freebsd-ports/net/samba413/files/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch

From 041ee143748bad9117112bcdd0200e1da9127034 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 20 Jun 2023 11:35:41 +0200
Subject: [PATCH 16/21] CVE-2023-34968: rpcclient: remove response blob
 allocation

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source3/rpcclient/cmd_spotlight.c | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c
index 661ada7efb8..a0a1d10c45f 100644
--- a/source3/rpcclient/cmd_spotlight.c
+++ b/source3/rpcclient/cmd_spotlight.c
@@ -144,13 +144,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
 	}
 	request_blob.size = max_fragment_size;
 
-	response_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size);
-	if (response_blob.spotlight_blob == NULL) {
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto done;
-	}
-	response_blob.size = max_fragment_size;
-
 	len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
 	if (len == -1) {
 		status = NT_STATUS_INTERNAL_ERROR;
@@ -368,15 +361,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
 	}
 	request_blob.size = max_fragment_size;
 
-	response_blob.spotlight_blob = talloc_array(mem_ctx,
-						    uint8_t,
-						    max_fragment_size);
-	if (response_blob.spotlight_blob == NULL) {
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto done;
-	}
-	response_blob.size = max_fragment_size;
-
 	len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
 	if (len == -1) {
 		status = NT_STATUS_INTERNAL_ERROR;
-- 
2.41.0