Diffstat (limited to 'meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch')
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch140
1 files changed, 140 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch
new file mode 100644
index 0000000000..a86d1729cf
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch
@@ -0,0 +1,140 @@
+From 10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 31 May 2023 15:34:26 +0200
+Subject: [PATCH] CVE-2023-34966: CI: test for sl_unpack_loop()
+
+Send a maliciously crafted packet where a nil type has a subcount of 0. This
+triggers an endless loop in mdssvc sl_unpack_loop().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9]
+
+CVE: CVE-2023-34966
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source4/torture/rpc/mdssvc.c | 100 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 100 insertions(+)
+
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index 2d2a8306412..a9956ef8f1d 100644
+--- a/source4/torture/rpc/mdssvc.c
++++ b/source4/torture/rpc/mdssvc.c
+@@ -581,6 +581,102 @@ done:
+ return ok;
+ }
+
++static uint8_t test_sl_unpack_loop_buf[] = {
++ 0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d,
++ 0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00,
++ 0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00,
++ 0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74,
++ 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a,
++ 0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72,
++ 0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74,
++ 0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea,
++ 0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00,
++ 0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00,
++ 0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00,
++ 0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50,
++ 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00,
++ 0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00,
++ 0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b,
++ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00,
++ 0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
++ 0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
++ 0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00,
++ 0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00,
++ 0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00,
++ 0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00
++};
++
++static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
++ void *data)
++{
++ struct torture_mdsscv_state *state = talloc_get_type_abort(
++ data, struct torture_mdsscv_state);
++ struct dcerpc_binding_handle *b = state->p->binding_handle;
++ struct mdssvc_blob request_blob;
++ struct mdssvc_blob response_blob;
++ uint32_t device_id;
++ uint32_t unkn2;
++ uint32_t unkn9;
++ uint32_t fragment;
++ uint32_t flags;
++ NTSTATUS status;
++ bool ok = true;
++
++ device_id = UINT32_C(0x2f000045);
++ unkn2 = 23;
++ unkn9 = 0;
++ fragment = 0;
++ flags = UINT32_C(0x6b000001);
++
++ request_blob.spotlight_blob = test_sl_unpack_loop_buf;
++ request_blob.size = sizeof(test_sl_unpack_loop_buf);
++ request_blob.length = sizeof(test_sl_unpack_loop_buf);
++
++ response_blob.spotlight_blob = talloc_array(state,
++ uint8_t,
++ 0);
++ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
++ ok, done, "dalloc_zero failed\n");
++ response_blob.size = 0;
++
++ status = dcerpc_mdssvc_cmd(b,
++ state,
++ &state->ph,
++ 0,
++ device_id,
++ unkn2,
++ 0,
++ flags,
++ request_blob,
++ 0,
++ 64 * 1024,
++ 1,
++ 64 * 1024,
++ 0,
++ 0,
++ &fragment,
++ &response_blob,
++ &unkn9);
++ torture_assert_ntstatus_ok_goto(
++ tctx, status, ok, done,
++ "dcerpc_mdssvc_unknown1 failed\n");
++
++done:
++ return ok;
++}
++
+ static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
+ void *data)
+ {
+@@ -856,5 +952,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
+ "fetch_unknown_cnid",
+ test_mdssvc_fetch_attr_unknown_cnid);
+
++ torture_tcase_add_simple_test(tcase,
++ "mdssvc_sl_unpack_loop",
++ test_mdssvc_sl_unpack_loop);
++
+ return suite;
+ }
+--
+2.40.0
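Review bot: The two assertion messages in test_mdssvc_sl_unpack_loop() name the wrong calls: the talloc_array() check reports `"dalloc_zero failed\n"` and the dcerpc_mdssvc_cmd() check reports `"dcerpc_mdssvc_unknown1 failed\n"`, which would mislead anyone triaging a failure of this CVE-2023-34966 regression test; `"talloc_array failed\n"` and `"dcerpc_mdssvc_cmd failed\n"` match the code. The only assertion is that the RPC returns an OK status, so against a server without the fix the endless loop would presumably surface as a hang or client timeout rather than a failed assert; a comment above the call such as `/* CVE-2023-34966: an unfixed server loops in sl_unpack_loop(); expect a timeout, not an assert failure */` would make that dependency on the harness explicit. test_sl_unpack_loop_buf also carries no comment marking which element is the nil type with a subcount of 0 that the commit message describes, so the next reader has to decode the blob by hand. This file adds only the torture test; the sl_unpack_loop() fix itself is not in this hunk, so it is worth confirming that the companion patch of the series is listed in the recipe alongside this one.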