CVE-2023-34968: mdssvc: remove response blob allocation
authorRalph Boehme <slow@samba.org>
Tue, 20 Jun 2023 09:42:10 +0000 (11:42 +0200)
committerJule Anger <janger@samba.org>
Fri, 14 Jul 2023 13:12:34 +0000 (15:12 +0200)
This is already done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/rpc_server/mdssvc/srv_mdssvc_nt.c

index 2fca15cb8a8dde732bc389def8ac22c5eb32b645..2fec2bb67251b14c64a6ad7be125bfccaf9f2cb9 100644 (file)
@@ -164,7 +164,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
        struct auth_session_info *session_info =
                dcesrv_call_session_info(dce_call);
        bool ok;
-       char *rbuf;
        struct mds_ctx *mds_ctx;
        NTSTATUS status;
 
@@ -221,14 +220,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
                return;
        }
 
-       rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1);
-       if (rbuf == NULL) {
-               p->fault_state = DCERPC_FAULT_CANT_PERFORM;
-               return;
-       }
-       r->out.response_blob->spotlight_blob = (uint8_t *)rbuf;
-       r->out.response_blob->size = r->in.max_fragment_size1;
-
        /* We currently don't use fragmentation at the mdssvc RPC layer */
        *r->out.fragment = 0;