From 34f9f1b37ec07a4f233fe90a0e97ce504e0cdffb Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Tue, 20 Jun 2023 11:42:10 +0200
Subject: [PATCH] CVE-2023-34968: mdssvc: remove response blob allocation

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
---
 source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
index 2fca15cb8a8..2fec2bb6725 100644
--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
@@ -164,7 +164,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
 struct auth_session_info *session_info =
 dcesrv_call_session_info(dce_call);
 bool ok;
- char *rbuf;
 struct mds_ctx *mds_ctx;
 NTSTATUS status;

@@ -221,14 +220,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
 return;
 }

- rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1);
- if (rbuf == NULL) {
- p->fault_state = DCERPC_FAULT_CANT_PERFORM;
- return;
- }
- r->out.response_blob->spotlight_blob = (uint8_t *)rbuf;
- r->out.response_blob->size = r->in.max_fragment_size1;
-
 /* We currently don't use fragmentation at the mdssvc RPC layer */
 *r->out.fragment = 0;

--
2.47.2