forked from Lainports/freebsd-ports
fe49557452
The security defects addressed in these fixes are described at https://www.samba.org/samba/history/samba-4.16.11.html PR: 273595 Approved by: maintainer timeout
77 lines
2.6 KiB
Diff
77 lines
2.6 KiB
Diff
From d4ba49e029be14287661d4c7a6899b50d3881f7b Mon Sep 17 00:00:00 2001
|
|
From: Ralph Boehme <slow@samba.org>
|
|
Date: Tue, 20 Jun 2023 11:28:47 +0200
|
|
Subject: [PATCH 15/21] CVE-2023-34968: smbtorture: remove response blob
|
|
allocation in mdssvc.c
|
|
|
|
This is alreay done by NDR for us.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
|
|
|
|
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source4/torture/rpc/mdssvc.c | 26 --------------------------
|
|
1 file changed, 26 deletions(-)
|
|
|
|
diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
|
|
index 20b903f93fa..76a740c41db 100644
|
|
--- a/source4/torture/rpc/mdssvc.c
|
|
+++ b/source4/torture/rpc/mdssvc.c
|
|
@@ -537,13 +537,6 @@ static bool test_mdssvc_invalid_ph_cmd(struct torture_context *tctx,
|
|
request_blob.length = 0;
|
|
request_blob.size = 0;
|
|
|
|
- response_blob.spotlight_blob = talloc_array(state,
|
|
- uint8_t,
|
|
- 0);
|
|
- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
|
|
- ok, done, "dalloc_zero failed\n");
|
|
- response_blob.size = 0;
|
|
-
|
|
status = dcerpc_mdssvc_cmd(b,
|
|
state,
|
|
&ph,
|
|
@@ -633,13 +626,6 @@ static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
|
|
request_blob.size = sizeof(test_sl_unpack_loop_buf);
|
|
request_blob.length = sizeof(test_sl_unpack_loop_buf);
|
|
|
|
- response_blob.spotlight_blob = talloc_array(state,
|
|
- uint8_t,
|
|
- 0);
|
|
- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
|
|
- ok, done, "dalloc_zero failed\n");
|
|
- response_blob.size = 0;
|
|
-
|
|
status = dcerpc_mdssvc_cmd(b,
|
|
state,
|
|
&state->ph,
|
|
@@ -765,11 +751,6 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx,
|
|
torture_assert_goto(tctx, request_blob.length > 0,
|
|
ok, done, "sl_pack failed\n");
|
|
|
|
- response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
|
|
- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
|
|
- ok, done, "dalloc_zero failed\n");
|
|
- response_blob.size = 0;
|
|
-
|
|
status = dcerpc_mdssvc_cmd(b,
|
|
state,
|
|
&state->ph,
|
|
@@ -927,13 +908,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
|
|
ret, done, "dalloc_zero failed\n");
|
|
request_blob.size = max_fragment_size;
|
|
|
|
- response_blob.spotlight_blob = talloc_array(state,
|
|
- uint8_t,
|
|
- max_fragment_size);
|
|
- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
|
|
- ret, done, "dalloc_zero failed\n");
|
|
- response_blob.size = max_fragment_size;
|
|
-
|
|
len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
|
|
torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n");
|
|
|
|
--
|
|
2.41.0
|
|
|