forked from Lainports/freebsd-ports
fe49557452
The security defects addressed in these fixes are described at https://www.samba.org/samba/history/samba-4.16.11.html PR: 273595 Approved by: maintainer timeout
60 lines
2 KiB
Diff
60 lines
2 KiB
Diff
From 78131d2a8e5c9cfd054bcaa5754df11875d5b331 Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Mon, 19 Jun 2023 17:14:38 +0200
|
|
Subject: [PATCH 13/21] CVE-2023-34968: mdscli: use correct TALLOC memory
|
|
context when allocating spotlight_blob
|
|
|
|
d is talloc_free()d at the end of the functions and the buffer was later used
|
|
after beeing freed in the DCERPC layer when sending the packet.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/rpc_client/cli_mdssvc_util.c | 8 ++++----
|
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
|
|
index fe5092c3790..892a844e71a 100644
|
|
--- a/source3/rpc_client/cli_mdssvc_util.c
|
|
+++ b/source3/rpc_client/cli_mdssvc_util.c
|
|
@@ -209,7 +209,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
- blob->spotlight_blob = talloc_array(d,
|
|
+ blob->spotlight_blob = talloc_array(mem_ctx,
|
|
uint8_t,
|
|
ctx->max_fragment_size);
|
|
if (blob->spotlight_blob == NULL) {
|
|
@@ -293,7 +293,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
- blob->spotlight_blob = talloc_array(d,
|
|
+ blob->spotlight_blob = talloc_array(mem_ctx,
|
|
uint8_t,
|
|
ctx->max_fragment_size);
|
|
if (blob->spotlight_blob == NULL) {
|
|
@@ -426,7 +426,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
- blob->spotlight_blob = talloc_array(d,
|
|
+ blob->spotlight_blob = talloc_array(mem_ctx,
|
|
uint8_t,
|
|
ctx->max_fragment_size);
|
|
if (blob->spotlight_blob == NULL) {
|
|
@@ -510,7 +510,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
- blob->spotlight_blob = talloc_array(d,
|
|
+ blob->spotlight_blob = talloc_array(mem_ctx,
|
|
uint8_t,
|
|
ctx->max_fragment_size);
|
|
if (blob->spotlight_blob == NULL) {
|
|
--
|
|
2.41.0
|
|
|