From 5b4353cc60b75610f0aa12b1cced36d35a4d04d4 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Fri, 26 May 2023 15:06:38 +0200
Subject: [PATCH 07/25] CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()
Change the dalloc_value_for_key() function to require an additional final argument which denotes the expected type of the value associated with a key. If the types don't match, return NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
Signed-off-by: Ralph Boehme
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
---
 source3/rpc_server/mdssvc/dalloc.c | 14 ++++++++++----
 source3/rpc_server/mdssvc/mdssvc.c | 17 +++++++++++++----
 2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c
index 28944b8..908d54b 100644
--- a/source3/rpc_server/mdssvc/dalloc.c
+++ b/source3/rpc_server/mdssvc/dalloc.c
@@ -160,7 +160,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
 int result = 0;
 void *p = NULL;
 va_list args;
- const char *type;
+ const char *type = NULL;
 int elem;
 size_t array_len;
@@ -171,7 +171,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
 array_len = talloc_array_length(d->dd_talloc_array);
 elem = va_arg(args, int);
 if (elem >= array_len) {
- va_end(args);
 result = -1;
 goto done;
 }
@@ -179,8 +178,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
 type = va_arg(args, const char *);
 }
- va_end(args);
-
 array_len = talloc_array_length(d->dd_talloc_array);
 for (elem = 0; elem + 1 < array_len; elem += 2) {
@@ -193,8 +190,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
 break;
 }
 }
+ if (p == NULL) {
+ goto done;
+ }
+
+ type = va_arg(args, const char *);
+ if (strcmp(talloc_get_name(p), type) != 0) {
+ p = NULL;
+ }
 done:
+ va_end(args);
 if (result != 0) {
 p = NULL;
 }
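Review bot: The new `type = va_arg(args, const char *);` before the strcmp changes the variadic contract of dalloc_value_for_key(), but nothing in the function documents it, and because varargs are not compiler-checked a caller that still stops at the key name reads past its own arguments (undefined behaviour, and whatever garbage comes back is handed to strcmp) instead of failing. The prototype sits above the first hunk and the return below this one, so the header comment is the right place to state the contract, for example `/* Trailing arguments: zero or more ("DALLOC_CTX", index) pairs, the key name, then the talloc type name the value must carry; returns NULL when the key is absent, an index is out of range, or the type name does not match. */`. A caller that passes an explicit NULL type can at least be caught cheaply before the strcmp with `if (type == NULL) { p = NULL; goto done; }`. The match also relies on every stored value having been registered with the same dalloc type name the callers now pass; that is not visible here and is worth confirming at the dalloc_add() sites.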
diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
index 58a219b..dba7c3c 100644
--- a/source3/rpc_server/mdssvc/mdssvc.c
+++ b/source3/rpc_server/mdssvc/mdssvc.c
@@ -1198,7 +1198,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
 querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0, "DALLOC_CTX", 1,
- "kMDQueryString");
+ "kMDQueryString",
+ "char *");
 if (querystring == NULL) {
 DEBUG(1, ("missing kMDQueryString\n"));
 goto error;
@@ -1228,8 +1229,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
 slq->ctx2 = *uint64p;
 path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,
- "DALLOC_CTX", 1, "kMDScopeArray");
+ "DALLOC_CTX", 1,
+ "kMDScopeArray",
+ "sl_array_t");
 if (path_scope == NULL) {
+ DBG_ERR("missing kMDScopeArray\n");
 goto error;
 }
@@ -1253,8 +1257,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
 reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0,
- "DALLOC_CTX", 1, "kMDAttributeArray");
+ "DALLOC_CTX", 1,
+ "kMDAttributeArray",
+ "sl_array_t");
 if (reqinfo == NULL) {
+ DBG_ERR("missing kMDAttributeArray\n");
 goto error;
 }
@@ -1262,7 +1269,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
 DEBUG(10, ("requested attributes: %s", mds_dalloc_dump(reqinfo, 0)));
 cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
- "DALLOC_CTX", 1, "kMDQueryItemArray");
+ "DALLOC_CTX", 1,
+ "kMDQueryItemArray",
+ "sl_array_t");
 if (cnids) {
 ok = sort_cnids(slq, cnids->ca_cnids);
 if (!ok) {
--
2.27.0
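Review bot: The new `DBG_ERR("missing kMDScopeArray\n");` reports a NULL that, after this change, also covers the case where the key is present but its value does not carry the expected talloc type name, so the log under-describes what was rejected; the same holds for the new `DBG_ERR("missing kMDAttributeArray\n");` in the following hunk. Since these lines are what an operator will use to spot malformed client requests, I would word them `DBG_ERR("missing or mistyped kMDScopeArray\n");` and `DBG_ERR("missing or mistyped kMDAttributeArray\n");`. The kMDQueryString path in the first hunk still logs the same condition through `DEBUG(1, ("missing kMDQueryString\n"));`; switching it to DBG_ERR would keep the three failure paths consistent. slrpc_open_query starts and ends outside these hunks.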
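Review bot: The type name checked here, `"sl_array_t"`, has to be the talloc name of the object whose `ca_cnids` member is dereferenced on the next line; the declaration of cnids and the dalloc_add() site that stores the kMDQueryItemArray value are both outside this hunk, so I cannot confirm from this view that they agree. If they do not, every request that carries kMDQueryItemArray is now silently treated as if it had none, and the mismatch would not show up in any log because, unlike the other three lookups, this key is optional and a NULL takes the `if (cnids)` branch without a message. Please verify the declared type against the name passed here, and consider adding an else branch with a debug-level log so a present-but-mistyped item array is distinguishable from an absent one.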