sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Code

CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob

Browse Source 
d is talloc_free()d at the end of the functions and the buffer was later used
after beeing freed in the DCERPC layer when sending the packet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Ralph Boehme 2023-06-19 17:14:38 +02:00 committed by Jule Anger
parent 8c95f7ae6b
commit 3636b54616
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
source3/rpc_client/cli_mdssvc_util.c
View File

@ -209,7 +209,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
blob->spotlight_blob = talloc_array(d,
blob->spotlight_blob = talloc_array(mem_ctx,
uint8_t,
ctx->max_fragment_size);
if (blob->spotlight_blob == NULL) {
@ -293,7 +293,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
blob->spotlight_blob = talloc_array(d,
blob->spotlight_blob = talloc_array(mem_ctx,
uint8_t,
ctx->max_fragment_size);
if (blob->spotlight_blob == NULL) {
@ -426,7 +426,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
blob->spotlight_blob = talloc_array(d,
blob->spotlight_blob = talloc_array(mem_ctx,
uint8_t,
ctx->max_fragment_size);
if (blob->spotlight_blob == NULL) {
@ -510,7 +510,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
blob->spotlight_blob = talloc_array(d,
blob->spotlight_blob = talloc_array(mem_ctx,
uint8_t,
ctx->max_fragment_size);
if (blob->spotlight_blob == NULL) {