new file mode 100644
@@ -0,0 +1,104 @@
+From 98b2a013bc723cd660978d5a1db40b987816f90e Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 6 Jun 2023 15:17:26 +0200
+Subject: [PATCH] CVE-2023-34968: mdssvc: cache and reuse stat info in struct
+ sl_inode_path_map
+
+Prepare for the "path" being a fake path and not the real server-side
+path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already
+got stat info for the object in mds_add_result() so we can just pass stat info
+from there.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/98b2a013bc723cd660978d5a1db40b987816f90e]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_server/mdssvc/mdssvc.c | 32 +++++++-----------------------
+ source3/rpc_server/mdssvc/mdssvc.h | 1 +
+ 2 files changed, 8 insertions(+), 25 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index 26a3ec7..a6cc653 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
++++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -446,7 +446,10 @@ static int ino_path_map_destr_cb(struct sl_inode_path_map *entry)
+ * entries by calling talloc_free() on the query slq handles.
+ **/
+
+-static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path)
++static bool inode_map_add(struct sl_query *slq,
++ uint64_t ino,
++ const char *path,
++ struct stat_ex *st)
+ {
+ NTSTATUS status;
+ struct sl_inode_path_map *entry;
+@@ -493,6 +496,7 @@ static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path)
+
+ entry->ino = ino;
+ entry->mds_ctx = slq->mds_ctx;
++ entry->st = *st;
+ entry->path = talloc_strdup(entry, path);
+ if (entry->path == NULL) {
+ DEBUG(1, ("talloc failed\n"));
+@@ -629,7 +633,7 @@ bool mds_add_result(struct sl_query *slq, const char *path)
+ return false;
+ }
+
+- ok = inode_map_add(slq, ino64, path);
++ ok = inode_map_add(slq, ino64, path, &sb);
+ if (!ok) {
+ DEBUG(1, ("inode_map_add error\n"));
+ slq->state = SLQ_STATE_ERROR;
+@@ -1350,29 +1354,7 @@ static bool slrpc_fetch_attributes(struct mds_ctx *mds_ctx,
+ elem = talloc_get_type_abort(p, struct sl_inode_path_map);
+ path = elem->path;
+
+- status = synthetic_pathref(talloc_tos(),
+- mds_ctx->conn->cwd_fsp,
+- path,
+- NULL,
+- NULL,
+- 0,
+- 0,
+- &smb_fname);
+- if (!NT_STATUS_IS_OK(status)) {
+- /* This is not an error, the user may lack permissions */
+- DBG_DEBUG("synthetic_pathref [%s]: %s\n",
+- smb_fname_str_dbg(smb_fname),
+- nt_errstr(status));
+- return true;
+- }
+-
+- result = SMB_VFS_FSTAT(smb_fname->fsp, &smb_fname->st);
+- if (result != 0) {
+- TALLOC_FREE(smb_fname);
+- return true;
+- }
+-
+- sp = &smb_fname->st;
++ sp = &elem->st;
+ }
+
+ ok = add_filemeta(mds_ctx, reqinfo, fm_array, path, sp);
+diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
+index 3924827..a097991 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.h
++++ b/source3/rpc_server/mdssvc/mdssvc.h
+@@ -105,6 +105,7 @@ struct sl_inode_path_map {
+ struct mds_ctx *mds_ctx;
+ uint64_t ino;
+ char *path;
++ struct stat_ex st;
+ };
+
+ /* Per process state */
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,39 @@
+From 47a0c1681dd1e7ec407679793966ec8bdc08a24e Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sat, 17 Jun 2023 13:39:55 +0200
+Subject: [PATCH] CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes"
+ dict key in slrpc_fetch_properties()
+
+We were adding the value, but not the key.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/47a0c1681dd1e7ec407679793966ec8bdc08a24e]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_server/mdssvc/mdssvc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index a6d09a43b9c..9c23ef95753 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
++++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -730,6 +730,10 @@ static bool slrpc_fetch_properties(struct mds_ctx *mds_ctx,
+ }
+
+ /* kMDSStoreMetaScopes array */
++ result = dalloc_stradd(dict, "kMDSStoreMetaScopes");
++ if (result != 0) {
++ return false;
++ }
+ array = dalloc_zero(dict, sl_array_t);
+ if (array == NULL) {
+ return NULL;
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,65 @@
+From 56a21b3bc8fb24416ead9061f9305c8122bc7f86 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Mon, 19 Jun 2023 17:14:38 +0200
+Subject: [PATCH] CVE-2023-34968: mdscli: use correct TALLOC memory context
+ when allocating spotlight_blob
+
+d is talloc_free()d at the end of the functions and the buffer was later used
+after beeing freed in the DCERPC layer when sending the packet.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/56a21b3bc8fb24416ead9061f9305c8122bc7f86]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_client/cli_mdssvc_util.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
+index fe5092c3790..892a844e71a 100644
+--- a/source3/rpc_client/cli_mdssvc_util.c
++++ b/source3/rpc_client/cli_mdssvc_util.c
+@@ -209,7 +209,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- blob->spotlight_blob = talloc_array(d,
++ blob->spotlight_blob = talloc_array(mem_ctx,
+ uint8_t,
+ ctx->max_fragment_size);
+ if (blob->spotlight_blob == NULL) {
+@@ -293,7 +293,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- blob->spotlight_blob = talloc_array(d,
++ blob->spotlight_blob = talloc_array(mem_ctx,
+ uint8_t,
+ ctx->max_fragment_size);
+ if (blob->spotlight_blob == NULL) {
+@@ -426,7 +426,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- blob->spotlight_blob = talloc_array(d,
++ blob->spotlight_blob = talloc_array(mem_ctx,
+ uint8_t,
+ ctx->max_fragment_size);
+ if (blob->spotlight_blob == NULL) {
+@@ -510,7 +510,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- blob->spotlight_blob = talloc_array(d,
++ blob->spotlight_blob = talloc_array(mem_ctx,
+ uint8_t,
+ ctx->max_fragment_size);
+ if (blob->spotlight_blob == NULL) {
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,85 @@
+From 0ae6084d1a9c4eb12e9f1ab1902e00f96bcbea55 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Mon, 19 Jun 2023 18:28:41 +0200
+Subject: [PATCH] CVE-2023-34968: mdscli: remove response blob allocation
+
+This is handled by the NDR code transparently.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_client/cli_mdssvc.c | 36 ---------------------------------
+ 1 file changed, 36 deletions(-)
+
+diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c
+index 046d37135cb..474d7c0b150 100644
+--- a/source3/rpc_client/cli_mdssvc.c
++++ b/source3/rpc_client/cli_mdssvc.c
+@@ -276,15 +276,6 @@ struct tevent_req *mdscli_search_send(TALLOC_CTX *mem_ctx,
+ return tevent_req_post(req, ev);
+ }
+
+- state->response_blob.spotlight_blob = talloc_array(
+- state,
+- uint8_t,
+- mdscli_ctx->max_fragment_size);
+- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
+- return tevent_req_post(req, ev);
+- }
+- state->response_blob.size = mdscli_ctx->max_fragment_size;
+-
+ subreq = dcerpc_mdssvc_cmd_send(state,
+ ev,
+ mdscli_ctx->bh,
+@@ -457,15 +448,6 @@ struct tevent_req *mdscli_get_results_send(
+ return tevent_req_post(req, ev);
+ }
+
+- state->response_blob.spotlight_blob = talloc_array(
+- state,
+- uint8_t,
+- mdscli_ctx->max_fragment_size);
+- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
+- return tevent_req_post(req, ev);
+- }
+- state->response_blob.size = mdscli_ctx->max_fragment_size;
+-
+ subreq = dcerpc_mdssvc_cmd_send(state,
+ ev,
+ mdscli_ctx->bh,
+@@ -681,15 +663,6 @@ struct tevent_req *mdscli_get_path_send(TALLOC_CTX *mem_ctx,
+ return tevent_req_post(req, ev);
+ }
+
+- state->response_blob.spotlight_blob = talloc_array(
+- state,
+- uint8_t,
+- mdscli_ctx->max_fragment_size);
+- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
+- return tevent_req_post(req, ev);
+- }
+- state->response_blob.size = mdscli_ctx->max_fragment_size;
+-
+ subreq = dcerpc_mdssvc_cmd_send(state,
+ ev,
+ mdscli_ctx->bh,
+@@ -852,15 +825,6 @@ struct tevent_req *mdscli_close_search_send(TALLOC_CTX *mem_ctx,
+ return tevent_req_post(req, ev);
+ }
+
+- state->response_blob.spotlight_blob = talloc_array(
+- state,
+- uint8_t,
+- mdscli_ctx->max_fragment_size);
+- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
+- return tevent_req_post(req, ev);
+- }
+- state->response_blob.size = mdscli_ctx->max_fragment_size;
+-
+ subreq = dcerpc_mdssvc_cmd_send(state,
+ ev,
+ mdscli_ctx->bh,
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,83 @@
+From 353a9ccea6ff93ea2cd604dcc2b0372f056f819d Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 20 Jun 2023 11:28:47 +0200
+Subject: [PATCH] CVE-2023-34968: smbtorture: remove response blob allocation
+ in mdssvc.c
+
+This is alreay done by NDR for us.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/353a9ccea6ff93ea2cd604dcc2b0372f056f819d]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+
+---
+ source4/torture/rpc/mdssvc.c | 26 --------------------------
+ 1 file changed, 26 deletions(-)
+
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index 3689692f7de..a16bd5b47e3 100644
+--- a/source4/torture/rpc/mdssvc.c
++++ b/source4/torture/rpc/mdssvc.c
+@@ -536,13 +536,6 @@ static bool test_mdssvc_invalid_ph_cmd(struct torture_context *tctx,
+ request_blob.length = 0;
+ request_blob.size = 0;
+
+- response_blob.spotlight_blob = talloc_array(state,
+- uint8_t,
+- 0);
+- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
+- ok, done, "dalloc_zero failed\n");
+- response_blob.size = 0;
+-
+ status = dcerpc_mdssvc_cmd(b,
+ state,
+ &ph,
+@@ -632,13 +625,6 @@ static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
+ request_blob.size = sizeof(test_sl_unpack_loop_buf);
+ request_blob.length = sizeof(test_sl_unpack_loop_buf);
+
+- response_blob.spotlight_blob = talloc_array(state,
+- uint8_t,
+- 0);
+- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
+- ok, done, "dalloc_zero failed\n");
+- response_blob.size = 0;
+-
+ status = dcerpc_mdssvc_cmd(b,
+ state,
+ &state->ph,
+@@ -764,11 +750,6 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx,
+ torture_assert_goto(tctx, request_blob.length > 0,
+ ok, done, "sl_pack failed\n");
+
+- response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
+- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
+- ok, done, "dalloc_zero failed\n");
+- response_blob.size = 0;
+-
+ status = dcerpc_mdssvc_cmd(b,
+ state,
+ &state->ph,
+@@ -926,13 +907,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
+ ret, done, "dalloc_zero failed\n");
+ request_blob.size = max_fragment_size;
+
+- response_blob.spotlight_blob = talloc_array(state,
+- uint8_t,
+- max_fragment_size);
+- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
+- ret, done, "dalloc_zero failed\n");
+- response_blob.size = max_fragment_size;
+-
+ len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
+ torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n");
+
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,57 @@
+From 449f1280b718c6da3b8e309fe124be4e9bfd8184 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 20 Jun 2023 11:35:41 +0200
+Subject: [PATCH] CVE-2023-34968: rpcclient: remove response blob allocation
+
+This is alreay done by NDR for us.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/449f1280b718c6da3b8e309fe124be4e9bfd8184]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpcclient/cmd_spotlight.c | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c
+index 24db9893df6..64fe321089c 100644
+--- a/source3/rpcclient/cmd_spotlight.c
++++ b/source3/rpcclient/cmd_spotlight.c
+@@ -144,13 +144,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
+ }
+ request_blob.size = max_fragment_size;
+
+- response_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size);
+- if (response_blob.spotlight_blob == NULL) {
+- status = NT_STATUS_INTERNAL_ERROR;
+- goto done;
+- }
+- response_blob.size = max_fragment_size;
+-
+ len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
+ if (len == -1) {
+ status = NT_STATUS_INTERNAL_ERROR;
+@@ -368,15 +361,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
+ }
+ request_blob.size = max_fragment_size;
+
+- response_blob.spotlight_blob = talloc_array(mem_ctx,
+- uint8_t,
+- max_fragment_size);
+- if (response_blob.spotlight_blob == NULL) {
+- status = NT_STATUS_INTERNAL_ERROR;
+- goto done;
+- }
+- response_blob.size = max_fragment_size;
+-
+ len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
+ if (len == -1) {
+ status = NT_STATUS_INTERNAL_ERROR;
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,49 @@
+From cc593a6ac531f02f2fe70fd4f7dfe649a02f9206 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 20 Jun 2023 11:42:10 +0200
+Subject: [PATCH] CVE-2023-34968: mdssvc: remove response blob allocation
+
+This is alreay done by NDR for us.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/cc593a6ac531f02f2fe70fd4f7dfe649a02f9206]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
+index b8eed8b..714e6c1 100644
+--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
++++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
+@@ -209,7 +209,6 @@ void _mdssvc_unknown1(struct pipes_struct *p, struct mdssvc_unknown1 *r)
+ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
+ {
+ bool ok;
+- char *rbuf;
+ struct mds_ctx *mds_ctx;
+ NTSTATUS status;
+
+@@ -266,13 +265,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
+ return;
+ }
+
+- rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1);
+- if (rbuf == NULL) {
+- p->fault_state = DCERPC_FAULT_CANT_PERFORM;
+- return;
+- }
+- r->out.response_blob->spotlight_blob = (uint8_t *)rbuf;
+- r->out.response_blob->size = r->in.max_fragment_size1;
+
+ /* We currently don't use fragmentation at the mdssvc RPC layer */
+ *r->out.fragment = 0;
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,62 @@
+From 397919e82b493206ae9b60bb9c539d52c3207729 Mon Sep 17 00:00:00 2001
+From: Archana Polampalli <archana.polampalli@windriver.com>
+Date: Fri, 29 Sep 2023 08:59:31 +0000
+Subject: [PATCH] CVE-2023-34968: mdssvc: switch to doing an early return
+
+Just reduce indentation of the code handling the success case. No change in
+behaviour.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/397919e82b493206ae9b60bb9c539d52c3207729]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_server/mdssvc/mdssvc.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index a6cc653..0e6a916 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
++++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -1798,19 +1798,21 @@ bool mds_dispatch(struct mds_ctx *mds_ctx,
+ }
+
+ ok = slcmd->function(mds_ctx, query, reply);
+- if (ok) {
+- DBG_DEBUG("%s", dalloc_dump(reply, 0));
+-
+- len = sl_pack(reply,
+- (char *)response_blob->spotlight_blob,
+- response_blob->size);
+- if (len == -1) {
+- DBG_ERR("error packing Spotlight RPC reply\n");
+- ok = false;
+- goto cleanup;
+- }
+- response_blob->length = len;
++ if (!ok) {
++ goto cleanup;
++ }
++
++ DBG_DEBUG("%s", dalloc_dump(reply, 0));
++
++ len = sl_pack(reply,
++ (char *)response_blob->spotlight_blob,
++ response_blob->size);
++ if (len == -1) {
++ DBG_ERR("error packing Spotlight RPC reply\n");
++ ok = false;
++ goto cleanup;
+ }
++ response_blob->length = len;
+
+ cleanup:
+ talloc_free(query);
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,465 @@
+From cb8313e7bee75454ce29d2b2f657927259298f52 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Mon, 19 Jun 2023 18:16:57 +0200
+Subject: [PATCH] CVE-2023-34968: mdssvc: introduce an allocating wrapper to
+ sl_pack()
+
+sl_pack_alloc() does the buffer allocation that previously all callers of
+sl_pack() did themselves.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/cb8313e7bee75454ce29d2b2f657927259298f52]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_client/cli_mdssvc_util.c | 80 +++++------------------
+ source3/rpc_server/mdssvc/marshalling.c | 35 ++++++++--
+ source3/rpc_server/mdssvc/marshalling.h | 9 ++-
+ source3/rpc_server/mdssvc/mdssvc.c | 18 ++---
+ source3/rpc_server/mdssvc/mdssvc.h | 5 +-
+ source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 5 +-
+ source3/rpcclient/cmd_spotlight.c | 32 ++-------
+ source4/torture/rpc/mdssvc.c | 24 ++-----
+ 8 files changed, 80 insertions(+), 128 deletions(-)
+
+diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
+index 892a844..a39202d 100644
+--- a/source3/rpc_client/cli_mdssvc_util.c
++++ b/source3/rpc_client/cli_mdssvc_util.c
+@@ -42,7 +42,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
+ sl_array_t *scope_array = NULL;
+ double dval;
+ uint64_t uint64val;
+- ssize_t len;
++ NTSTATUS status;
+ int ret;
+
+ d = dalloc_new(mem_ctx);
+@@ -209,23 +209,11 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- blob->spotlight_blob = talloc_array(mem_ctx,
+- uint8_t,
+- ctx->max_fragment_size);
+- if (blob->spotlight_blob == NULL) {
+- TALLOC_FREE(d);
+- return NT_STATUS_NO_MEMORY;
+- }
+- blob->size = ctx->max_fragment_size;
+-
+- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
+ TALLOC_FREE(d);
+- if (len == -1) {
+- return NT_STATUS_NO_MEMORY;
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
+ }
+-
+- blob->length = len;
+- blob->size = len;
+ return NT_STATUS_OK;
+ }
+
+@@ -238,7 +226,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
+ uint64_t *uint64p = NULL;
+ sl_array_t *array = NULL;
+ sl_array_t *cmd_array = NULL;
+- ssize_t len;
++ NTSTATUS status;
+ int ret;
+
+ d = dalloc_new(mem_ctx);
+@@ -293,23 +281,11 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- blob->spotlight_blob = talloc_array(mem_ctx,
+- uint8_t,
+- ctx->max_fragment_size);
+- if (blob->spotlight_blob == NULL) {
+- TALLOC_FREE(d);
+- return NT_STATUS_NO_MEMORY;
+- }
+- blob->size = ctx->max_fragment_size;
+-
+- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
+ TALLOC_FREE(d);
+- if (len == -1) {
+- return NT_STATUS_NO_MEMORY;
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
+ }
+-
+- blob->length = len;
+- blob->size = len;
+ return NT_STATUS_OK;
+ }
+
+@@ -325,7 +301,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
+ sl_array_t *cmd_array = NULL;
+ sl_array_t *attr_array = NULL;
+ sl_cnids_t *cnids = NULL;
+- ssize_t len;
++ NTSTATUS status;
+ int ret;
+
+ d = dalloc_new(mem_ctx);
+@@ -426,23 +402,11 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- blob->spotlight_blob = talloc_array(mem_ctx,
+- uint8_t,
+- ctx->max_fragment_size);
+- if (blob->spotlight_blob == NULL) {
+- TALLOC_FREE(d);
+- return NT_STATUS_NO_MEMORY;
+- }
+- blob->size = ctx->max_fragment_size;
+-
+- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
+ TALLOC_FREE(d);
+- if (len == -1) {
+- return NT_STATUS_NO_MEMORY;
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
+ }
+-
+- blob->length = len;
+- blob->size = len;
+ return NT_STATUS_OK;
+ }
+
+@@ -455,7 +419,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
+ uint64_t *uint64p = NULL;
+ sl_array_t *array = NULL;
+ sl_array_t *cmd_array = NULL;
+- ssize_t len;
++ NTSTATUS status;
+ int ret;
+
+ d = dalloc_new(mem_ctx);
+@@ -510,22 +474,10 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- blob->spotlight_blob = talloc_array(mem_ctx,
+- uint8_t,
+- ctx->max_fragment_size);
+- if (blob->spotlight_blob == NULL) {
+- TALLOC_FREE(d);
+- return NT_STATUS_NO_MEMORY;
+- }
+- blob->size = ctx->max_fragment_size;
+-
+- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
+ TALLOC_FREE(d);
+- if (len == -1) {
+- return NT_STATUS_NO_MEMORY;
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
+ }
+-
+- blob->length = len;
+- blob->size = len;
+ return NT_STATUS_OK;
+ }
+diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
+index 441d411..34bfda5 100644
+--- a/source3/rpc_server/mdssvc/marshalling.c
++++ b/source3/rpc_server/mdssvc/marshalling.c
+@@ -78,6 +78,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, const char *buf,
+ ssize_t offset, size_t bufsize,
+ int count, ssize_t toc_offset,
+ int encoding);
++static ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize);
+
+ /******************************************************************************
+ * Wrapper functions for the *VAL macros with bound checking
+@@ -1190,11 +1191,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ return offset;
+ }
+
+-/******************************************************************************
+- * Global functions for packing und unpacking
+- ******************************************************************************/
+-
+-ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize)
++static ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize)
+ {
+ ssize_t result;
+ char *toc_buf;
+@@ -1274,6 +1271,34 @@ ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize)
+ return len;
+ }
+
++/******************************************************************************
++ * Global functions for packing und unpacking
++ ******************************************************************************/
++
++NTSTATUS sl_pack_alloc(TALLOC_CTX *mem_ctx,
++ DALLOC_CTX *d,
++ struct mdssvc_blob *b,
++ size_t max_fragment_size)
++{
++ ssize_t len;
++
++ b->spotlight_blob = talloc_zero_array(mem_ctx,
++ uint8_t,
++ max_fragment_size);
++ if (b->spotlight_blob == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ len = sl_pack(d, (char *)b->spotlight_blob, max_fragment_size);
++ if (len == -1) {
++ return NT_STATUS_DATA_ERROR;
++ }
++
++ b->length = len;
++ b->size = len;
++ return NT_STATUS_OK;
++}
++
+ bool sl_unpack(DALLOC_CTX *query, const char *buf, size_t bufsize)
+ {
+ ssize_t result;
+diff --git a/source3/rpc_server/mdssvc/marshalling.h b/source3/rpc_server/mdssvc/marshalling.h
+index 086ca74..2cc1b44 100644
+--- a/source3/rpc_server/mdssvc/marshalling.h
++++ b/source3/rpc_server/mdssvc/marshalling.h
+@@ -22,6 +22,9 @@
+ #define _MDSSVC_MARSHALLING_H
+
+ #include "dalloc.h"
++#include "libcli/util/ntstatus.h"
++#include "lib/util/data_blob.h"
++#include "librpc/gen_ndr/mdssvc.h"
+
+ #define MAX_SL_FRAGMENT_SIZE 0xFFFFF
+
+@@ -49,7 +52,11 @@ typedef struct {
+ * Function declarations
+ ******************************************************************************/
+
+-extern ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize);
++extern NTSTATUS sl_pack_alloc(TALLOC_CTX *mem_ctx,
++ DALLOC_CTX *d,
++ struct mdssvc_blob *b,
++ size_t max_fragment_size);
++
+ extern bool sl_unpack(DALLOC_CTX *query, const char *buf, size_t bufsize);
+
+ #endif
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index 0e6a916..19257e8 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
++++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -1726,11 +1726,11 @@ error:
+ **/
+ bool mds_dispatch(struct mds_ctx *mds_ctx,
+ struct mdssvc_blob *request_blob,
+- struct mdssvc_blob *response_blob)
++ struct mdssvc_blob *response_blob,
++ size_t max_fragment_size)
+ {
+ bool ok;
+ int ret;
+- ssize_t len;
+ DALLOC_CTX *query = NULL;
+ DALLOC_CTX *reply = NULL;
+ char *rpccmd;
+@@ -1738,6 +1738,7 @@ bool mds_dispatch(struct mds_ctx *mds_ctx,
+ const struct smb_filename conn_basedir = {
+ .base_name = mds_ctx->conn->connectpath,
+ };
++ NTSTATUS status;
+
+ if (CHECK_DEBUGLVL(10)) {
+ const struct sl_query *slq;
+@@ -1804,15 +1805,14 @@ bool mds_dispatch(struct mds_ctx *mds_ctx,
+
+ DBG_DEBUG("%s", dalloc_dump(reply, 0));
+
+- len = sl_pack(reply,
+- (char *)response_blob->spotlight_blob,
+- response_blob->size);
+- if (len == -1) {
+- DBG_ERR("error packing Spotlight RPC reply\n");
+- ok = false;
++ status = sl_pack_alloc(response_blob,
++ reply,
++ response_blob,
++ max_fragment_size);
++ if (!NT_STATUS_IS_OK(status)) {
++ DBG_ERR("sl_pack_alloc() failed\n");
+ goto cleanup;
+ }
+- response_blob->length = len;
+
+ cleanup:
+ talloc_free(query);
+diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
+index a097991..b3bd8b9 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.h
++++ b/source3/rpc_server/mdssvc/mdssvc.h
+@@ -157,9 +157,10 @@ struct mds_ctx *mds_init_ctx(TALLOC_CTX *mem_ctx,
+ int snum,
+ const char *sharename,
+ const char *path);
+-extern bool mds_dispatch(struct mds_ctx *query_ctx,
++extern bool mds_dispatch(struct mds_ctx *mds_ctx,
+ struct mdssvc_blob *request_blob,
+- struct mdssvc_blob *response_blob);
++ struct mdssvc_blob *response_blob,
++ size_t max_fragment_size);
+ bool mds_add_result(struct sl_query *slq, const char *path);
+
+ #endif /* _MDSSVC_H */
+diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
+index 714e6c1..59e2a97 100644
+--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
++++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
+@@ -269,7 +269,10 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
+ /* We currently don't use fragmentation at the mdssvc RPC layer */
+ *r->out.fragment = 0;
+
+- ok = mds_dispatch(mds_ctx, &r->in.request_blob, r->out.response_blob);
++ ok = mds_dispatch(mds_ctx,
++ &r->in.request_blob,
++ r->out.response_blob,
++ r->in.max_fragment_size1);
+ if (ok) {
+ *r->out.unkn9 = 0;
+ } else {
+diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c
+index 64fe321..ba3f61f 100644
+--- a/source3/rpcclient/cmd_spotlight.c
++++ b/source3/rpcclient/cmd_spotlight.c
+@@ -43,7 +43,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
+ uint32_t unkn3; /* server always returns 0 ? */
+ struct mdssvc_blob request_blob;
+ struct mdssvc_blob response_blob;
+- ssize_t len;
+ uint32_t max_fragment_size = 64 * 1024;
+ DALLOC_CTX *d, *mds_reply;
+ uint64_t *uint64var;
+@@ -137,20 +136,10 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
+ goto done;
+ }
+
+- request_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size);
+- if (request_blob.spotlight_blob == NULL) {
+- status = NT_STATUS_INTERNAL_ERROR;
+- goto done;
+- }
+- request_blob.size = max_fragment_size;
+-
+- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
+- if (len == -1) {
+- status = NT_STATUS_INTERNAL_ERROR;
++ status = sl_pack_alloc(mem_ctx, d, &request_blob, max_fragment_size);
++ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+- request_blob.length = len;
+- request_blob.size = len;
+
+ status = dcerpc_mdssvc_cmd(b, mem_ctx,
+ &share_handle,
+@@ -204,7 +193,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
+ uint32_t unkn3; /* server always returns 0 ? */
+ struct mdssvc_blob request_blob;
+ struct mdssvc_blob response_blob;
+- ssize_t len;
+ uint32_t max_fragment_size = 64 * 1024;
+ DALLOC_CTX *d, *mds_reply;
+ uint64_t *uint64var;
+@@ -352,22 +340,10 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
+ goto done;
+ }
+
+- request_blob.spotlight_blob = talloc_array(mem_ctx,
+- uint8_t,
+- max_fragment_size);
+- if (request_blob.spotlight_blob == NULL) {
+- status = NT_STATUS_INTERNAL_ERROR;
+- goto done;
+- }
+- request_blob.size = max_fragment_size;
+-
+- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
+- if (len == -1) {
+- status = NT_STATUS_INTERNAL_ERROR;
++ status = sl_pack_alloc(mem_ctx, d, &request_blob, max_fragment_size);
++ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+- request_blob.length = len;
+- request_blob.size = len;
+
+ status = dcerpc_mdssvc_cmd(b, mem_ctx,
+ &share_handle,
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index e99c82c..1305456 100644
+--- a/source4/torture/rpc/mdssvc.c
++++ b/source4/torture/rpc/mdssvc.c
+@@ -745,11 +745,9 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx,
+ ok, done, "dalloc_new failed\n");
+ request_blob.size = 64 * 1024;
+
+- request_blob.length = sl_pack(d,
+- (char *)request_blob.spotlight_blob,
+- request_blob.size);
+- torture_assert_goto(tctx, request_blob.length > 0,
+- ok, done, "sl_pack failed\n");
++ status = sl_pack_alloc(tctx, d, &request_blob, 64 * 1024);
++ torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
++ "sl_pack_alloc() failed\n");
+
+ status = dcerpc_mdssvc_cmd(b,
+ state,
+@@ -836,7 +834,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
+ const char *path_type = NULL;
+ uint64_t ino64;
+ NTSTATUS status;
+- ssize_t len;
+ int ret;
+ bool ok = true;
+
+@@ -901,19 +898,10 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
+ ret = dalloc_add(array, cnids, sl_cnids_t);
+ torture_assert_goto(tctx, ret == 0, ret, done, "dalloc_add failed\n");
+
+- request_blob.spotlight_blob = talloc_array(state,
+- uint8_t,
+- max_fragment_size);
+- torture_assert_not_null_goto(tctx, request_blob.spotlight_blob,
+- ret, done, "dalloc_zero failed\n");
+- request_blob.size = max_fragment_size;
+-
+- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
+- torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n");
+-
+- request_blob.length = len;
+- request_blob.size = len;
+
++ status = sl_pack_alloc(tctx, d, &request_blob, max_fragment_size);
++ torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
++ "sl_pack_alloc() failed\n");
+ status = dcerpc_mdssvc_cmd(b,
+ state,
+ &state->ph,
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,484 @@
+From a5c570e262911874e43e82de601d809aa5b1b729 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sat, 17 Jun 2023 13:53:27 +0200
+Subject: [PATCH] CVE-2023-34968: mdscli: return share relative paths The next
+ commit will change the Samba Spotlight server to return absolute paths that
+ start with the sharename as "/SHARENAME/..." followed by the share path
+ relative appended.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So given a share
+
+ [spotlight]
+ path = /foo/bar
+ spotlight = yes
+
+and a file inside this share with a full path of
+
+ /foo/bar/dir/file
+
+previously a search that matched this file would returns the absolute
+server-side pato of the file, ie
+
+ /foo/bar/dir/file
+
+This will be change to
+
+ /spotlight/dir/file
+
+As currently the mdscli library and hence the mdsearch tool print out these
+paths returned from the server, we have to change the output to accomodate these
+fake paths. The only way to do this sensibly is by makeing the paths relative to
+the containing share, so just
+
+ dir/file
+
+in the example above.
+
+The client learns about the share root path prefix – real server-side of fake in
+the future – in an initial handshake in the "share_path" out argument of the
+mdssvc_open() RPC call, so the client can use this path to convert the absolute
+path to relative.
+
+There is however an additional twist: the macOS Spotlight server prefixes this
+absolute path with another prefix, typically "/System/Volumes/Data", so in the
+example above the full path for the same search would be
+
+ /System/Volumes/Data/foo/bar/dir/file
+
+So macOS does return the full server-side path too, just prefixed with an
+additional path. This path prefixed can be queried by the client in the
+mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:"
+and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
+just returns "/" for this.
+
+Currently the mdscli library doesn't issue this Spotlight RPC
+request (fetchPropertiesForContext), so this is added in this commit. In the
+end, all search result paths are stripped of the combined prefix
+
+ kMDSStorePathScopes + share_path (from mdssvc_open).
+
+eg
+
+ kMDSStorePathScopes = /System/Volumes/Data
+ share_path = /foo/bar
+ search result = /System/Volumes/Data/foo/bar/dir/file
+ relative path returned by mdscli = dir/file
+
+Makes sense? :)
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/a5c570e262911874e43e82de601d809aa5b1b729]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ python/samba/tests/dcerpc/mdssvc.py | 26 ++--
+ source3/rpc_client/cli_mdssvc.c | 155 +++++++++++++++++++++++-
+ source3/rpc_client/cli_mdssvc_private.h | 4 +
+ source3/rpc_client/cli_mdssvc_util.c | 68 +++++++++++
+ source3/rpc_client/cli_mdssvc_util.h | 4 +
+ 5 files changed, 243 insertions(+), 14 deletions(-)
+
+diff --git a/python/samba/tests/dcerpc/mdssvc.py b/python/samba/tests/dcerpc/mdssvc.py
+index b0df509..5002e5d 100644
+--- a/python/samba/tests/dcerpc/mdssvc.py
++++ b/python/samba/tests/dcerpc/mdssvc.py
+@@ -84,10 +84,11 @@ class MdssvcTests(RpcInterfaceTestCase):
+ self.t = threading.Thread(target=MdssvcTests.http_server, args=(self,))
+ self.t.setDaemon(True)
+ self.t.start()
++ self.sharepath = os.environ["LOCAL_PATH"]
+ time.sleep(1)
+
+ conn = mdscli.conn(self.pipe, 'spotlight', '/foo')
+- self.sharepath = conn.sharepath()
++ self.fakepath = conn.sharepath()
+ conn.disconnect(self.pipe)
+
+ for file in testfiles:
+@@ -105,12 +106,11 @@ class MdssvcTests(RpcInterfaceTestCase):
+ self.server.serve_forever()
+
+ def run_test(self, query, expect, json_in, json_out):
+- expect = [s.replace("%BASEPATH%", self.sharepath) for s in expect]
+ self.server.json_in = json_in.replace("%BASEPATH%", self.sharepath)
+ self.server.json_out = json_out.replace("%BASEPATH%", self.sharepath)
+
+ self.conn = mdscli.conn(self.pipe, 'spotlight', '/foo')
+- search = self.conn.search(self.pipe, query, self.sharepath)
++ search = self.conn.search(self.pipe, query, self.fakepath)
+
+ # Give it some time, the get_results() below returns immediately
+ # what's available, so if we ask to soon, we might get back no results
+@@ -141,7 +141,7 @@ class MdssvcTests(RpcInterfaceTestCase):
+ ]
+ }
+ }'''
+- exp_results = ["%BASEPATH%/foo", "%BASEPATH%/bar"]
++ exp_results = ["foo", "bar"]
+ self.run_test('*=="samba*"', exp_results, exp_json_query, fake_json_response)
+
+ def test_mdscli_search_escapes(self):
+@@ -181,14 +181,14 @@ class MdssvcTests(RpcInterfaceTestCase):
+ }
+ }'''
+ exp_results = [
+- r"%BASEPATH%/x+x",
+- r"%BASEPATH%/x*x",
+- r"%BASEPATH%/x=x",
+- r"%BASEPATH%/x'x",
+- r"%BASEPATH%/x?x",
+- r"%BASEPATH%/x x",
+- r"%BASEPATH%/x(x",
+- "%BASEPATH%/x\"x",
+- r"%BASEPATH%/x\x",
++ r"x+x",
++ r"x*x",
++ r"x=x",
++ r"x'x",
++ r"x?x",
++ r"x x",
++ r"x(x",
++ "x\"x",
++ r"x\x",
+ ]
+ self.run_test(sl_query, exp_results, exp_json_query, fake_json_response)
+diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c
+index 07c19b5..a047b91 100644
+--- a/source3/rpc_client/cli_mdssvc.c
++++ b/source3/rpc_client/cli_mdssvc.c
+@@ -43,10 +43,12 @@ char *mdscli_get_basepath(TALLOC_CTX *mem_ctx,
+ struct mdscli_connect_state {
+ struct tevent_context *ev;
+ struct mdscli_ctx *mdscli_ctx;
++ struct mdssvc_blob response_blob;
+ };
+
+ static void mdscli_connect_open_done(struct tevent_req *subreq);
+ static void mdscli_connect_unknown1_done(struct tevent_req *subreq);
++static void mdscli_connect_fetch_props_done(struct tevent_req *subreq);
+
+ struct tevent_req *mdscli_connect_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+@@ -111,6 +113,7 @@ static void mdscli_connect_open_done(struct tevent_req *subreq)
+ struct mdscli_connect_state *state = tevent_req_data(
+ req, struct mdscli_connect_state);
+ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
++ size_t share_path_len;
+ NTSTATUS status;
+
+ status = dcerpc_mdssvc_open_recv(subreq, state);
+@@ -120,6 +123,18 @@ static void mdscli_connect_open_done(struct tevent_req *subreq)
+ return;
+ }
+
++ share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path);
++ if (share_path_len < 1 || share_path_len > UINT16_MAX) {
++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
++ return;
++ }
++ mdscli_ctx->mdscmd_open.share_path_len = share_path_len;
++
++ if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') {
++ mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0';
++ mdscli_ctx->mdscmd_open.share_path_len--;
++ }
++
+ subreq = dcerpc_mdssvc_unknown1_send(
+ state,
+ state->ev,
+@@ -146,6 +161,8 @@ static void mdscli_connect_unknown1_done(struct tevent_req *subreq)
+ subreq, struct tevent_req);
+ struct mdscli_connect_state *state = tevent_req_data(
+ req, struct mdscli_connect_state);
++ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
++ struct mdssvc_blob request_blob;
+ NTSTATUS status;
+
+ status = dcerpc_mdssvc_unknown1_recv(subreq, state);
+@@ -153,6 +170,108 @@ static void mdscli_connect_unknown1_done(struct tevent_req *subreq)
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
++ status = mdscli_blob_fetch_props(state,
++ state->mdscli_ctx,
++ &request_blob);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++
++ subreq = dcerpc_mdssvc_cmd_send(state,
++ state->ev,
++ mdscli_ctx->bh,
++ &mdscli_ctx->ph,
++ 0,
++ mdscli_ctx->dev,
++ mdscli_ctx->mdscmd_open.unkn2,
++ 0,
++ mdscli_ctx->flags,
++ request_blob,
++ 0,
++ mdscli_ctx->max_fragment_size,
++ 1,
++ mdscli_ctx->max_fragment_size,
++ 0,
++ 0,
++ &mdscli_ctx->mdscmd_cmd.fragment,
++ &state->response_blob,
++ &mdscli_ctx->mdscmd_cmd.unkn9);
++ if (tevent_req_nomem(subreq, req)) {
++ return;
++ }
++ tevent_req_set_callback(subreq, mdscli_connect_fetch_props_done, req);
++ mdscli_ctx->async_pending++;
++ return;
++}
++
++static void mdscli_connect_fetch_props_done(struct tevent_req *subreq)
++{
++ struct tevent_req *req = tevent_req_callback_data(
++ subreq, struct tevent_req);
++ struct mdscli_connect_state *state = tevent_req_data(
++ req, struct mdscli_connect_state);
++ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
++ DALLOC_CTX *d = NULL;
++ sl_array_t *path_scope_array = NULL;
++ char *path_scope = NULL;
++ NTSTATUS status;
++ bool ok;
++
++ status = dcerpc_mdssvc_cmd_recv(subreq, state);
++ TALLOC_FREE(subreq);
++ state->mdscli_ctx->async_pending--;
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++
++ d = dalloc_new(state);
++ if (tevent_req_nomem(d, req)) {
++ return;
++ }
++
++ ok = sl_unpack(d,
++ (char *)state->response_blob.spotlight_blob,
++ state->response_blob.length);
++ if (!ok) {
++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
++ return;
++ }
++
++ path_scope_array = dalloc_value_for_key(d,
++ "DALLOC_CTX", 0,
++ "kMDSStorePathScopes",
++ "sl_array_t");
++ if (path_scope_array == NULL) {
++ DBG_ERR("Missing kMDSStorePathScopes\n");
++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
++ return;
++ }
++
++ path_scope = dalloc_get(path_scope_array, "char *", 0);
++ if (path_scope == NULL) {
++ DBG_ERR("Missing path in kMDSStorePathScopes\n");
++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
++ return;
++ }
++
++ mdscli_ctx->path_scope_len = strlen(path_scope);
++ if (mdscli_ctx->path_scope_len < 1 ||
++ mdscli_ctx->path_scope_len > UINT16_MAX)
++ {
++ DBG_ERR("Bad path_scope: %s\n", path_scope);
++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
++ return;
++ }
++ mdscli_ctx->path_scope = talloc_strdup(mdscli_ctx, path_scope);
++ if (tevent_req_nomem(mdscli_ctx->path_scope, req)) {
++ return;
++ }
++
++ if (mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] == '/') {
++ mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] = '\0';
++ mdscli_ctx->path_scope_len--;
++ }
++
+
+ tevent_req_done(req);
+ }
+@@ -697,7 +816,10 @@ static void mdscli_get_path_done(struct tevent_req *subreq)
+ struct mdscli_get_path_state *state = tevent_req_data(
+ req, struct mdscli_get_path_state);
+ DALLOC_CTX *d = NULL;
++ size_t pathlen;
++ size_t prefixlen;
+ char *path = NULL;
++ const char *p = NULL;
+ NTSTATUS status;
+ bool ok;
+
+@@ -732,7 +854,38 @@ static void mdscli_get_path_done(struct tevent_req *subreq)
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+- state->path = talloc_move(state, &path);
++
++ /* Path is prefixed by /PATHSCOPE/SHARENAME/, strip it */
++ pathlen = strlen(path);
++
++ /*
++ * path_scope_len and share_path_len are already checked to be smaller
++ * then UINT16_MAX so this can't overflow
++ */
++ prefixlen = state->mdscli_ctx->path_scope_len
++ + state->mdscli_ctx->mdscmd_open.share_path_len;
++
++ if (pathlen < prefixlen) {
++ DBG_DEBUG("Bad path: %s\n", path);
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ return;
++ }
++
++ p = path + prefixlen;
++ while (*p == '/') {
++ p++;
++ }
++ if (*p == '\0') {
++ DBG_DEBUG("Bad path: %s\n", path);
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ return;
++ }
++
++ state->path = talloc_strdup(state, p);
++ if (state->path == NULL) {
++ tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
++ return;
++ }
+ DBG_DEBUG("path: %s\n", state->path);
+
+ tevent_req_done(req);
+diff --git a/source3/rpc_client/cli_mdssvc_private.h b/source3/rpc_client/cli_mdssvc_private.h
+index 031af85..b10aca0 100644
+--- a/source3/rpc_client/cli_mdssvc_private.h
++++ b/source3/rpc_client/cli_mdssvc_private.h
+@@ -42,6 +42,7 @@ struct mdscli_ctx {
+ /* cmd specific or unknown fields */
+ struct {
+ char share_path[1025];
++ size_t share_path_len;
+ uint32_t unkn2;
+ uint32_t unkn3;
+ } mdscmd_open;
+@@ -56,6 +57,9 @@ struct mdscli_ctx {
+ struct {
+ uint32_t status;
+ } mdscmd_close;
++
++ char *path_scope;
++ size_t path_scope_len;
+ };
+
+ struct mdscli_search_ctx {
+diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
+index a39202d..1eaaca7 100644
+--- a/source3/rpc_client/cli_mdssvc_util.c
++++ b/source3/rpc_client/cli_mdssvc_util.c
+@@ -28,6 +28,74 @@
+ #include "rpc_server/mdssvc/dalloc.h"
+ #include "rpc_server/mdssvc/marshalling.h"
+
++NTSTATUS mdscli_blob_fetch_props(TALLOC_CTX *mem_ctx,
++ struct mdscli_ctx *ctx,
++ struct mdssvc_blob *blob)
++{
++ DALLOC_CTX *d = NULL;
++ uint64_t *uint64p = NULL;
++ sl_array_t *array = NULL;
++ sl_array_t *cmd_array = NULL;
++ NTSTATUS status;
++ int ret;
++
++ d = dalloc_new(mem_ctx);
++ if (d == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ array = dalloc_zero(d, sl_array_t);
++ if (array == NULL) {
++ TALLOC_FREE(d);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ ret = dalloc_add(d, array, sl_array_t);
++ if (ret != 0) {
++ TALLOC_FREE(d);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ cmd_array = dalloc_zero(d, sl_array_t);
++ if (cmd_array == NULL) {
++ TALLOC_FREE(d);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ ret = dalloc_add(array, cmd_array, sl_array_t);
++ if (ret != 0) {
++ TALLOC_FREE(d);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ ret = dalloc_stradd(cmd_array, "fetchPropertiesForContext:");
++ if (ret != 0) {
++ TALLOC_FREE(d);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ uint64p = talloc_zero_array(cmd_array, uint64_t, 2);
++ if (uint64p == NULL) {
++ TALLOC_FREE(d);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ talloc_set_name(uint64p, "uint64_t *");
++
++ ret = dalloc_add(cmd_array, uint64p, uint64_t *);
++ if (ret != 0) {
++ TALLOC_FREE(d);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
++ TALLOC_FREE(d);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++ return NT_STATUS_OK;
++}
++
+ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
+ struct mdscli_search_ctx *search,
+ struct mdssvc_blob *blob)
+diff --git a/source3/rpc_client/cli_mdssvc_util.h b/source3/rpc_client/cli_mdssvc_util.h
+index 7a98c85..3f32475 100644
+--- a/source3/rpc_client/cli_mdssvc_util.h
++++ b/source3/rpc_client/cli_mdssvc_util.h
+@@ -21,6 +21,10 @@
+ #ifndef _MDSCLI_UTIL_H_
+ #define _MDSCLI_UTIL_H_
+
++NTSTATUS mdscli_blob_fetch_props(TALLOC_CTX *mem_ctx,
++ struct mdscli_ctx *ctx,
++ struct mdssvc_blob *blob);
++
+ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
+ struct mdscli_search_ctx *search,
+ struct mdssvc_blob *blob);
+--
+2.40.0
new file mode 100644
@@ -0,0 +1,295 @@
+From 091b0265fe42878d676def5d4f5b4f8f3977b0e2 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Mon, 5 Jun 2023 18:02:20 +0200
+Subject: [PATCH] CVE-2023-34968: mdssvc: return a fake share path Instead of
+ returning the real server-side absolute path of shares and search results,
+ return a fake absolute path replacing the path of the share with the share
+ name, iow for a share "test" with a server-side path of "/foo/bar", we
+ previously returned
+
+ /foo/bar and
+ /foo/bar/search/result
+
+and now return
+
+ /test and
+ /test/search/result
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/091b0265fe42878d676def5d4f5b4f8f3977b0e2]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/lib/util_path.c | 52 ++++++++++++++++++++
+ source3/lib/util_path.h | 5 ++
+ source3/rpc_server/mdssvc/mdssvc.c | 60 +++++++++++++++++++++--
+ source3/rpc_server/mdssvc/mdssvc.h | 1 +
+ source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 17 +++++--
+ 6 files changed, 128 insertions(+), 7 deletions(-)
+ mode change 100755 => 100644 source3/libads/ldap.c
+
+diff --git a/source3/lib/util_path.c b/source3/lib/util_path.c
+index c34b734..5b5a51c 100644
+--- a/source3/lib/util_path.c
++++ b/source3/lib/util_path.c
+@@ -21,8 +21,10 @@
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include "includes.h"
+ #include "replace.h"
+ #include <talloc.h>
++#include "lib/util/debug.h"
+ #include "lib/util/samba_util.h"
+ #include "lib/util_path.h"
+
+@@ -210,3 +212,53 @@ char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *pathname_in)
+ *p++ = '\0';
+ return pathname;
+ }
++
++/*
++ * Take two absolute paths, figure out if "subdir" is a proper
++ * subdirectory of "parent". Return the component relative to the
++ * "parent" without the potential "/". Take care of "parent"
++ * possibly ending in "/".
++ */
++bool subdir_of(const char *parent,
++ size_t parent_len,
++ const char *subdir,
++ const char **_relative)
++{
++ const char *relative = NULL;
++ bool matched;
++
++ SMB_ASSERT(parent[0] == '/');
++ SMB_ASSERT(subdir[0] == '/');
++
++ if (parent_len == 1) {
++ /*
++ * Everything is below "/"
++ */
++ *_relative = subdir+1;
++ return true;
++ }
++
++ if (parent[parent_len-1] == '/') {
++ parent_len -= 1;
++ }
++
++ matched = (strncmp(subdir, parent, parent_len) == 0);
++ if (!matched) {
++ return false;
++ }
++
++ relative = &subdir[parent_len];
++
++ if (relative[0] == '\0') {
++ *_relative = relative; /* nothing left */
++ return true;
++ }
++
++ if (relative[0] == '/') {
++ /* End of parent must match a '/' in subdir. */
++ *_relative = relative+1;
++ return true;
++ }
++
++ return false;
++}
+diff --git a/source3/lib/util_path.h b/source3/lib/util_path.h
+index 3e7d04d..6d2155a 100644
+--- a/source3/lib/util_path.h
++++ b/source3/lib/util_path.h
+@@ -31,5 +31,10 @@ char *lock_path(TALLOC_CTX *mem_ctx, const char *name);
+ char *state_path(TALLOC_CTX *mem_ctx, const char *name);
+ char *cache_path(TALLOC_CTX *mem_ctx, const char *name);
+ char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *abs_path);
++bool subdir_of(const char *parent,
++ size_t parent_len,
++ const char *subdir,
++ const char **_relative);
++
+
+ #endif
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index 19257e8..d442d8d 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
++++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -520,11 +520,14 @@ static bool inode_map_add(struct sl_query *slq,
+ bool mds_add_result(struct sl_query *slq, const char *path)
+ {
+ struct smb_filename *smb_fname = NULL;
++ char *fake_path = NULL;
++ const char *relative = NULL;
+ struct stat_ex sb;
+ uint32_t attr;
+ uint64_t ino64;
+ int result;
+ NTSTATUS status;
++ bool sub;
+ bool ok;
+
+ /*
+@@ -610,6 +613,17 @@ bool mds_add_result(struct sl_query *slq, const char *path)
+ }
+ }
+
++ sub = subdir_of(slq->mds_ctx->spath,
++ slq->mds_ctx->spath_len,
++ path,
++ &relative);
++ if (!sub) {
++ DBG_ERR("[%s] is not inside [%s]\n",
++ path, slq->mds_ctx->spath);
++ slq->state = SLQ_STATE_ERROR;
++ return false;
++ }
++
+ /*
+ * Add inode number and filemeta to result set, this is what
+ * we return as part of the result set of a query
+@@ -622,18 +636,30 @@ bool mds_add_result(struct sl_query *slq, const char *path)
+ slq->state = SLQ_STATE_ERROR;
+ return false;
+ }
++
++ fake_path = talloc_asprintf(slq,
++ "/%s/%s",
++ slq->mds_ctx->sharename,
++ relative);
++ if (fake_path == NULL) {
++ slq->state = SLQ_STATE_ERROR;
++ return false;
++ }
++
+ ok = add_filemeta(slq->mds_ctx,
+ slq->reqinfo,
+ slq->query_results->fm_array,
+- path,
++ fake_path,
+ &sb);
+ if (!ok) {
+ DBG_ERR("add_filemeta error\n");
++ TALLOC_FREE(fake_path);
+ slq->state = SLQ_STATE_ERROR;
+ return false;
+ }
+
+- ok = inode_map_add(slq, ino64, path, &sb);
++ ok = inode_map_add(slq, ino64, fake_path, &sb);
++ TALLOC_FREE(fake_path);
+ if (!ok) {
+ DEBUG(1, ("inode_map_add error\n"));
+ slq->state = SLQ_STATE_ERROR;
+@@ -840,6 +866,32 @@ static void slq_close_timer(struct tevent_context *ev,
+ }
+ }
+
++/**
++ * Translate a fake scope from the client like /sharename/dir
++ * to the real server-side path, replacing the "/sharename" part
++ * with the absolute server-side path of the share.
++ **/
++static bool mdssvc_real_scope(struct sl_query *slq, const char *fake_scope)
++{
++ size_t sname_len = strlen(slq->mds_ctx->sharename);
++ size_t fake_scope_len = strlen(fake_scope);
++
++ if (fake_scope_len < sname_len + 1) {
++ DBG_ERR("Short scope [%s] for share [%s]\n",
++ fake_scope, slq->mds_ctx->sharename);
++ return false;
++ }
++
++ slq->path_scope = talloc_asprintf(slq,
++ "%s%s",
++ slq->mds_ctx->spath,
++ fake_scope + sname_len + 1);
++ if (slq->path_scope == NULL) {
++ return false;
++ }
++ return true;
++}
++
+ /**
+ * Begin a search query
+ **/
+@@ -946,8 +998,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ goto error;
+ }
+
+- slq->path_scope = talloc_strdup(slq, scope);
+- if (slq->path_scope == NULL) {
++ ok = mdssvc_real_scope(slq, scope);
++ if (!ok) {
+ goto error;
+ }
+
+diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
+index b3bd8b9..8434812 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.h
++++ b/source3/rpc_server/mdssvc/mdssvc.h
+@@ -127,6 +127,7 @@ struct mds_ctx {
+ int snum;
+ const char *sharename;
+ const char *spath;
++ size_t spath_len;
+ struct connection_struct *conn;
+ struct sl_query *query_list; /* list of active queries */
+ struct db_context *ino_path_map; /* dbwrap rbt for storing inode->path mappings */
+diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
+index 59e2a97..b20bd2a 100644
+--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
++++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
+@@ -121,6 +121,7 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r)
+ loadparm_s3_global_substitution();
+ int snum;
+ char *outpath = discard_const_p(char, r->out.share_path);
++ char *fake_path = NULL;
+ char *path;
+ NTSTATUS status;
+
+@@ -144,21 +145,31 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r)
+ return;
+ }
+
++ fake_path = talloc_asprintf(p->mem_ctx, "/%s", r->in.share_name);
++ if (fake_path == NULL) {
++ DBG_ERR("Couldn't create fake share path for %s\n",
++ r->in.share_name);
++ talloc_free(path);
++ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
++ return;
++ }
++
+ status = create_mdssvc_policy_handle(p->mem_ctx, p,
+ snum,
+ r->in.share_name,
+ path,
+ r->out.handle);
+ if (!NT_STATUS_IS_OK(status)) {
+- DBG_ERR("Couldn't create policy handle for %s\n",
++ DBG_ERR("Couldn't create path for %s\n",
+ r->in.share_name);
+ talloc_free(path);
++ talloc_free(fake_path);
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
+ return;
+ }
+
+- strlcpy(outpath, path, 1024);
+- talloc_free(path);
++ strlcpy(outpath, fake_path, 1024);
++ talloc_free(fake_path);
+ return;
+ }
+
+--
+2.40.0
@@ -38,6 +38,17 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-2127.patch \
file://CVE-2023-34967_0001.patch \
file://CVE-2023-34967_0002.patch \
+ file://CVE-2023-34968_0001.patch \
+ file://CVE-2023-34968_0002.patch \
+ file://CVE-2023-34968_0003.patch \
+ file://CVE-2023-34968_0004.patch \
+ file://CVE-2023-34968_0005.patch \
+ file://CVE-2023-34968_0006.patch \
+ file://CVE-2023-34968_0007.patch \
+ file://CVE-2023-34968_0008.patch \
+ file://CVE-2023-34968_0009.patch \
+ file://CVE-2023-34968_0010.patch \
+ file://CVE-2023-34968_0011.patch \
"
SRC_URI:append:libc-musl = " \
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> --- .../samba/samba/CVE-2023-34968_0001.patch | 104 ++++ .../samba/samba/CVE-2023-34968_0002.patch | 39 ++ .../samba/samba/CVE-2023-34968_0003.patch | 65 +++ .../samba/samba/CVE-2023-34968_0004.patch | 85 +++ .../samba/samba/CVE-2023-34968_0005.patch | 83 +++ .../samba/samba/CVE-2023-34968_0006.patch | 57 +++ .../samba/samba/CVE-2023-34968_0007.patch | 49 ++ .../samba/samba/CVE-2023-34968_0008.patch | 62 +++ .../samba/samba/CVE-2023-34968_0009.patch | 465 +++++++++++++++++ .../samba/samba/CVE-2023-34968_0010.patch | 484 ++++++++++++++++++ .../samba/samba/CVE-2023-34968_0011.patch | 295 +++++++++++ .../samba/samba_4.14.14.bb | 11 + 12 files changed, 1799 insertions(+) create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0001.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0002.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0003.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0004.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0006.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0007.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0008.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0009.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0010.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0011.patch