48 lines
1.5 KiB
Diff
48 lines
1.5 KiB
Diff
From cc593a6ac531f02f2fe70fd4f7dfe649a02f9206 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Tue, 20 Jun 2023 11:42:10 +0200
|
|
Subject: [PATCH 13/28] CVE-2023-34968: mdssvc: remove response blob allocation
|
|
|
|
This is alreay done by NDR for us.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
|
|
Conflict: NA
|
|
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.17.10-security-2023-07-19.patch
|
|
---
|
|
source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 9 ---------
|
|
1 file changed, 9 deletions(-)
|
|
|
|
diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
|
|
index 2fca15cb8a8..2fec2bb6725 100644
|
|
--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
|
|
+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
|
|
@@ -164,7 +164,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
|
|
struct auth_session_info *session_info =
|
|
dcesrv_call_session_info(dce_call);
|
|
bool ok;
|
|
- char *rbuf;
|
|
struct mds_ctx *mds_ctx;
|
|
NTSTATUS status;
|
|
|
|
@@ -221,14 +220,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
|
|
return;
|
|
}
|
|
|
|
- rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1);
|
|
- if (rbuf == NULL) {
|
|
- p->fault_state = DCERPC_FAULT_CANT_PERFORM;
|
|
- return;
|
|
- }
|
|
- r->out.response_blob->spotlight_blob = (uint8_t *)rbuf;
|
|
- r->out.response_blob->size = r->in.max_fragment_size1;
|
|
-
|
|
/* We currently don't use fragmentation at the mdssvc RPC layer */
|
|
*r->out.fragment = 0;
|
|
|
|
--
|
|
2.34.1
|