mirror of
https://github.com/samba-team/samba.git
synced 2024-12-31 17:18:04 +03:00
CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob
d is talloc_free()d at the end of the functions and the buffer was later used after beeing freed in the DCERPC layer when sending the packet. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
parent
8c95f7ae6b
commit
3636b54616
@ -209,7 +209,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
blob->spotlight_blob = talloc_array(d,
|
||||
blob->spotlight_blob = talloc_array(mem_ctx,
|
||||
uint8_t,
|
||||
ctx->max_fragment_size);
|
||||
if (blob->spotlight_blob == NULL) {
|
||||
@ -293,7 +293,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
blob->spotlight_blob = talloc_array(d,
|
||||
blob->spotlight_blob = talloc_array(mem_ctx,
|
||||
uint8_t,
|
||||
ctx->max_fragment_size);
|
||||
if (blob->spotlight_blob == NULL) {
|
||||
@ -426,7 +426,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
blob->spotlight_blob = talloc_array(d,
|
||||
blob->spotlight_blob = talloc_array(mem_ctx,
|
||||
uint8_t,
|
||||
ctx->max_fragment_size);
|
||||
if (blob->spotlight_blob == NULL) {
|
||||
@ -510,7 +510,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
blob->spotlight_blob = talloc_array(d,
|
||||
blob->spotlight_blob = talloc_array(mem_ctx,
|
||||
uint8_t,
|
||||
ctx->max_fragment_size);
|
||||
if (blob->spotlight_blob == NULL) {
|
||||
|
Loading…
Reference in New Issue
Block a user