1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

CVE-2023-34968: mdssvc: remove response blob allocation

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Ralph Boehme 2023-06-20 11:42:10 +02:00 committed by Jule Anger
parent 739f72a070
commit 34f9f1b37e

View File

@ -164,7 +164,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
struct auth_session_info *session_info = struct auth_session_info *session_info =
dcesrv_call_session_info(dce_call); dcesrv_call_session_info(dce_call);
bool ok; bool ok;
char *rbuf;
struct mds_ctx *mds_ctx; struct mds_ctx *mds_ctx;
NTSTATUS status; NTSTATUS status;
@ -221,14 +220,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
return; return;
} }
rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1);
if (rbuf == NULL) {
p->fault_state = DCERPC_FAULT_CANT_PERFORM;
return;
}
r->out.response_blob->spotlight_blob = (uint8_t *)rbuf;
r->out.response_blob->size = r->in.max_fragment_size1;
/* We currently don't use fragmentation at the mdssvc RPC layer */ /* We currently don't use fragmentation at the mdssvc RPC layer */
*r->out.fragment = 0; *r->out.fragment = 0;