From: Ralph Boehme <slow@samba.org>
Date: Tue, 20 Jun 2023 09:35:41 +0000 (+0200)
Subject: CVE-2023-34968: rpcclient: remove response blob allocation
X-Git-Tag: samba-4.16.11~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=739f72a07032da15b3a74a8b96959300d555e836;p=thirdparty%2Fsamba.git

CVE-2023-34968: rpcclient: remove response blob allocation

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---

diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c
index 24db9893df6..64fe321089c 100644
--- a/source3/rpcclient/cmd_spotlight.c
+++ b/source3/rpcclient/cmd_spotlight.c
@@ -144,13 +144,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
 	}
 	request_blob.size = max_fragment_size;
 
-	response_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size);
-	if (response_blob.spotlight_blob == NULL) {
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto done;
-	}
-	response_blob.size = max_fragment_size;
-
 	len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
 	if (len == -1) {
 		status = NT_STATUS_INTERNAL_ERROR;
@@ -368,15 +361,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
 	}
 	request_blob.size = max_fragment_size;
 
-	response_blob.spotlight_blob = talloc_array(mem_ctx,
-						    uint8_t,
-						    max_fragment_size);
-	if (response_blob.spotlight_blob == NULL) {
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto done;
-	}
-	response_blob.size = max_fragment_size;
-
 	len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
 	if (len == -1) {
 		status = NT_STATUS_INTERNAL_ERROR;