summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPolampalli, Archana <archana.polampalli@windriver.com>2023-10-03 11:47:40 +0000
committerArmin Kuster <akuster808@gmail.com>2023-10-17 08:42:14 -0400
commitbaf6153112e416cf2fe05351a1b007d88f0ef1a4 (patch)
tree2582c293127c9cebd736025cdb1bc5ec6e1cdef3
parentbbe79e4f1787b97ec6c227720ffee06a690e2ab5 (diff)
downloadmeta-openembedded-baf6153112e416cf2fe05351a1b007d88f0ef1a4.tar.gz
samba: fix CVE-2023-34968
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0001.patch104
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0002.patch39
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0003.patch65
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0004.patch85
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch83
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0006.patch57
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0007.patch49
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0008.patch62
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0009.patch465
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0010.patch484
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0011.patch295
-rw-r--r--meta-networking/recipes-connectivity/samba/samba_4.14.14.bb11
12 files changed, 1799 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0001.patch
new file mode 100644
index 0000000000..ad8e3e4ce3
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0001.patch
@@ -0,0 +1,104 @@
1From 98b2a013bc723cd660978d5a1db40b987816f90e Mon Sep 17 00:00:00 2001
2From: Ralph Boehme <slow@samba.org>
3Date: Tue, 6 Jun 2023 15:17:26 +0200
4Subject: [PATCH] CVE-2023-34968: mdssvc: cache and reuse stat info in struct
5 sl_inode_path_map
6
7Prepare for the "path" being a fake path and not the real server-side
8path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already
9got stat info for the object in mds_add_result() so we can just pass stat info
10from there.
11
12BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
13
14Signed-off-by: Ralph Boehme <slow@samba.org>
15Reviewed-by: Stefan Metzmacher <metze@samba.org>
16
17Upstream-Status: Backport [https://github.com/samba-team/samba/commit/98b2a013bc723cd660978d5a1db40b987816f90e]
18
19CVE: CVE-2023-34968
20
21Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
22---
23 source3/rpc_server/mdssvc/mdssvc.c | 32 +++++++-----------------------
24 source3/rpc_server/mdssvc/mdssvc.h | 1 +
25 2 files changed, 8 insertions(+), 25 deletions(-)
26
27diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
28index 26a3ec7..a6cc653 100644
29--- a/source3/rpc_server/mdssvc/mdssvc.c
30+++ b/source3/rpc_server/mdssvc/mdssvc.c
31@@ -446,7 +446,10 @@ static int ino_path_map_destr_cb(struct sl_inode_path_map *entry)
32 * entries by calling talloc_free() on the query slq handles.
33 **/
34
35-static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path)
36+static bool inode_map_add(struct sl_query *slq,
37+ uint64_t ino,
38+ const char *path,
39+ struct stat_ex *st)
40 {
41 NTSTATUS status;
42 struct sl_inode_path_map *entry;
43@@ -493,6 +496,7 @@ static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path)
44
45 entry->ino = ino;
46 entry->mds_ctx = slq->mds_ctx;
47+ entry->st = *st;
48 entry->path = talloc_strdup(entry, path);
49 if (entry->path == NULL) {
50 DEBUG(1, ("talloc failed\n"));
51@@ -629,7 +633,7 @@ bool mds_add_result(struct sl_query *slq, const char *path)
52 return false;
53 }
54
55- ok = inode_map_add(slq, ino64, path);
56+ ok = inode_map_add(slq, ino64, path, &sb);
57 if (!ok) {
58 DEBUG(1, ("inode_map_add error\n"));
59 slq->state = SLQ_STATE_ERROR;
60@@ -1350,29 +1354,7 @@ static bool slrpc_fetch_attributes(struct mds_ctx *mds_ctx,
61 elem = talloc_get_type_abort(p, struct sl_inode_path_map);
62 path = elem->path;
63
64- status = synthetic_pathref(talloc_tos(),
65- mds_ctx->conn->cwd_fsp,
66- path,
67- NULL,
68- NULL,
69- 0,
70- 0,
71- &smb_fname);
72- if (!NT_STATUS_IS_OK(status)) {
73- /* This is not an error, the user may lack permissions */
74- DBG_DEBUG("synthetic_pathref [%s]: %s\n",
75- smb_fname_str_dbg(smb_fname),
76- nt_errstr(status));
77- return true;
78- }
79-
80- result = SMB_VFS_FSTAT(smb_fname->fsp, &smb_fname->st);
81- if (result != 0) {
82- TALLOC_FREE(smb_fname);
83- return true;
84- }
85-
86- sp = &smb_fname->st;
87+ sp = &elem->st;
88 }
89
90 ok = add_filemeta(mds_ctx, reqinfo, fm_array, path, sp);
91diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
92index 3924827..a097991 100644
93--- a/source3/rpc_server/mdssvc/mdssvc.h
94+++ b/source3/rpc_server/mdssvc/mdssvc.h
95@@ -105,6 +105,7 @@ struct sl_inode_path_map {
96 struct mds_ctx *mds_ctx;
97 uint64_t ino;
98 char *path;
99+ struct stat_ex st;
100 };
101
102 /* Per process state */
103--
1042.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0002.patch
new file mode 100644
index 0000000000..21b98c4d7e
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0002.patch
@@ -0,0 +1,39 @@
1From 47a0c1681dd1e7ec407679793966ec8bdc08a24e Mon Sep 17 00:00:00 2001
2From: Ralph Boehme <slow@samba.org>
3Date: Sat, 17 Jun 2023 13:39:55 +0200
4Subject: [PATCH] CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes"
5 dict key in slrpc_fetch_properties()
6
7We were adding the value, but not the key.
8
9BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
10
11Signed-off-by: Ralph Boehme <slow@samba.org>
12Reviewed-by: Stefan Metzmacher <metze@samba.org>
13
14Upstream-Status: Backport [https://github.com/samba-team/samba/commit/47a0c1681dd1e7ec407679793966ec8bdc08a24e]
15
16CVE: CVE-2023-34968
17
18Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
19---
20 source3/rpc_server/mdssvc/mdssvc.c | 4 ++++
21 1 file changed, 4 insertions(+)
22
23diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
24index a6d09a43b9c..9c23ef95753 100644
25--- a/source3/rpc_server/mdssvc/mdssvc.c
26+++ b/source3/rpc_server/mdssvc/mdssvc.c
27@@ -730,6 +730,10 @@ static bool slrpc_fetch_properties(struct mds_ctx *mds_ctx,
28 }
29
30 /* kMDSStoreMetaScopes array */
31+ result = dalloc_stradd(dict, "kMDSStoreMetaScopes");
32+ if (result != 0) {
33+ return false;
34+ }
35 array = dalloc_zero(dict, sl_array_t);
36 if (array == NULL) {
37 return NULL;
38--
392.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0003.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0003.patch
new file mode 100644
index 0000000000..42106d82b8
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0003.patch
@@ -0,0 +1,65 @@
1From 56a21b3bc8fb24416ead9061f9305c8122bc7f86 Mon Sep 17 00:00:00 2001
2From: Ralph Boehme <slow@samba.org>
3Date: Mon, 19 Jun 2023 17:14:38 +0200
4Subject: [PATCH] CVE-2023-34968: mdscli: use correct TALLOC memory context
5 when allocating spotlight_blob
6
7d is talloc_free()d at the end of the functions and the buffer was later used
8after beeing freed in the DCERPC layer when sending the packet.
9
10BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
11
12Signed-off-by: Ralph Boehme <slow@samba.org>
13Reviewed-by: Stefan Metzmacher <metze@samba.org>
14
15Upstream-Status: Backport [https://github.com/samba-team/samba/commit/56a21b3bc8fb24416ead9061f9305c8122bc7f86]
16
17CVE: CVE-2023-34968
18
19Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
20---
21 source3/rpc_client/cli_mdssvc_util.c | 8 ++++----
22 1 file changed, 4 insertions(+), 4 deletions(-)
23
24diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
25index fe5092c3790..892a844e71a 100644
26--- a/source3/rpc_client/cli_mdssvc_util.c
27+++ b/source3/rpc_client/cli_mdssvc_util.c
28@@ -209,7 +209,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
29 return NT_STATUS_NO_MEMORY;
30 }
31
32- blob->spotlight_blob = talloc_array(d,
33+ blob->spotlight_blob = talloc_array(mem_ctx,
34 uint8_t,
35 ctx->max_fragment_size);
36 if (blob->spotlight_blob == NULL) {
37@@ -293,7 +293,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
38 return NT_STATUS_NO_MEMORY;
39 }
40
41- blob->spotlight_blob = talloc_array(d,
42+ blob->spotlight_blob = talloc_array(mem_ctx,
43 uint8_t,
44 ctx->max_fragment_size);
45 if (blob->spotlight_blob == NULL) {
46@@ -426,7 +426,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
47 return NT_STATUS_NO_MEMORY;
48 }
49
50- blob->spotlight_blob = talloc_array(d,
51+ blob->spotlight_blob = talloc_array(mem_ctx,
52 uint8_t,
53 ctx->max_fragment_size);
54 if (blob->spotlight_blob == NULL) {
55@@ -510,7 +510,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
56 return NT_STATUS_NO_MEMORY;
57 }
58
59- blob->spotlight_blob = talloc_array(d,
60+ blob->spotlight_blob = talloc_array(mem_ctx,
61 uint8_t,
62 ctx->max_fragment_size);
63 if (blob->spotlight_blob == NULL) {
64--
652.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0004.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0004.patch
new file mode 100644
index 0000000000..785908b528
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0004.patch
@@ -0,0 +1,85 @@
1From 0ae6084d1a9c4eb12e9f1ab1902e00f96bcbea55 Mon Sep 17 00:00:00 2001
2From: Ralph Boehme <slow@samba.org>
3Date: Mon, 19 Jun 2023 18:28:41 +0200
4Subject: [PATCH] CVE-2023-34968: mdscli: remove response blob allocation
5
6This is handled by the NDR code transparently.
7
8BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
9
10Signed-off-by: Ralph Boehme <slow@samba.org>
11Reviewed-by: Stefan Metzmacher <metze@samba.org>
12---
13 source3/rpc_client/cli_mdssvc.c | 36 ---------------------------------
14 1 file changed, 36 deletions(-)
15
16diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c
17index 046d37135cb..474d7c0b150 100644
18--- a/source3/rpc_client/cli_mdssvc.c
19+++ b/source3/rpc_client/cli_mdssvc.c
20@@ -276,15 +276,6 @@ struct tevent_req *mdscli_search_send(TALLOC_CTX *mem_ctx,
21 return tevent_req_post(req, ev);
22 }
23
24- state->response_blob.spotlight_blob = talloc_array(
25- state,
26- uint8_t,
27- mdscli_ctx->max_fragment_size);
28- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
29- return tevent_req_post(req, ev);
30- }
31- state->response_blob.size = mdscli_ctx->max_fragment_size;
32-
33 subreq = dcerpc_mdssvc_cmd_send(state,
34 ev,
35 mdscli_ctx->bh,
36@@ -457,15 +448,6 @@ struct tevent_req *mdscli_get_results_send(
37 return tevent_req_post(req, ev);
38 }
39
40- state->response_blob.spotlight_blob = talloc_array(
41- state,
42- uint8_t,
43- mdscli_ctx->max_fragment_size);
44- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
45- return tevent_req_post(req, ev);
46- }
47- state->response_blob.size = mdscli_ctx->max_fragment_size;
48-
49 subreq = dcerpc_mdssvc_cmd_send(state,
50 ev,
51 mdscli_ctx->bh,
52@@ -681,15 +663,6 @@ struct tevent_req *mdscli_get_path_send(TALLOC_CTX *mem_ctx,
53 return tevent_req_post(req, ev);
54 }
55
56- state->response_blob.spotlight_blob = talloc_array(
57- state,
58- uint8_t,
59- mdscli_ctx->max_fragment_size);
60- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
61- return tevent_req_post(req, ev);
62- }
63- state->response_blob.size = mdscli_ctx->max_fragment_size;
64-
65 subreq = dcerpc_mdssvc_cmd_send(state,
66 ev,
67 mdscli_ctx->bh,
68@@ -852,15 +825,6 @@ struct tevent_req *mdscli_close_search_send(TALLOC_CTX *mem_ctx,
69 return tevent_req_post(req, ev);
70 }
71
72- state->response_blob.spotlight_blob = talloc_array(
73- state,
74- uint8_t,
75- mdscli_ctx->max_fragment_size);
76- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
77- return tevent_req_post(req, ev);
78- }
79- state->response_blob.size = mdscli_ctx->max_fragment_size;
80-
81 subreq = dcerpc_mdssvc_cmd_send(state,
82 ev,
83 mdscli_ctx->bh,
84--
852.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch
new file mode 100644
index 0000000000..308b441e95
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch
@@ -0,0 +1,83 @@
1From 353a9ccea6ff93ea2cd604dcc2b0372f056f819d Mon Sep 17 00:00:00 2001
2From: Ralph Boehme <slow@samba.org>
3Date: Tue, 20 Jun 2023 11:28:47 +0200
4Subject: [PATCH] CVE-2023-34968: smbtorture: remove response blob allocation
5 in mdssvc.c
6
7This is alreay done by NDR for us.
8
9BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
10
11Signed-off-by: Ralph Boehme <slow@samba.org>
12Reviewed-by: Stefan Metzmacher <metze@samba.org>
13
14Upstream-Status: Backport [https://github.com/samba-team/samba/commit/353a9ccea6ff93ea2cd604dcc2b0372f056f819d]
15
16CVE: CVE-2023-34968
17
18Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
19
20---
21 source4/torture/rpc/mdssvc.c | 26 --------------------------
22 1 file changed, 26 deletions(-)
23
24diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
25index 3689692f7de..a16bd5b47e3 100644
26--- a/source4/torture/rpc/mdssvc.c
27+++ b/source4/torture/rpc/mdssvc.c
28@@ -536,13 +536,6 @@ static bool test_mdssvc_invalid_ph_cmd(struct torture_context *tctx,
29 request_blob.length = 0;
30 request_blob.size = 0;
31
32- response_blob.spotlight_blob = talloc_array(state,
33- uint8_t,
34- 0);
35- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
36- ok, done, "dalloc_zero failed\n");
37- response_blob.size = 0;
38-
39 status = dcerpc_mdssvc_cmd(b,
40 state,
41 &ph,
42@@ -632,13 +625,6 @@ static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
43 request_blob.size = sizeof(test_sl_unpack_loop_buf);
44 request_blob.length = sizeof(test_sl_unpack_loop_buf);
45
46- response_blob.spotlight_blob = talloc_array(state,
47- uint8_t,
48- 0);
49- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
50- ok, done, "dalloc_zero failed\n");
51- response_blob.size = 0;
52-
53 status = dcerpc_mdssvc_cmd(b,
54 state,
55 &state->ph,
56@@ -764,11 +750,6 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx,
57 torture_assert_goto(tctx, request_blob.length > 0,
58 ok, done, "sl_pack failed\n");
59
60- response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
61- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
62- ok, done, "dalloc_zero failed\n");
63- response_blob.size = 0;
64-
65 status = dcerpc_mdssvc_cmd(b,
66 state,
67 &state->ph,
68@@ -926,13 +907,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
69 ret, done, "dalloc_zero failed\n");
70 request_blob.size = max_fragment_size;
71
72- response_blob.spotlight_blob = talloc_array(state,
73- uint8_t,
74- max_fragment_size);
75- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
76- ret, done, "dalloc_zero failed\n");
77- response_blob.size = max_fragment_size;
78-
79 len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
80 torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n");
81
82--
832.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0006.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0006.patch
new file mode 100644
index 0000000000..34526a8c8e
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0006.patch
@@ -0,0 +1,57 @@
1From 449f1280b718c6da3b8e309fe124be4e9bfd8184 Mon Sep 17 00:00:00 2001
2From: Ralph Boehme <slow@samba.org>
3Date: Tue, 20 Jun 2023 11:35:41 +0200
4Subject: [PATCH] CVE-2023-34968: rpcclient: remove response blob allocation
5
6This is alreay done by NDR for us.
7
8BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
9
10Signed-off-by: Ralph Boehme <slow@samba.org>
11Reviewed-by: Stefan Metzmacher <metze@samba.org>
12
13Upstream-Status: Backport [https://github.com/samba-team/samba/commit/449f1280b718c6da3b8e309fe124be4e9bfd8184]
14
15CVE: CVE-2023-34968
16
17Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
18---
19 source3/rpcclient/cmd_spotlight.c | 16 ----------------
20 1 file changed, 16 deletions(-)
21
22diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c
23index 24db9893df6..64fe321089c 100644
24--- a/source3/rpcclient/cmd_spotlight.c
25+++ b/source3/rpcclient/cmd_spotlight.c
26@@ -144,13 +144,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
27 }
28 request_blob.size = max_fragment_size;
29
30- response_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size);
31- if (response_blob.spotlight_blob == NULL) {
32- status = NT_STATUS_INTERNAL_ERROR;
33- goto done;
34- }
35- response_blob.size = max_fragment_size;
36-
37 len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
38 if (len == -1) {
39 status = NT_STATUS_INTERNAL_ERROR;
40@@ -368,15 +361,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
41 }
42 request_blob.size = max_fragment_size;
43
44- response_blob.spotlight_blob = talloc_array(mem_ctx,
45- uint8_t,
46- max_fragment_size);
47- if (response_blob.spotlight_blob == NULL) {
48- status = NT_STATUS_INTERNAL_ERROR;
49- goto done;
50- }
51- response_blob.size = max_fragment_size;
52-
53 len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
54 if (len == -1) {
55 status = NT_STATUS_INTERNAL_ERROR;
56--
572.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0007.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0007.patch
new file mode 100644
index 0000000000..679e174c05
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0007.patch
@@ -0,0 +1,49 @@
1From cc593a6ac531f02f2fe70fd4f7dfe649a02f9206 Mon Sep 17 00:00:00 2001
2From: Ralph Boehme <slow@samba.org>
3Date: Tue, 20 Jun 2023 11:42:10 +0200
4Subject: [PATCH] CVE-2023-34968: mdssvc: remove response blob allocation
5
6This is alreay done by NDR for us.
7
8BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
9
10Signed-off-by: Ralph Boehme <slow@samba.org>
11Reviewed-by: Stefan Metzmacher <metze@samba.org>
12
13Upstream-Status: Backport [https://github.com/samba-team/samba/commit/cc593a6ac531f02f2fe70fd4f7dfe649a02f9206]
14
15CVE: CVE-2023-34968
16
17Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
18---
19 source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 8 --------
20 1 file changed, 8 deletions(-)
21
22diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
23index b8eed8b..714e6c1 100644
24--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
25+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
26@@ -209,7 +209,6 @@ void _mdssvc_unknown1(struct pipes_struct *p, struct mdssvc_unknown1 *r)
27 void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
28 {
29 bool ok;
30- char *rbuf;
31 struct mds_ctx *mds_ctx;
32 NTSTATUS status;
33
34@@ -266,13 +265,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
35 return;
36 }
37
38- rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1);
39- if (rbuf == NULL) {
40- p->fault_state = DCERPC_FAULT_CANT_PERFORM;
41- return;
42- }
43- r->out.response_blob->spotlight_blob = (uint8_t *)rbuf;
44- r->out.response_blob->size = r->in.max_fragment_size1;
45
46 /* We currently don't use fragmentation at the mdssvc RPC layer */
47 *r->out.fragment = 0;
48--
492.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0008.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0008.patch
new file mode 100644
index 0000000000..e65379fe83
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0008.patch
@@ -0,0 +1,62 @@
1From 397919e82b493206ae9b60bb9c539d52c3207729 Mon Sep 17 00:00:00 2001
2From: Archana Polampalli <archana.polampalli@windriver.com>
3Date: Fri, 29 Sep 2023 08:59:31 +0000
4Subject: [PATCH] CVE-2023-34968: mdssvc: switch to doing an early return
5
6Just reduce indentation of the code handling the success case. No change in
7behaviour.
8
9BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
10
11Signed-off-by: Ralph Boehme <slow@samba.org>
12Reviewed-by: Stefan Metzmacher <metze@samba.org>
13
14Upstream-Status: Backport [https://github.com/samba-team/samba/commit/397919e82b493206ae9b60bb9c539d52c3207729]
15
16CVE: CVE-2023-34968
17
18Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
19---
20 source3/rpc_server/mdssvc/mdssvc.c | 26 ++++++++++++++------------
21 1 file changed, 14 insertions(+), 12 deletions(-)
22
23diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
24index a6cc653..0e6a916 100644
25--- a/source3/rpc_server/mdssvc/mdssvc.c
26+++ b/source3/rpc_server/mdssvc/mdssvc.c
27@@ -1798,19 +1798,21 @@ bool mds_dispatch(struct mds_ctx *mds_ctx,
28 }
29
30 ok = slcmd->function(mds_ctx, query, reply);
31- if (ok) {
32- DBG_DEBUG("%s", dalloc_dump(reply, 0));
33-
34- len = sl_pack(reply,
35- (char *)response_blob->spotlight_blob,
36- response_blob->size);
37- if (len == -1) {
38- DBG_ERR("error packing Spotlight RPC reply\n");
39- ok = false;
40- goto cleanup;
41- }
42- response_blob->length = len;
43+ if (!ok) {
44+ goto cleanup;
45+ }
46+
47+ DBG_DEBUG("%s", dalloc_dump(reply, 0));
48+
49+ len = sl_pack(reply,
50+ (char *)response_blob->spotlight_blob,
51+ response_blob->size);
52+ if (len == -1) {
53+ DBG_ERR("error packing Spotlight RPC reply\n");
54+ ok = false;
55+ goto cleanup;
56 }
57+ response_blob->length = len;
58
59 cleanup:
60 talloc_free(query);
61--
622.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0009.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0009.patch
new file mode 100644
index 0000000000..e21f2ba4be
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0009.patch
@@ -0,0 +1,465 @@
1From cb8313e7bee75454ce29d2b2f657927259298f52 Mon Sep 17 00:00:00 2001
2From: Ralph Boehme <slow@samba.org>
3Date: Mon, 19 Jun 2023 18:16:57 +0200
4Subject: [PATCH] CVE-2023-34968: mdssvc: introduce an allocating wrapper to
5 sl_pack()
6
7sl_pack_alloc() does the buffer allocation that previously all callers of
8sl_pack() did themselves.
9
10BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
11
12Signed-off-by: Ralph Boehme <slow@samba.org>
13Reviewed-by: Stefan Metzmacher <metze@samba.org>
14
15Upstream-Status: Backport [https://github.com/samba-team/samba/commit/cb8313e7bee75454ce29d2b2f657927259298f52]
16
17CVE: CVE-2023-34968
18
19Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
20---
21 source3/rpc_client/cli_mdssvc_util.c | 80 +++++------------------
22 source3/rpc_server/mdssvc/marshalling.c | 35 ++++++++--
23 source3/rpc_server/mdssvc/marshalling.h | 9 ++-
24 source3/rpc_server/mdssvc/mdssvc.c | 18 ++---
25 source3/rpc_server/mdssvc/mdssvc.h | 5 +-
26 source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 5 +-
27 source3/rpcclient/cmd_spotlight.c | 32 ++-------
28 source4/torture/rpc/mdssvc.c | 24 ++-----
29 8 files changed, 80 insertions(+), 128 deletions(-)
30
31diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
32index 892a844..a39202d 100644
33--- a/source3/rpc_client/cli_mdssvc_util.c
34+++ b/source3/rpc_client/cli_mdssvc_util.c
35@@ -42,7 +42,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
36 sl_array_t *scope_array = NULL;
37 double dval;
38 uint64_t uint64val;
39- ssize_t len;
40+ NTSTATUS status;
41 int ret;
42
43 d = dalloc_new(mem_ctx);
44@@ -209,23 +209,11 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
45 return NT_STATUS_NO_MEMORY;
46 }
47
48- blob->spotlight_blob = talloc_array(mem_ctx,
49- uint8_t,
50- ctx->max_fragment_size);
51- if (blob->spotlight_blob == NULL) {
52- TALLOC_FREE(d);
53- return NT_STATUS_NO_MEMORY;
54- }
55- blob->size = ctx->max_fragment_size;
56-
57- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
58+ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
59 TALLOC_FREE(d);
60- if (len == -1) {
61- return NT_STATUS_NO_MEMORY;
62+ if (!NT_STATUS_IS_OK(status)) {
63+ return status;
64 }
65-
66- blob->length = len;
67- blob->size = len;
68 return NT_STATUS_OK;
69 }
70
71@@ -238,7 +226,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
72 uint64_t *uint64p = NULL;
73 sl_array_t *array = NULL;
74 sl_array_t *cmd_array = NULL;
75- ssize_t len;
76+ NTSTATUS status;
77 int ret;
78
79 d = dalloc_new(mem_ctx);
80@@ -293,23 +281,11 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
81 return NT_STATUS_NO_MEMORY;
82 }
83
84- blob->spotlight_blob = talloc_array(mem_ctx,
85- uint8_t,
86- ctx->max_fragment_size);
87- if (blob->spotlight_blob == NULL) {
88- TALLOC_FREE(d);
89- return NT_STATUS_NO_MEMORY;
90- }
91- blob->size = ctx->max_fragment_size;
92-
93- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
94+ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
95 TALLOC_FREE(d);
96- if (len == -1) {
97- return NT_STATUS_NO_MEMORY;
98+ if (!NT_STATUS_IS_OK(status)) {
99+ return status;
100 }
101-
102- blob->length = len;
103- blob->size = len;
104 return NT_STATUS_OK;
105 }
106
107@@ -325,7 +301,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
108 sl_array_t *cmd_array = NULL;
109 sl_array_t *attr_array = NULL;
110 sl_cnids_t *cnids = NULL;
111- ssize_t len;
112+ NTSTATUS status;
113 int ret;
114
115 d = dalloc_new(mem_ctx);
116@@ -426,23 +402,11 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
117 return NT_STATUS_NO_MEMORY;
118 }
119
120- blob->spotlight_blob = talloc_array(mem_ctx,
121- uint8_t,
122- ctx->max_fragment_size);
123- if (blob->spotlight_blob == NULL) {
124- TALLOC_FREE(d);
125- return NT_STATUS_NO_MEMORY;
126- }
127- blob->size = ctx->max_fragment_size;
128-
129- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
130+ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
131 TALLOC_FREE(d);
132- if (len == -1) {
133- return NT_STATUS_NO_MEMORY;
134+ if (!NT_STATUS_IS_OK(status)) {
135+ return status;
136 }
137-
138- blob->length = len;
139- blob->size = len;
140 return NT_STATUS_OK;
141 }
142
143@@ -455,7 +419,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
144 uint64_t *uint64p = NULL;
145 sl_array_t *array = NULL;
146 sl_array_t *cmd_array = NULL;
147- ssize_t len;
148+ NTSTATUS status;
149 int ret;
150
151 d = dalloc_new(mem_ctx);
152@@ -510,22 +474,10 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
153 return NT_STATUS_NO_MEMORY;
154 }
155
156- blob->spotlight_blob = talloc_array(mem_ctx,
157- uint8_t,
158- ctx->max_fragment_size);
159- if (blob->spotlight_blob == NULL) {
160- TALLOC_FREE(d);
161- return NT_STATUS_NO_MEMORY;
162- }
163- blob->size = ctx->max_fragment_size;
164-
165- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
166+ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
167 TALLOC_FREE(d);
168- if (len == -1) {
169- return NT_STATUS_NO_MEMORY;
170+ if (!NT_STATUS_IS_OK(status)) {
171+ return status;
172 }
173-
174- blob->length = len;
175- blob->size = len;
176 return NT_STATUS_OK;
177 }
178diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
179index 441d411..34bfda5 100644
180--- a/source3/rpc_server/mdssvc/marshalling.c
181+++ b/source3/rpc_server/mdssvc/marshalling.c
182@@ -78,6 +78,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, const char *buf,
183 ssize_t offset, size_t bufsize,
184 int count, ssize_t toc_offset,
185 int encoding);
186+static ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize);
187
188 /******************************************************************************
189 * Wrapper functions for the *VAL macros with bound checking
190@@ -1190,11 +1191,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
191 return offset;
192 }
193
194-/******************************************************************************
195- * Global functions for packing und unpacking
196- ******************************************************************************/
197-
198-ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize)
199+static ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize)
200 {
201 ssize_t result;
202 char *toc_buf;
203@@ -1274,6 +1271,34 @@ ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize)
204 return len;
205 }
206
207+/******************************************************************************
208+ * Global functions for packing und unpacking
209+ ******************************************************************************/
210+
211+NTSTATUS sl_pack_alloc(TALLOC_CTX *mem_ctx,
212+ DALLOC_CTX *d,
213+ struct mdssvc_blob *b,
214+ size_t max_fragment_size)
215+{
216+ ssize_t len;
217+
218+ b->spotlight_blob = talloc_zero_array(mem_ctx,
219+ uint8_t,
220+ max_fragment_size);
221+ if (b->spotlight_blob == NULL) {
222+ return NT_STATUS_NO_MEMORY;
223+ }
224+
225+ len = sl_pack(d, (char *)b->spotlight_blob, max_fragment_size);
226+ if (len == -1) {
227+ return NT_STATUS_DATA_ERROR;
228+ }
229+
230+ b->length = len;
231+ b->size = len;
232+ return NT_STATUS_OK;
233+}
234+
235 bool sl_unpack(DALLOC_CTX *query, const char *buf, size_t bufsize)
236 {
237 ssize_t result;
238diff --git a/source3/rpc_server/mdssvc/marshalling.h b/source3/rpc_server/mdssvc/marshalling.h
239index 086ca74..2cc1b44 100644
240--- a/source3/rpc_server/mdssvc/marshalling.h
241+++ b/source3/rpc_server/mdssvc/marshalling.h
242@@ -22,6 +22,9 @@
243 #define _MDSSVC_MARSHALLING_H
244
245 #include "dalloc.h"
246+#include "libcli/util/ntstatus.h"
247+#include "lib/util/data_blob.h"
248+#include "librpc/gen_ndr/mdssvc.h"
249
250 #define MAX_SL_FRAGMENT_SIZE 0xFFFFF
251
252@@ -49,7 +52,11 @@ typedef struct {
253 * Function declarations
254 ******************************************************************************/
255
256-extern ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize);
257+extern NTSTATUS sl_pack_alloc(TALLOC_CTX *mem_ctx,
258+ DALLOC_CTX *d,
259+ struct mdssvc_blob *b,
260+ size_t max_fragment_size);
261+
262 extern bool sl_unpack(DALLOC_CTX *query, const char *buf, size_t bufsize);
263
264 #endif
265diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
266index 0e6a916..19257e8 100644
267--- a/source3/rpc_server/mdssvc/mdssvc.c
268+++ b/source3/rpc_server/mdssvc/mdssvc.c
269@@ -1726,11 +1726,11 @@ error:
270 **/
271 bool mds_dispatch(struct mds_ctx *mds_ctx,
272 struct mdssvc_blob *request_blob,
273- struct mdssvc_blob *response_blob)
274+ struct mdssvc_blob *response_blob,
275+ size_t max_fragment_size)
276 {
277 bool ok;
278 int ret;
279- ssize_t len;
280 DALLOC_CTX *query = NULL;
281 DALLOC_CTX *reply = NULL;
282 char *rpccmd;
283@@ -1738,6 +1738,7 @@ bool mds_dispatch(struct mds_ctx *mds_ctx,
284 const struct smb_filename conn_basedir = {
285 .base_name = mds_ctx->conn->connectpath,
286 };
287+ NTSTATUS status;
288
289 if (CHECK_DEBUGLVL(10)) {
290 const struct sl_query *slq;
291@@ -1804,15 +1805,14 @@ bool mds_dispatch(struct mds_ctx *mds_ctx,
292
293 DBG_DEBUG("%s", dalloc_dump(reply, 0));
294
295- len = sl_pack(reply,
296- (char *)response_blob->spotlight_blob,
297- response_blob->size);
298- if (len == -1) {
299- DBG_ERR("error packing Spotlight RPC reply\n");
300- ok = false;
301+ status = sl_pack_alloc(response_blob,
302+ reply,
303+ response_blob,
304+ max_fragment_size);
305+ if (!NT_STATUS_IS_OK(status)) {
306+ DBG_ERR("sl_pack_alloc() failed\n");
307 goto cleanup;
308 }
309- response_blob->length = len;
310
311 cleanup:
312 talloc_free(query);
313diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
314index a097991..b3bd8b9 100644
315--- a/source3/rpc_server/mdssvc/mdssvc.h
316+++ b/source3/rpc_server/mdssvc/mdssvc.h
317@@ -157,9 +157,10 @@ struct mds_ctx *mds_init_ctx(TALLOC_CTX *mem_ctx,
318 int snum,
319 const char *sharename,
320 const char *path);
321-extern bool mds_dispatch(struct mds_ctx *query_ctx,
322+extern bool mds_dispatch(struct mds_ctx *mds_ctx,
323 struct mdssvc_blob *request_blob,
324- struct mdssvc_blob *response_blob);
325+ struct mdssvc_blob *response_blob,
326+ size_t max_fragment_size);
327 bool mds_add_result(struct sl_query *slq, const char *path);
328
329 #endif /* _MDSSVC_H */
330diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
331index 714e6c1..59e2a97 100644
332--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
333+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
334@@ -269,7 +269,10 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
335 /* We currently don't use fragmentation at the mdssvc RPC layer */
336 *r->out.fragment = 0;
337
338- ok = mds_dispatch(mds_ctx, &r->in.request_blob, r->out.response_blob);
339+ ok = mds_dispatch(mds_ctx,
340+ &r->in.request_blob,
341+ r->out.response_blob,
342+ r->in.max_fragment_size1);
343 if (ok) {
344 *r->out.unkn9 = 0;
345 } else {
346diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c
347index 64fe321..ba3f61f 100644
348--- a/source3/rpcclient/cmd_spotlight.c
349+++ b/source3/rpcclient/cmd_spotlight.c
350@@ -43,7 +43,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
351 uint32_t unkn3; /* server always returns 0 ? */
352 struct mdssvc_blob request_blob;
353 struct mdssvc_blob response_blob;
354- ssize_t len;
355 uint32_t max_fragment_size = 64 * 1024;
356 DALLOC_CTX *d, *mds_reply;
357 uint64_t *uint64var;
358@@ -137,20 +136,10 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
359 goto done;
360 }
361
362- request_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size);
363- if (request_blob.spotlight_blob == NULL) {
364- status = NT_STATUS_INTERNAL_ERROR;
365- goto done;
366- }
367- request_blob.size = max_fragment_size;
368-
369- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
370- if (len == -1) {
371- status = NT_STATUS_INTERNAL_ERROR;
372+ status = sl_pack_alloc(mem_ctx, d, &request_blob, max_fragment_size);
373+ if (!NT_STATUS_IS_OK(status)) {
374 goto done;
375 }
376- request_blob.length = len;
377- request_blob.size = len;
378
379 status = dcerpc_mdssvc_cmd(b, mem_ctx,
380 &share_handle,
381@@ -204,7 +193,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
382 uint32_t unkn3; /* server always returns 0 ? */
383 struct mdssvc_blob request_blob;
384 struct mdssvc_blob response_blob;
385- ssize_t len;
386 uint32_t max_fragment_size = 64 * 1024;
387 DALLOC_CTX *d, *mds_reply;
388 uint64_t *uint64var;
389@@ -352,22 +340,10 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
390 goto done;
391 }
392
393- request_blob.spotlight_blob = talloc_array(mem_ctx,
394- uint8_t,
395- max_fragment_size);
396- if (request_blob.spotlight_blob == NULL) {
397- status = NT_STATUS_INTERNAL_ERROR;
398- goto done;
399- }
400- request_blob.size = max_fragment_size;
401-
402- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
403- if (len == -1) {
404- status = NT_STATUS_INTERNAL_ERROR;
405+ status = sl_pack_alloc(mem_ctx, d, &request_blob, max_fragment_size);
406+ if (!NT_STATUS_IS_OK(status)) {
407 goto done;
408 }
409- request_blob.length = len;
410- request_blob.size = len;
411
412 status = dcerpc_mdssvc_cmd(b, mem_ctx,
413 &share_handle,
414diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
415index e99c82c..1305456 100644
416--- a/source4/torture/rpc/mdssvc.c
417+++ b/source4/torture/rpc/mdssvc.c
418@@ -745,11 +745,9 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx,
419 ok, done, "dalloc_new failed\n");
420 request_blob.size = 64 * 1024;
421
422- request_blob.length = sl_pack(d,
423- (char *)request_blob.spotlight_blob,
424- request_blob.size);
425- torture_assert_goto(tctx, request_blob.length > 0,
426- ok, done, "sl_pack failed\n");
427+ status = sl_pack_alloc(tctx, d, &request_blob, 64 * 1024);
428+ torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
429+ "sl_pack_alloc() failed\n");
430
431 status = dcerpc_mdssvc_cmd(b,
432 state,
433@@ -836,7 +834,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
434 const char *path_type = NULL;
435 uint64_t ino64;
436 NTSTATUS status;
437- ssize_t len;
438 int ret;
439 bool ok = true;
440
441@@ -901,19 +898,10 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
442 ret = dalloc_add(array, cnids, sl_cnids_t);
443 torture_assert_goto(tctx, ret == 0, ret, done, "dalloc_add failed\n");
444
445- request_blob.spotlight_blob = talloc_array(state,
446- uint8_t,
447- max_fragment_size);
448- torture_assert_not_null_goto(tctx, request_blob.spotlight_blob,
449- ret, done, "dalloc_zero failed\n");
450- request_blob.size = max_fragment_size;
451-
452- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
453- torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n");
454-
455- request_blob.length = len;
456- request_blob.size = len;
457
458+ status = sl_pack_alloc(tctx, d, &request_blob, max_fragment_size);
459+ torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
460+ "sl_pack_alloc() failed\n");
461 status = dcerpc_mdssvc_cmd(b,
462 state,
463 &state->ph,
464--
4652.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0010.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0010.patch
new file mode 100644
index 0000000000..57668f5eef
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0010.patch
@@ -0,0 +1,484 @@
1From a5c570e262911874e43e82de601d809aa5b1b729 Mon Sep 17 00:00:00 2001
2From: Ralph Boehme <slow@samba.org>
3Date: Sat, 17 Jun 2023 13:53:27 +0200
4Subject: [PATCH] CVE-2023-34968: mdscli: return share relative paths The next
5 commit will change the Samba Spotlight server to return absolute paths that
6 start with the sharename as "/SHARENAME/..." followed by the share path
7 relative appended.
8MIME-Version: 1.0
9Content-Type: text/plain; charset=UTF-8
10Content-Transfer-Encoding: 8bit
11
12So given a share
13
14 [spotlight]
15 path = /foo/bar
16 spotlight = yes
17
18and a file inside this share with a full path of
19
20 /foo/bar/dir/file
21
22previously a search that matched this file would returns the absolute
23server-side pato of the file, ie
24
25 /foo/bar/dir/file
26
27This will be change to
28
29 /spotlight/dir/file
30
31As currently the mdscli library and hence the mdsearch tool print out these
32paths returned from the server, we have to change the output to accomodate these
33fake paths. The only way to do this sensibly is by makeing the paths relative to
34the containing share, so just
35
36 dir/file
37
38in the example above.
39
40The client learns about the share root path prefix – real server-side of fake in
41the future – in an initial handshake in the "share_path" out argument of the
42mdssvc_open() RPC call, so the client can use this path to convert the absolute
43path to relative.
44
45There is however an additional twist: the macOS Spotlight server prefixes this
46absolute path with another prefix, typically "/System/Volumes/Data", so in the
47example above the full path for the same search would be
48
49 /System/Volumes/Data/foo/bar/dir/file
50
51So macOS does return the full server-side path too, just prefixed with an
52additional path. This path prefixed can be queried by the client in the
53mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:"
54and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
55just returns "/" for this.
56
57Currently the mdscli library doesn't issue this Spotlight RPC
58request (fetchPropertiesForContext), so this is added in this commit. In the
59end, all search result paths are stripped of the combined prefix
60
61 kMDSStorePathScopes + share_path (from mdssvc_open).
62
63eg
64
65 kMDSStorePathScopes = /System/Volumes/Data
66 share_path = /foo/bar
67 search result = /System/Volumes/Data/foo/bar/dir/file
68 relative path returned by mdscli = dir/file
69
70Makes sense? :)
71
72BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
73
74Signed-off-by: Ralph Boehme <slow@samba.org>
75Reviewed-by: Stefan Metzmacher <metze@samba.org>
76
77Upstream-Status: Backport [https://github.com/samba-team/samba/commit/a5c570e262911874e43e82de601d809aa5b1b729]
78
79CVE: CVE-2023-34968
80
81Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
82---
83 python/samba/tests/dcerpc/mdssvc.py | 26 ++--
84 source3/rpc_client/cli_mdssvc.c | 155 +++++++++++++++++++++++-
85 source3/rpc_client/cli_mdssvc_private.h | 4 +
86 source3/rpc_client/cli_mdssvc_util.c | 68 +++++++++++
87 source3/rpc_client/cli_mdssvc_util.h | 4 +
88 5 files changed, 243 insertions(+), 14 deletions(-)
89
90diff --git a/python/samba/tests/dcerpc/mdssvc.py b/python/samba/tests/dcerpc/mdssvc.py
91index b0df509..5002e5d 100644
92--- a/python/samba/tests/dcerpc/mdssvc.py
93+++ b/python/samba/tests/dcerpc/mdssvc.py
94@@ -84,10 +84,11 @@ class MdssvcTests(RpcInterfaceTestCase):
95 self.t = threading.Thread(target=MdssvcTests.http_server, args=(self,))
96 self.t.setDaemon(True)
97 self.t.start()
98+ self.sharepath = os.environ["LOCAL_PATH"]
99 time.sleep(1)
100
101 conn = mdscli.conn(self.pipe, 'spotlight', '/foo')
102- self.sharepath = conn.sharepath()
103+ self.fakepath = conn.sharepath()
104 conn.disconnect(self.pipe)
105
106 for file in testfiles:
107@@ -105,12 +106,11 @@ class MdssvcTests(RpcInterfaceTestCase):
108 self.server.serve_forever()
109
110 def run_test(self, query, expect, json_in, json_out):
111- expect = [s.replace("%BASEPATH%", self.sharepath) for s in expect]
112 self.server.json_in = json_in.replace("%BASEPATH%", self.sharepath)
113 self.server.json_out = json_out.replace("%BASEPATH%", self.sharepath)
114
115 self.conn = mdscli.conn(self.pipe, 'spotlight', '/foo')
116- search = self.conn.search(self.pipe, query, self.sharepath)
117+ search = self.conn.search(self.pipe, query, self.fakepath)
118
119 # Give it some time, the get_results() below returns immediately
120 # what's available, so if we ask to soon, we might get back no results
121@@ -141,7 +141,7 @@ class MdssvcTests(RpcInterfaceTestCase):
122 ]
123 }
124 }'''
125- exp_results = ["%BASEPATH%/foo", "%BASEPATH%/bar"]
126+ exp_results = ["foo", "bar"]
127 self.run_test('*=="samba*"', exp_results, exp_json_query, fake_json_response)
128
129 def test_mdscli_search_escapes(self):
130@@ -181,14 +181,14 @@ class MdssvcTests(RpcInterfaceTestCase):
131 }
132 }'''
133 exp_results = [
134- r"%BASEPATH%/x+x",
135- r"%BASEPATH%/x*x",
136- r"%BASEPATH%/x=x",
137- r"%BASEPATH%/x'x",
138- r"%BASEPATH%/x?x",
139- r"%BASEPATH%/x x",
140- r"%BASEPATH%/x(x",
141- "%BASEPATH%/x\"x",
142- r"%BASEPATH%/x\x",
143+ r"x+x",
144+ r"x*x",
145+ r"x=x",
146+ r"x'x",
147+ r"x?x",
148+ r"x x",
149+ r"x(x",
150+ "x\"x",
151+ r"x\x",
152 ]
153 self.run_test(sl_query, exp_results, exp_json_query, fake_json_response)
154diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c
155index 07c19b5..a047b91 100644
156--- a/source3/rpc_client/cli_mdssvc.c
157+++ b/source3/rpc_client/cli_mdssvc.c
158@@ -43,10 +43,12 @@ char *mdscli_get_basepath(TALLOC_CTX *mem_ctx,
159 struct mdscli_connect_state {
160 struct tevent_context *ev;
161 struct mdscli_ctx *mdscli_ctx;
162+ struct mdssvc_blob response_blob;
163 };
164
165 static void mdscli_connect_open_done(struct tevent_req *subreq);
166 static void mdscli_connect_unknown1_done(struct tevent_req *subreq);
167+static void mdscli_connect_fetch_props_done(struct tevent_req *subreq);
168
169 struct tevent_req *mdscli_connect_send(TALLOC_CTX *mem_ctx,
170 struct tevent_context *ev,
171@@ -111,6 +113,7 @@ static void mdscli_connect_open_done(struct tevent_req *subreq)
172 struct mdscli_connect_state *state = tevent_req_data(
173 req, struct mdscli_connect_state);
174 struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
175+ size_t share_path_len;
176 NTSTATUS status;
177
178 status = dcerpc_mdssvc_open_recv(subreq, state);
179@@ -120,6 +123,18 @@ static void mdscli_connect_open_done(struct tevent_req *subreq)
180 return;
181 }
182
183+ share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path);
184+ if (share_path_len < 1 || share_path_len > UINT16_MAX) {
185+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
186+ return;
187+ }
188+ mdscli_ctx->mdscmd_open.share_path_len = share_path_len;
189+
190+ if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') {
191+ mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0';
192+ mdscli_ctx->mdscmd_open.share_path_len--;
193+ }
194+
195 subreq = dcerpc_mdssvc_unknown1_send(
196 state,
197 state->ev,
198@@ -146,6 +161,8 @@ static void mdscli_connect_unknown1_done(struct tevent_req *subreq)
199 subreq, struct tevent_req);
200 struct mdscli_connect_state *state = tevent_req_data(
201 req, struct mdscli_connect_state);
202+ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
203+ struct mdssvc_blob request_blob;
204 NTSTATUS status;
205
206 status = dcerpc_mdssvc_unknown1_recv(subreq, state);
207@@ -153,6 +170,108 @@ static void mdscli_connect_unknown1_done(struct tevent_req *subreq)
208 if (tevent_req_nterror(req, status)) {
209 return;
210 }
211+ status = mdscli_blob_fetch_props(state,
212+ state->mdscli_ctx,
213+ &request_blob);
214+ if (tevent_req_nterror(req, status)) {
215+ return;
216+ }
217+
218+ subreq = dcerpc_mdssvc_cmd_send(state,
219+ state->ev,
220+ mdscli_ctx->bh,
221+ &mdscli_ctx->ph,
222+ 0,
223+ mdscli_ctx->dev,
224+ mdscli_ctx->mdscmd_open.unkn2,
225+ 0,
226+ mdscli_ctx->flags,
227+ request_blob,
228+ 0,
229+ mdscli_ctx->max_fragment_size,
230+ 1,
231+ mdscli_ctx->max_fragment_size,
232+ 0,
233+ 0,
234+ &mdscli_ctx->mdscmd_cmd.fragment,
235+ &state->response_blob,
236+ &mdscli_ctx->mdscmd_cmd.unkn9);
237+ if (tevent_req_nomem(subreq, req)) {
238+ return;
239+ }
240+ tevent_req_set_callback(subreq, mdscli_connect_fetch_props_done, req);
241+ mdscli_ctx->async_pending++;
242+ return;
243+}
244+
245+static void mdscli_connect_fetch_props_done(struct tevent_req *subreq)
246+{
247+ struct tevent_req *req = tevent_req_callback_data(
248+ subreq, struct tevent_req);
249+ struct mdscli_connect_state *state = tevent_req_data(
250+ req, struct mdscli_connect_state);
251+ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
252+ DALLOC_CTX *d = NULL;
253+ sl_array_t *path_scope_array = NULL;
254+ char *path_scope = NULL;
255+ NTSTATUS status;
256+ bool ok;
257+
258+ status = dcerpc_mdssvc_cmd_recv(subreq, state);
259+ TALLOC_FREE(subreq);
260+ state->mdscli_ctx->async_pending--;
261+ if (tevent_req_nterror(req, status)) {
262+ return;
263+ }
264+
265+ d = dalloc_new(state);
266+ if (tevent_req_nomem(d, req)) {
267+ return;
268+ }
269+
270+ ok = sl_unpack(d,
271+ (char *)state->response_blob.spotlight_blob,
272+ state->response_blob.length);
273+ if (!ok) {
274+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
275+ return;
276+ }
277+
278+ path_scope_array = dalloc_value_for_key(d,
279+ "DALLOC_CTX", 0,
280+ "kMDSStorePathScopes",
281+ "sl_array_t");
282+ if (path_scope_array == NULL) {
283+ DBG_ERR("Missing kMDSStorePathScopes\n");
284+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
285+ return;
286+ }
287+
288+ path_scope = dalloc_get(path_scope_array, "char *", 0);
289+ if (path_scope == NULL) {
290+ DBG_ERR("Missing path in kMDSStorePathScopes\n");
291+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
292+ return;
293+ }
294+
295+ mdscli_ctx->path_scope_len = strlen(path_scope);
296+ if (mdscli_ctx->path_scope_len < 1 ||
297+ mdscli_ctx->path_scope_len > UINT16_MAX)
298+ {
299+ DBG_ERR("Bad path_scope: %s\n", path_scope);
300+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
301+ return;
302+ }
303+ mdscli_ctx->path_scope = talloc_strdup(mdscli_ctx, path_scope);
304+ if (tevent_req_nomem(mdscli_ctx->path_scope, req)) {
305+ return;
306+ }
307+
308+ if (mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] == '/') {
309+ mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] = '\0';
310+ mdscli_ctx->path_scope_len--;
311+ }
312+
313
314 tevent_req_done(req);
315 }
316@@ -697,7 +816,10 @@ static void mdscli_get_path_done(struct tevent_req *subreq)
317 struct mdscli_get_path_state *state = tevent_req_data(
318 req, struct mdscli_get_path_state);
319 DALLOC_CTX *d = NULL;
320+ size_t pathlen;
321+ size_t prefixlen;
322 char *path = NULL;
323+ const char *p = NULL;
324 NTSTATUS status;
325 bool ok;
326
327@@ -732,7 +854,38 @@ static void mdscli_get_path_done(struct tevent_req *subreq)
328 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
329 return;
330 }
331- state->path = talloc_move(state, &path);
332+
333+ /* Path is prefixed by /PATHSCOPE/SHARENAME/, strip it */
334+ pathlen = strlen(path);
335+
336+ /*
337+ * path_scope_len and share_path_len are already checked to be smaller
338+ * then UINT16_MAX so this can't overflow
339+ */
340+ prefixlen = state->mdscli_ctx->path_scope_len
341+ + state->mdscli_ctx->mdscmd_open.share_path_len;
342+
343+ if (pathlen < prefixlen) {
344+ DBG_DEBUG("Bad path: %s\n", path);
345+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
346+ return;
347+ }
348+
349+ p = path + prefixlen;
350+ while (*p == '/') {
351+ p++;
352+ }
353+ if (*p == '\0') {
354+ DBG_DEBUG("Bad path: %s\n", path);
355+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
356+ return;
357+ }
358+
359+ state->path = talloc_strdup(state, p);
360+ if (state->path == NULL) {
361+ tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
362+ return;
363+ }
364 DBG_DEBUG("path: %s\n", state->path);
365
366 tevent_req_done(req);
367diff --git a/source3/rpc_client/cli_mdssvc_private.h b/source3/rpc_client/cli_mdssvc_private.h
368index 031af85..b10aca0 100644
369--- a/source3/rpc_client/cli_mdssvc_private.h
370+++ b/source3/rpc_client/cli_mdssvc_private.h
371@@ -42,6 +42,7 @@ struct mdscli_ctx {
372 /* cmd specific or unknown fields */
373 struct {
374 char share_path[1025];
375+ size_t share_path_len;
376 uint32_t unkn2;
377 uint32_t unkn3;
378 } mdscmd_open;
379@@ -56,6 +57,9 @@ struct mdscli_ctx {
380 struct {
381 uint32_t status;
382 } mdscmd_close;
383+
384+ char *path_scope;
385+ size_t path_scope_len;
386 };
387
388 struct mdscli_search_ctx {
389diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
390index a39202d..1eaaca7 100644
391--- a/source3/rpc_client/cli_mdssvc_util.c
392+++ b/source3/rpc_client/cli_mdssvc_util.c
393@@ -28,6 +28,74 @@
394 #include "rpc_server/mdssvc/dalloc.h"
395 #include "rpc_server/mdssvc/marshalling.h"
396
397+NTSTATUS mdscli_blob_fetch_props(TALLOC_CTX *mem_ctx,
398+ struct mdscli_ctx *ctx,
399+ struct mdssvc_blob *blob)
400+{
401+ DALLOC_CTX *d = NULL;
402+ uint64_t *uint64p = NULL;
403+ sl_array_t *array = NULL;
404+ sl_array_t *cmd_array = NULL;
405+ NTSTATUS status;
406+ int ret;
407+
408+ d = dalloc_new(mem_ctx);
409+ if (d == NULL) {
410+ return NT_STATUS_NO_MEMORY;
411+ }
412+
413+ array = dalloc_zero(d, sl_array_t);
414+ if (array == NULL) {
415+ TALLOC_FREE(d);
416+ return NT_STATUS_NO_MEMORY;
417+ }
418+
419+ ret = dalloc_add(d, array, sl_array_t);
420+ if (ret != 0) {
421+ TALLOC_FREE(d);
422+ return NT_STATUS_NO_MEMORY;
423+ }
424+
425+ cmd_array = dalloc_zero(d, sl_array_t);
426+ if (cmd_array == NULL) {
427+ TALLOC_FREE(d);
428+ return NT_STATUS_NO_MEMORY;
429+ }
430+
431+ ret = dalloc_add(array, cmd_array, sl_array_t);
432+ if (ret != 0) {
433+ TALLOC_FREE(d);
434+ return NT_STATUS_NO_MEMORY;
435+ }
436+
437+ ret = dalloc_stradd(cmd_array, "fetchPropertiesForContext:");
438+ if (ret != 0) {
439+ TALLOC_FREE(d);
440+ return NT_STATUS_NO_MEMORY;
441+ }
442+
443+ uint64p = talloc_zero_array(cmd_array, uint64_t, 2);
444+ if (uint64p == NULL) {
445+ TALLOC_FREE(d);
446+ return NT_STATUS_NO_MEMORY;
447+ }
448+
449+ talloc_set_name(uint64p, "uint64_t *");
450+
451+ ret = dalloc_add(cmd_array, uint64p, uint64_t *);
452+ if (ret != 0) {
453+ TALLOC_FREE(d);
454+ return NT_STATUS_NO_MEMORY;
455+ }
456+
457+ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
458+ TALLOC_FREE(d);
459+ if (!NT_STATUS_IS_OK(status)) {
460+ return status;
461+ }
462+ return NT_STATUS_OK;
463+}
464+
465 NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
466 struct mdscli_search_ctx *search,
467 struct mdssvc_blob *blob)
468diff --git a/source3/rpc_client/cli_mdssvc_util.h b/source3/rpc_client/cli_mdssvc_util.h
469index 7a98c85..3f32475 100644
470--- a/source3/rpc_client/cli_mdssvc_util.h
471+++ b/source3/rpc_client/cli_mdssvc_util.h
472@@ -21,6 +21,10 @@
473 #ifndef _MDSCLI_UTIL_H_
474 #define _MDSCLI_UTIL_H_
475
476+NTSTATUS mdscli_blob_fetch_props(TALLOC_CTX *mem_ctx,
477+ struct mdscli_ctx *ctx,
478+ struct mdssvc_blob *blob);
479+
480 NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
481 struct mdscli_search_ctx *search,
482 struct mdssvc_blob *blob);
483--
4842.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0011.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0011.patch
new file mode 100644
index 0000000000..d2bef187f7
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0011.patch
@@ -0,0 +1,295 @@
1From 091b0265fe42878d676def5d4f5b4f8f3977b0e2 Mon Sep 17 00:00:00 2001
2From: Ralph Boehme <slow@samba.org>
3Date: Mon, 5 Jun 2023 18:02:20 +0200
4Subject: [PATCH] CVE-2023-34968: mdssvc: return a fake share path Instead of
5 returning the real server-side absolute path of shares and search results,
6 return a fake absolute path replacing the path of the share with the share
7 name, iow for a share "test" with a server-side path of "/foo/bar", we
8 previously returned
9
10 /foo/bar and
11 /foo/bar/search/result
12
13and now return
14
15 /test and
16 /test/search/result
17
18BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
19
20Signed-off-by: Ralph Boehme <slow@samba.org>
21Reviewed-by: Stefan Metzmacher <metze@samba.org>
22
23Upstream-Status: Backport [https://github.com/samba-team/samba/commit/091b0265fe42878d676def5d4f5b4f8f3977b0e2]
24
25CVE: CVE-2023-34968
26
27Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
28---
29 source3/lib/util_path.c | 52 ++++++++++++++++++++
30 source3/lib/util_path.h | 5 ++
31 source3/rpc_server/mdssvc/mdssvc.c | 60 +++++++++++++++++++++--
32 source3/rpc_server/mdssvc/mdssvc.h | 1 +
33 source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 17 +++++--
34 6 files changed, 128 insertions(+), 7 deletions(-)
35 mode change 100755 => 100644 source3/libads/ldap.c
36
37diff --git a/source3/lib/util_path.c b/source3/lib/util_path.c
38index c34b734..5b5a51c 100644
39--- a/source3/lib/util_path.c
40+++ b/source3/lib/util_path.c
41@@ -21,8 +21,10 @@
42 * along with this program. If not, see <http://www.gnu.org/licenses/>.
43 */
44
45+#include "includes.h"
46 #include "replace.h"
47 #include <talloc.h>
48+#include "lib/util/debug.h"
49 #include "lib/util/samba_util.h"
50 #include "lib/util_path.h"
51
52@@ -210,3 +212,53 @@ char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *pathname_in)
53 *p++ = '\0';
54 return pathname;
55 }
56+
57+/*
58+ * Take two absolute paths, figure out if "subdir" is a proper
59+ * subdirectory of "parent". Return the component relative to the
60+ * "parent" without the potential "/". Take care of "parent"
61+ * possibly ending in "/".
62+ */
63+bool subdir_of(const char *parent,
64+ size_t parent_len,
65+ const char *subdir,
66+ const char **_relative)
67+{
68+ const char *relative = NULL;
69+ bool matched;
70+
71+ SMB_ASSERT(parent[0] == '/');
72+ SMB_ASSERT(subdir[0] == '/');
73+
74+ if (parent_len == 1) {
75+ /*
76+ * Everything is below "/"
77+ */
78+ *_relative = subdir+1;
79+ return true;
80+ }
81+
82+ if (parent[parent_len-1] == '/') {
83+ parent_len -= 1;
84+ }
85+
86+ matched = (strncmp(subdir, parent, parent_len) == 0);
87+ if (!matched) {
88+ return false;
89+ }
90+
91+ relative = &subdir[parent_len];
92+
93+ if (relative[0] == '\0') {
94+ *_relative = relative; /* nothing left */
95+ return true;
96+ }
97+
98+ if (relative[0] == '/') {
99+ /* End of parent must match a '/' in subdir. */
100+ *_relative = relative+1;
101+ return true;
102+ }
103+
104+ return false;
105+}
106diff --git a/source3/lib/util_path.h b/source3/lib/util_path.h
107index 3e7d04d..6d2155a 100644
108--- a/source3/lib/util_path.h
109+++ b/source3/lib/util_path.h
110@@ -31,5 +31,10 @@ char *lock_path(TALLOC_CTX *mem_ctx, const char *name);
111 char *state_path(TALLOC_CTX *mem_ctx, const char *name);
112 char *cache_path(TALLOC_CTX *mem_ctx, const char *name);
113 char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *abs_path);
114+bool subdir_of(const char *parent,
115+ size_t parent_len,
116+ const char *subdir,
117+ const char **_relative);
118+
119
120 #endif
121diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
122index 19257e8..d442d8d 100644
123--- a/source3/rpc_server/mdssvc/mdssvc.c
124+++ b/source3/rpc_server/mdssvc/mdssvc.c
125@@ -520,11 +520,14 @@ static bool inode_map_add(struct sl_query *slq,
126 bool mds_add_result(struct sl_query *slq, const char *path)
127 {
128 struct smb_filename *smb_fname = NULL;
129+ char *fake_path = NULL;
130+ const char *relative = NULL;
131 struct stat_ex sb;
132 uint32_t attr;
133 uint64_t ino64;
134 int result;
135 NTSTATUS status;
136+ bool sub;
137 bool ok;
138
139 /*
140@@ -610,6 +613,17 @@ bool mds_add_result(struct sl_query *slq, const char *path)
141 }
142 }
143
144+ sub = subdir_of(slq->mds_ctx->spath,
145+ slq->mds_ctx->spath_len,
146+ path,
147+ &relative);
148+ if (!sub) {
149+ DBG_ERR("[%s] is not inside [%s]\n",
150+ path, slq->mds_ctx->spath);
151+ slq->state = SLQ_STATE_ERROR;
152+ return false;
153+ }
154+
155 /*
156 * Add inode number and filemeta to result set, this is what
157 * we return as part of the result set of a query
158@@ -622,18 +636,30 @@ bool mds_add_result(struct sl_query *slq, const char *path)
159 slq->state = SLQ_STATE_ERROR;
160 return false;
161 }
162+
163+ fake_path = talloc_asprintf(slq,
164+ "/%s/%s",
165+ slq->mds_ctx->sharename,
166+ relative);
167+ if (fake_path == NULL) {
168+ slq->state = SLQ_STATE_ERROR;
169+ return false;
170+ }
171+
172 ok = add_filemeta(slq->mds_ctx,
173 slq->reqinfo,
174 slq->query_results->fm_array,
175- path,
176+ fake_path,
177 &sb);
178 if (!ok) {
179 DBG_ERR("add_filemeta error\n");
180+ TALLOC_FREE(fake_path);
181 slq->state = SLQ_STATE_ERROR;
182 return false;
183 }
184
185- ok = inode_map_add(slq, ino64, path, &sb);
186+ ok = inode_map_add(slq, ino64, fake_path, &sb);
187+ TALLOC_FREE(fake_path);
188 if (!ok) {
189 DEBUG(1, ("inode_map_add error\n"));
190 slq->state = SLQ_STATE_ERROR;
191@@ -840,6 +866,32 @@ static void slq_close_timer(struct tevent_context *ev,
192 }
193 }
194
195+/**
196+ * Translate a fake scope from the client like /sharename/dir
197+ * to the real server-side path, replacing the "/sharename" part
198+ * with the absolute server-side path of the share.
199+ **/
200+static bool mdssvc_real_scope(struct sl_query *slq, const char *fake_scope)
201+{
202+ size_t sname_len = strlen(slq->mds_ctx->sharename);
203+ size_t fake_scope_len = strlen(fake_scope);
204+
205+ if (fake_scope_len < sname_len + 1) {
206+ DBG_ERR("Short scope [%s] for share [%s]\n",
207+ fake_scope, slq->mds_ctx->sharename);
208+ return false;
209+ }
210+
211+ slq->path_scope = talloc_asprintf(slq,
212+ "%s%s",
213+ slq->mds_ctx->spath,
214+ fake_scope + sname_len + 1);
215+ if (slq->path_scope == NULL) {
216+ return false;
217+ }
218+ return true;
219+}
220+
221 /**
222 * Begin a search query
223 **/
224@@ -946,8 +998,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
225 goto error;
226 }
227
228- slq->path_scope = talloc_strdup(slq, scope);
229- if (slq->path_scope == NULL) {
230+ ok = mdssvc_real_scope(slq, scope);
231+ if (!ok) {
232 goto error;
233 }
234
235diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
236index b3bd8b9..8434812 100644
237--- a/source3/rpc_server/mdssvc/mdssvc.h
238+++ b/source3/rpc_server/mdssvc/mdssvc.h
239@@ -127,6 +127,7 @@ struct mds_ctx {
240 int snum;
241 const char *sharename;
242 const char *spath;
243+ size_t spath_len;
244 struct connection_struct *conn;
245 struct sl_query *query_list; /* list of active queries */
246 struct db_context *ino_path_map; /* dbwrap rbt for storing inode->path mappings */
247diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
248index 59e2a97..b20bd2a 100644
249--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
250+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
251@@ -121,6 +121,7 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r)
252 loadparm_s3_global_substitution();
253 int snum;
254 char *outpath = discard_const_p(char, r->out.share_path);
255+ char *fake_path = NULL;
256 char *path;
257 NTSTATUS status;
258
259@@ -144,21 +145,31 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r)
260 return;
261 }
262
263+ fake_path = talloc_asprintf(p->mem_ctx, "/%s", r->in.share_name);
264+ if (fake_path == NULL) {
265+ DBG_ERR("Couldn't create fake share path for %s\n",
266+ r->in.share_name);
267+ talloc_free(path);
268+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
269+ return;
270+ }
271+
272 status = create_mdssvc_policy_handle(p->mem_ctx, p,
273 snum,
274 r->in.share_name,
275 path,
276 r->out.handle);
277 if (!NT_STATUS_IS_OK(status)) {
278- DBG_ERR("Couldn't create policy handle for %s\n",
279+ DBG_ERR("Couldn't create path for %s\n",
280 r->in.share_name);
281 talloc_free(path);
282+ talloc_free(fake_path);
283 p->fault_state = DCERPC_FAULT_CANT_PERFORM;
284 return;
285 }
286
287- strlcpy(outpath, path, 1024);
288- talloc_free(path);
289+ strlcpy(outpath, fake_path, 1024);
290+ talloc_free(fake_path);
291 return;
292 }
293
294--
2952.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index 73e8a82e89..aa27592cb0 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -38,6 +38,17 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
38 file://CVE-2022-2127.patch \ 38 file://CVE-2022-2127.patch \
39 file://CVE-2023-34967_0001.patch \ 39 file://CVE-2023-34967_0001.patch \
40 file://CVE-2023-34967_0002.patch \ 40 file://CVE-2023-34967_0002.patch \
41 file://CVE-2023-34968_0001.patch \
42 file://CVE-2023-34968_0002.patch \
43 file://CVE-2023-34968_0003.patch \
44 file://CVE-2023-34968_0004.patch \
45 file://CVE-2023-34968_0005.patch \
46 file://CVE-2023-34968_0006.patch \
47 file://CVE-2023-34968_0007.patch \
48 file://CVE-2023-34968_0008.patch \
49 file://CVE-2023-34968_0009.patch \
50 file://CVE-2023-34968_0010.patch \
51 file://CVE-2023-34968_0011.patch \
41 " 52 "
42 53
43SRC_URI:append:libc-musl = " \ 54SRC_URI:append:libc-musl = " \
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-25 23:27:01 +0000