcount > count) {
++ if (subcount < 1 || subcount > count) {
+ return -1;
+ }
+ for (i = 0; i < subcount; i++) {
+@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+ case SQ_TYPE_INT64:
+ subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding);
+- if (subcount == -1 || subcount > count) {
++ if (subcount < 1 || subcount > count) {
+ return -1;
+ }
+ offset += tag.size;
+@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+ case SQ_TYPE_UUID:
+ subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding);
+- if (subcount == -1 || subcount > count) {
++ if (subcount < 1 || subcount > count) {
+ return -1;
+ }
+ offset += tag.size;
+@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+ case SQ_TYPE_FLOAT:
+ subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding);
+- if (subcount == -1 || subcount > count) {
++ if (subcount < 1 || subcount > count) {
+ return -1;
+ }
+ offset += tag.size;
+@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+ case SQ_TYPE_DATE:
+ subcount = sl_unpack_date(query, buf, offset, bufsize, encoding);
+- if (subcount == -1 || subcount > count) {
++ if (subcount < 1 || subcount > count) {
+ return -1;
+ }
+ offset += tag.size;
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,140 @@
+From 10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 31 May 2023 15:34:26 +0200
+Subject: [PATCH] CVE-2023-34966: CI: test for sl_unpack_loop()
+
+Send a maliciously crafted packet where a nil type has a subcount of 0. This
+triggers an endless loop in mdssvc sl_unpack_loop().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9]
+
+CVE: CVE-2023-34966
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source4/torture/rpc/mdssvc.c | 100 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 100 insertions(+)
+
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index 2d2a8306412..a9956ef8f1d 100644
+--- a/source4/torture/rpc/mdssvc.c
++++ b/source4/torture/rpc/mdssvc.c
+@@ -581,6 +581,102 @@ done:
+ return ok;
+ }
+
++static uint8_t test_sl_unpack_loop_buf[] = {
++ 0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d,
++ 0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00,
++ 0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00,
++ 0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74,
++ 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a,
++ 0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72,
++ 0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74,
++ 0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea,
++ 0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00,
++ 0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00,
++ 0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00,
++ 0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50,
++ 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00,
++ 0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b,
++ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00,
++ 0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
++ 0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
++ 0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00,
++ 0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00,
++ 0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00,
++ 0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00
++};
++
++static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
++ void *data)
++{
++ struct torture_mdsscv_state *state = talloc_get_type_abort(
++ data, struct torture_mdsscv_state);
++ struct dcerpc_binding_handle *b = state->p->binding_handle;
++ struct mdssvc_blob request_blob;
++ struct mdssvc_blob response_blob;
++ uint32_t device_id;
++ uint32_t unkn2;
++ uint32_t unkn9;
++ uint32_t fragment;
++ uint32_t flags;
++ NTSTATUS status;
++ bool ok = true;
++
++ device_id = UINT32_C(0x2f000045);
++ unkn2 = 23;
++ unkn9 = 0;
++ fragment = 0;
++ flags = UINT32_C(0x6b000001);
++
++ request_blob.spotlight_blob = test_sl_unpack_loop_buf;
++ request_blob.size = sizeof(test_sl_unpack_loop_buf);
++ request_blob.length = sizeof(test_sl_unpack_loop_buf);
++
++ response_blob.spotlight_blob = talloc_array(state,
++ uint8_t,
++ 0);
++ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
++ ok, done, "dalloc_zero failed\n");
++ response_blob.size = 0;
++
++ status = dcerpc_mdssvc_cmd(b,
++ state,
++ &state->ph,
++ 0,
++ device_id,
++ unkn2,
++ 0,
++ flags,
++ request_blob,
++ 0,
++ 64 * 1024,
++ 1,
++ 64 * 1024,
++ 0,
++ 0,
++ &fragment,
++ &response_blob,
++ &unkn9);
++ torture_assert_ntstatus_ok_goto(
++ tctx, status, ok, done,
++ "dcerpc_mdssvc_unknown1 failed\n");
++
++done:
++ return ok;
++}
++
+ static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
+ void *data)
+ {
+@@ -856,5 +952,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
+ "fetch_unknown_cnid",
+ test_mdssvc_fetch_attr_unknown_cnid);
+
++ torture_tcase_add_simple_test(tcase,
++ "mdssvc_sl_unpack_loop",
++ test_mdssvc_sl_unpack_loop);
++
+ return suite;
+ }
+--
+2.40.0
@@ -33,6 +33,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-45142.patch;patchdir=source4/heimdal \
file://CVE-2022-41916.patch;patchdir=source4/heimdal \
file://CVE-2021-44758.patch;patchdir=source4/heimdal \
+ file://CVE-2023-34966_0001.patch \
+ file://CVE-2023-34966_0002.patch \
"
SRC_URI:append:libc-musl = " \
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> --- .../samba/samba/CVE-2023-34966_0001.patch | 78 ++++++++++ .../samba/samba/CVE-2023-34966_0002.patch | 140 ++++++++++++++++++ .../samba/samba_4.14.14.bb | 2 + 3 files changed, 220 insertions(+) create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch