freebsd-ports/net/samba413/files/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch

From 88aff628e6ec80622e960796073775651f602134 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 20 Jun 2023 11:42:10 +0200
Subject: [PATCH 17/21] CVE-2023-34968: mdssvc: remove response blob allocation

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
index 40e37cb3b85..f89a187bd3f 100644
--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
@@ -208,7 +208,6 @@ void _mdssvc_unknown1(struct pipes_struct *p, struct mdssvc_unknown1 *r)
 void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
 {
 	bool ok;
-	char *rbuf;
 	struct mds_ctx *mds_ctx;
 	NTSTATUS status;
 
@@ -265,14 +264,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
 		return;
 	}
 
-	rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1);
-	if (rbuf == NULL) {
-		p->fault_state = DCERPC_FAULT_CANT_PERFORM;
-		return;
-	}
-	r->out.response_blob->spotlight_blob = (uint8_t *)rbuf;
-	r->out.response_blob->size = r->in.max_fragment_size1;
-
 	/* We currently don't use fragmentation at the mdssvc RPC layer */
 	*r->out.fragment = 0;
 
-- 
2.41.0