From 049c13245649fab412b61a5b55e5a7dea72d7c72 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Fri, 26 May 2023 15:06:38 +0200
Subject: [PATCH] CVE-2023-34967: mdssvc: add type checking to
dalloc_value_for_key()
Change the dalloc_value_for_key() function to require an additional final
argument which denotes the expected type of the value associated with a key. If
the types don't match, return NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
Signed-off-by: Ralph Boehme <slow@samba.org>
Upstream-Status: Backport [https://github.com/samba-team/samba/commit/4c60e35add4a1abd04334012a8d6edf1c3f396ba]
CVE: CVE-2023-34967
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
source3/rpc_server/mdssvc/dalloc.c | 14 ++++++++++----
source3/rpc_server/mdssvc/mdssvc.c | 17 +++++++++++++----
2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c
index 007702d..8b79b41 100644
--- a/source3/rpc_server/mdssvc/dalloc.c
+++ b/source3/rpc_server/mdssvc/dalloc.c
@@ -159,7 +159,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
int result = 0;
void *p = NULL;
va_list args;
- const char *type;
+ const char *type = NULL;
int elem;
size_t array_len;
@@ -170,7 +170,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
array_len = talloc_array_length(d->dd_talloc_array);
elem = va_arg(args, int);
if (elem >= array_len) {
- va_end(args);
result = -1;
goto done;
}
@@ -178,8 +177,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
type = va_arg(args, const char *);
}
- va_end(args);
-
array_len = talloc_array_length(d->dd_talloc_array);
for (elem = 0; elem + 1 < array_len; elem += 2) {
@@ -192,8 +189,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
break;
}
}
+ if (p == NULL) {
+ goto done;
+ }
+
+ type = va_arg(args, const char *);
+ if (strcmp(talloc_get_name(p), type) != 0) {
+ p = NULL;
+ }
done:
+ va_end(args);
if (result != 0) {
p = NULL;
}
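Review bot: The new `type = va_arg(args, const char *)` after the lookup loop is passed to `strcmp()` unchecked. Because the function is variadic, the compiler cannot flag a caller that still uses the old argument list; such a caller would read an argument that was never passed, which is undefined behaviour. The diffstat shows only call sites in mdssvc.c being updated, so it is worth grepping the tree (tests included) for any other `dalloc_value_for_key(` use before taking this backport. A cheap hardening is to fail closed on an explicit NULL, `if (type == NULL || strcmp(talloc_get_name(p), type) != 0) {`, and to add a comment above the function such as `/* The final variadic argument is the expected talloc type name of the value; returns NULL on mismatch. */`. The function's signature and the start of its body are outside this hunk.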
diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
index a983a88..fe6e0c2 100644
--- a/source3/rpc_server/mdssvc/mdssvc.c
+++ b/source3/rpc_server/mdssvc/mdssvc.c
@@ -884,7 +884,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0,
"DALLOC_CTX", 1,
- "kMDQueryString");
+ "kMDQueryString",
+ "char *");
if (querystring == NULL) {
DEBUG(1, ("missing kMDQueryString\n"));
goto error;
@@ -924,8 +925,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
slq->ctx2 = *uint64p;
path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,
- "DALLOC_CTX", 1, "kMDScopeArray");
+ "DALLOC_CTX", 1,
+ "kMDScopeArray",
+ "sl_array_t");
if (path_scope == NULL) {
+ DBG_ERR("missing kMDScopeArray\n");
goto error;
}
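Review bot: `DBG_ERR("missing kMDScopeArray\n")` now also fires when the key is present but its value is not an `sl_array_t`, because dalloc_value_for_key() returns NULL in both cases. The same holds for `kMDAttributeArray` in the next hunk and for the existing `missing kMDQueryString` message. When triaging logs for CVE-2023-34967, a type mismatch in a client-supplied request is the more useful signal, so wording such as `DBG_ERR("missing or wrong type for kMDScopeArray\n");` would be more accurate. The neighbouring kMDQueryString check logs with `DEBUG(1, ...)` while the new lines use `DBG_ERR`, which as far as I know logs at level 0; since a remote client can hit this path repeatedly, one consistent and lower level may be preferable. In the last hunk a wrong-typed `kMDQueryItemArray` is treated as absent with no log at all.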
@@ -940,8 +944,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
}
reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0,
- "DALLOC_CTX", 1, "kMDAttributeArray");
+ "DALLOC_CTX", 1,
+ "kMDAttributeArray",
+ "sl_array_t");
if (reqinfo == NULL) {
+ DBG_ERR("missing kMDAttributeArray\n");
goto error;
}
@@ -949,7 +956,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
DEBUG(10, ("requested attributes: %s", dalloc_dump(reqinfo, 0)));
cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
- "DALLOC_CTX", 1, "kMDQueryItemArray");
+ "DALLOC_CTX", 1,
+ "kMDQueryItemArray",
+ "sl_array_t");
if (cnids) {
ok = sort_cnids(slq, cnids->ca_cnids);
if (!ok) {
--
2.40.0