blob: 881a76c66c55153df283c56a30764fd8d8e6ebfb (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From 88aff628e6ec80622e960796073775651f602134 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 20 Jun 2023 11:42:10 +0200
Subject: [PATCH 17/21] CVE-2023-34968: mdssvc: remove response blob allocation
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
index 40e37cb3b85..f89a187bd3f 100644
--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
@@ -208,7 +208,6 @@ void _mdssvc_unknown1(struct pipes_struct *p, struct mdssvc_unknown1 *r)
void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
{
bool ok;
- char *rbuf;
struct mds_ctx *mds_ctx;
NTSTATUS status;
@@ -265,14 +264,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
return;
}
- rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1);
- if (rbuf == NULL) {
- p->fault_state = DCERPC_FAULT_CANT_PERFORM;
- return;
- }
- r->out.response_blob->spotlight_blob = (uint8_t *)rbuf;
- r->out.response_blob->size = r->in.max_fragment_size1;
-
/* We currently don't use fragmentation at the mdssvc RPC layer */
*r->out.fragment = 0;
--
2.41.0
|
