1 files changed, 83 insertions, 0 deletions

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch
new file mode 100644
index 0000000000..308b441e95
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch
@@ -0,0 +1,83 @@
+From 353a9ccea6ff93ea2cd604dcc2b0372f056f819d Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 20 Jun 2023 11:28:47 +0200
+Subject: [PATCH] CVE-2023-34968: smbtorture: remove response blob allocation
+ in mdssvc.c
+
+This is alreay done by NDR for us.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/353a9ccea6ff93ea2cd604dcc2b0372f056f819d]
+
+CVE: CVE-2023-34968
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+
+---
+ source4/torture/rpc/mdssvc.c | 26 --------------------------
+ 1 file changed, 26 deletions(-)
+
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index 3689692f7de..a16bd5b47e3 100644
+--- a/source4/torture/rpc/mdssvc.c
++++ b/source4/torture/rpc/mdssvc.c
+@@ -536,13 +536,6 @@ static bool test_mdssvc_invalid_ph_cmd(struct torture_context *tctx,
+	request_blob.length = 0;
+	request_blob.size = 0;
+
+-	response_blob.spotlight_blob = talloc_array(state,
+-						    uint8_t,
+-						    0);
+-	torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
+-				     ok, done, "dalloc_zero failed\n");
+-	response_blob.size = 0;
+-
+	status =  dcerpc_mdssvc_cmd(b,
+				    state,
+				    &ph,
+@@ -632,13 +625,6 @@ static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
+	request_blob.size = sizeof(test_sl_unpack_loop_buf);
+	request_blob.length = sizeof(test_sl_unpack_loop_buf);
+
+-	response_blob.spotlight_blob = talloc_array(state,
+-						    uint8_t,
+-						    0);
+-	torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
+-				     ok, done, "dalloc_zero failed\n");
+-	response_blob.size = 0;
+-
+	status = dcerpc_mdssvc_cmd(b,
+				   state,
+				   &state->ph,
+@@ -764,11 +750,6 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx,
+	torture_assert_goto(tctx, request_blob.length > 0,
+			    ok, done, "sl_pack failed\n");
+
+-	response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
+-	torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
+-				     ok, done, "dalloc_zero failed\n");
+-	response_blob.size = 0;
+-
+	status = dcerpc_mdssvc_cmd(b,
+				   state,
+				   &state->ph,
+@@ -926,13 +907,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
+				     ret, done, "dalloc_zero failed\n");
+	request_blob.size = max_fragment_size;
+
+-	response_blob.spotlight_blob = talloc_array(state,
+-						    uint8_t,
+-						    max_fragment_size);
+-	torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
+-				     ret, done, "dalloc_zero failed\n");
+-	response_blob.size = max_fragment_size;
+-
+	len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
+	torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n");
+
+--
+2.40.0