From: Ralph Boehme <slow@samba.org>
Date: Mon, 19 Jun 2023 16:28:41 +0000 (+0200)
Subject: CVE-2023-34968: mdscli: remove response blob allocation
X-Git-Tag: samba-4.16.11~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=82cc2a422db8d4402378c2e6f1e138ff385b0f15;p=thirdparty%2Fsamba.git

CVE-2023-34968: mdscli: remove response blob allocation

This is handled by the NDR code transparently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---

diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c
index 82d14372fe4..07c19b51dd4 100644
--- a/source3/rpc_client/cli_mdssvc.c
+++ b/source3/rpc_client/cli_mdssvc.c
@@ -276,15 +276,6 @@ struct tevent_req *mdscli_search_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	state->response_blob.spotlight_blob = talloc_array(
-		state,
-		uint8_t,
-		mdscli_ctx->max_fragment_size);
-	if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
-		return tevent_req_post(req, ev);
-	}
-	state->response_blob.size = mdscli_ctx->max_fragment_size;
-
 	subreq = dcerpc_mdssvc_cmd_send(state,
 					ev,
 					mdscli_ctx->bh,
@@ -457,15 +448,6 @@ struct tevent_req *mdscli_get_results_send(
 		return tevent_req_post(req, ev);
 	}
 
-	state->response_blob.spotlight_blob = talloc_array(
-		state,
-		uint8_t,
-		mdscli_ctx->max_fragment_size);
-	if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
-		return tevent_req_post(req, ev);
-	}
-	state->response_blob.size = mdscli_ctx->max_fragment_size;
-
 	subreq = dcerpc_mdssvc_cmd_send(state,
 					ev,
 					mdscli_ctx->bh,
@@ -681,15 +663,6 @@ struct tevent_req *mdscli_get_path_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	state->response_blob.spotlight_blob = talloc_array(
-		state,
-		uint8_t,
-		mdscli_ctx->max_fragment_size);
-	if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
-		return tevent_req_post(req, ev);
-	}
-	state->response_blob.size = mdscli_ctx->max_fragment_size;
-
 	subreq = dcerpc_mdssvc_cmd_send(state,
 					ev,
 					mdscli_ctx->bh,
@@ -852,15 +825,6 @@ struct tevent_req *mdscli_close_search_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	state->response_blob.spotlight_blob = talloc_array(
-		state,
-		uint8_t,
-		mdscli_ctx->max_fragment_size);
-	if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
-		return tevent_req_post(req, ev);
-	}
-	state->response_blob.size = mdscli_ctx->max_fragment_size;
-
 	subreq = dcerpc_mdssvc_cmd_send(state,
 					ev,
 					mdscli_ctx->bh,