1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

CVE-2023-34966: CI: test for sl_unpack_loop()

Send a maliciously crafted packet where a nil type has a subcount of 0. This
triggers an endless loop in mdssvc sl_unpack_loop().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340

Signed-off-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
Ralph Boehme 2023-05-31 15:34:26 +02:00 committed by Jule Anger
parent e067c523b1
commit 10b6890d26

View File

@ -581,6 +581,102 @@ done:
return ok;
}
static uint8_t test_sl_unpack_loop_buf[] = {
0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d,
0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00,
0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00,
0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74,
0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a,
0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72,
0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74,
0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea,
0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00,
0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00,
0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50,
0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00,
0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00,
0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00,
0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00,
0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00
};
static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
void *data)
{
struct torture_mdsscv_state *state = talloc_get_type_abort(
data, struct torture_mdsscv_state);
struct dcerpc_binding_handle *b = state->p->binding_handle;
struct mdssvc_blob request_blob;
struct mdssvc_blob response_blob;
uint32_t device_id;
uint32_t unkn2;
uint32_t unkn9;
uint32_t fragment;
uint32_t flags;
NTSTATUS status;
bool ok = true;
device_id = UINT32_C(0x2f000045);
unkn2 = 23;
unkn9 = 0;
fragment = 0;
flags = UINT32_C(0x6b000001);
request_blob.spotlight_blob = test_sl_unpack_loop_buf;
request_blob.size = sizeof(test_sl_unpack_loop_buf);
request_blob.length = sizeof(test_sl_unpack_loop_buf);
response_blob.spotlight_blob = talloc_array(state,
uint8_t,
0);
torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
ok, done, "dalloc_zero failed\n");
response_blob.size = 0;
status = dcerpc_mdssvc_cmd(b,
state,
&state->ph,
0,
device_id,
unkn2,
0,
flags,
request_blob,
0,
64 * 1024,
1,
64 * 1024,
0,
0,
&fragment,
&response_blob,
&unkn9);
torture_assert_ntstatus_ok_goto(
tctx, status, ok, done,
"dcerpc_mdssvc_unknown1 failed\n");
done:
return ok;
}
static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
void *data)
{
@ -856,5 +952,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
"fetch_unknown_cnid",
test_mdssvc_fetch_attr_unknown_cnid);
torture_tcase_add_simple_test(tcase,
"mdssvc_sl_unpack_loop",
test_mdssvc_sl_unpack_loop);
return suite;
}