
CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()

Change the dalloc_value_for_key() function to require an additional final
argument which denotes the expected type of the value associated with a key. If
the types don't match, return NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341

Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme 2023-05-26 15:06:38 +02:00 committed by Jule Anger
parent 92d014bc44
commit 5b4353cc60
2 changed files with 23 additions and 8 deletions


@ -159,7 +159,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
int result = 0; int result = 0;
void *p = NULL; void *p = NULL;
va_list args; va_list args;
const char *type; const char *type = NULL;
int elem; int elem;
size_t array_len; size_t array_len;
@ -170,7 +170,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
array_len = talloc_array_length(d->dd_talloc_array); array_len = talloc_array_length(d->dd_talloc_array);
elem = va_arg(args, int); elem = va_arg(args, int);
if (elem >= array_len) { if (elem >= array_len) {
va_end(args);
result = -1; result = -1;
goto done; goto done;
} }
@ -178,8 +177,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
type = va_arg(args, const char *); type = va_arg(args, const char *);
} }
va_end(args);
array_len = talloc_array_length(d->dd_talloc_array); array_len = talloc_array_length(d->dd_talloc_array);
for (elem = 0; elem + 1 < array_len; elem += 2) { for (elem = 0; elem + 1 < array_len; elem += 2) {
@ -192,8 +189,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
break; break;
} }
} }
if (p == NULL) {
goto done;
}
type = va_arg(args, const char *);
if (strcmp(talloc_get_name(p), type) != 0) {
p = NULL;
}
done: done:
va_end(args);
if (result != 0) { if (result != 0) {
p = NULL; p = NULL;
} }
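Review bot: The new type check reads its expected type with `va_arg(args, const char *)` and passes it straight to `strcmp()`, so a call site that was not updated to pass the trailing type string, or that passes NULL, yields undefined behaviour instead of the intended NULL return. Since this comparison is what rejects a value of an unexpected type, I would make it fail closed with `if (type == NULL || strcmp(talloc_get_name(p), type) != 0) {` and add a comment above the function such as `/* The final variadic argument is mandatory: the talloc type name the value must have, e.g. "char *". */`. A NULL guard cannot detect an argument that is missing altogether, so every caller of dalloc_value_for_key() beyond the four updated in this commit should be audited as well. The function's signature and the key-lookup loop lie outside the visible hunks.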


@ -885,7 +885,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0, querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0,
"DALLOC_CTX", 1, "DALLOC_CTX", 1,
"kMDQueryString"); "kMDQueryString",
"char *");
if (querystring == NULL) { if (querystring == NULL) {
DEBUG(1, ("missing kMDQueryString\n")); DEBUG(1, ("missing kMDQueryString\n"));
goto error; goto error;
@ -925,8 +926,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
slq->ctx2 = *uint64p; slq->ctx2 = *uint64p;
path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0, path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,
"DALLOC_CTX", 1, "kMDScopeArray"); "DALLOC_CTX", 1,
"kMDScopeArray",
"sl_array_t");
if (path_scope == NULL) { if (path_scope == NULL) {
DBG_ERR("missing kMDScopeArray\n");
goto error; goto error;
} }
@ -947,8 +951,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
} }
reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0, reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0,
"DALLOC_CTX", 1, "kMDAttributeArray"); "DALLOC_CTX", 1,
"kMDAttributeArray",
"sl_array_t");
if (reqinfo == NULL) { if (reqinfo == NULL) {
DBG_ERR("missing kMDAttributeArray\n");
goto error; goto error;
} }
@ -956,7 +963,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
DEBUG(10, ("requested attributes: %s", dalloc_dump(reqinfo, 0))); DEBUG(10, ("requested attributes: %s", dalloc_dump(reqinfo, 0)));
cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0, cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
"DALLOC_CTX", 1, "kMDQueryItemArray"); "DALLOC_CTX", 1,
"kMDQueryItemArray",
"sl_array_t");
if (cnids) { if (cnids) {
ok = sort_cnids(slq, cnids->ca_cnids); ok = sort_cnids(slq, cnids->ca_cnids);
if (!ok) { if (!ok) {