1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
From 353a9ccea6ff93ea2cd604dcc2b0372f056f819d Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 20 Jun 2023 11:28:47 +0200
Subject: [PATCH] CVE-2023-34968: smbtorture: remove response blob allocation
in mdssvc.c
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Upstream-Status: Backport [https://github.com/samba-team/samba/commit/353a9ccea6ff93ea2cd604dcc2b0372f056f819d]
CVE: CVE-2023-34968
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
source4/torture/rpc/mdssvc.c | 26 --------------------------
1 file changed, 26 deletions(-)
diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
index 3689692f7de..a16bd5b47e3 100644
--- a/source4/torture/rpc/mdssvc.c
+++ b/source4/torture/rpc/mdssvc.c
@@ -536,13 +536,6 @@ static bool test_mdssvc_invalid_ph_cmd(struct torture_context *tctx,
request_blob.length = 0;
request_blob.size = 0;
- response_blob.spotlight_blob = talloc_array(state,
- uint8_t,
- 0);
- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
- ok, done, "dalloc_zero failed\n");
- response_blob.size = 0;
-
status = dcerpc_mdssvc_cmd(b,
state,
&ph,
@@ -632,13 +625,6 @@ static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
request_blob.size = sizeof(test_sl_unpack_loop_buf);
request_blob.length = sizeof(test_sl_unpack_loop_buf);
- response_blob.spotlight_blob = talloc_array(state,
- uint8_t,
- 0);
- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
- ok, done, "dalloc_zero failed\n");
- response_blob.size = 0;
-
status = dcerpc_mdssvc_cmd(b,
state,
&state->ph,
@@ -764,11 +750,6 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx,
torture_assert_goto(tctx, request_blob.length > 0,
ok, done, "sl_pack failed\n");
- response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
- ok, done, "dalloc_zero failed\n");
- response_blob.size = 0;
-
status = dcerpc_mdssvc_cmd(b,
state,
&state->ph,
@@ -926,13 +907,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
ret, done, "dalloc_zero failed\n");
request_blob.size = max_fragment_size;
- response_blob.spotlight_blob = talloc_array(state,
- uint8_t,
- max_fragment_size);
- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
- ret, done, "dalloc_zero failed\n");
- response_blob.size = max_fragment_size;
-
len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n");
--
2.40.0
|
