From 3636b54616ee63e17d8571af610a0e21d667b592 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Mon, 19 Jun 2023 17:14:38 +0200
Subject: [PATCH] CVE-2023-34968: mdscli: use correct TALLOC memory context
 when allocating spotlight_blob

d is talloc_free()d at the end of the functions and the buffer was later used
after beeing freed in the DCERPC layer when sending the packet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source3/rpc_client/cli_mdssvc_util.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
index fe5092c3790..892a844e71a 100644
--- a/source3/rpc_client/cli_mdssvc_util.c
+++ b/source3/rpc_client/cli_mdssvc_util.c
@@ -209,7 +209,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	blob->spotlight_blob = talloc_array(d,
+	blob->spotlight_blob = talloc_array(mem_ctx,
 					    uint8_t,
 					    ctx->max_fragment_size);
 	if (blob->spotlight_blob == NULL) {
@@ -293,7 +293,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	blob->spotlight_blob = talloc_array(d,
+	blob->spotlight_blob = talloc_array(mem_ctx,
 					    uint8_t,
 					    ctx->max_fragment_size);
 	if (blob->spotlight_blob == NULL) {
@@ -426,7 +426,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	blob->spotlight_blob = talloc_array(d,
+	blob->spotlight_blob = talloc_array(mem_ctx,
 					    uint8_t,
 					    ctx->max_fragment_size);
 	if (blob->spotlight_blob == NULL) {
@@ -510,7 +510,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	blob->spotlight_blob = talloc_array(d,
+	blob->spotlight_blob = talloc_array(mem_ctx,
 					    uint8_t,
 					    ctx->max_fragment_size);
 	if (blob->spotlight_blob == NULL) {