package/network/services/samba36/patches/029-CVE-2017-15275.patch

   1 From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
   2 From: Jeremy Allison <jra@samba.org>
   3 Date: Wed, 20 Sep 2017 11:04:50 -0700
   4 Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
   5  talloc buffer is grown.
   6
   7 Ensure we zero out unused grown area.
   8
   9 CVE-2017-15275
  10
  11 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
  12
  13 Signed-off-by: Jeremy Allison <jra@samba.org>
  14 ---
  15  source3/smbd/srvstr.c | 14 ++++++++++++++
  16  1 file changed, 14 insertions(+)
  17
  18 --- a/source3/smbd/srvstr.c
  19 +++ b/source3/smbd/srvstr.c
  20 @@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb
  21                 DEBUG(0, ("srvstr_push failed\n"));
  22                 return -1;
  23         }
  24 +
  25 +       /*
  26 +        * Ensure we clear out the extra data we have
  27 +        * grown the buffer by, but not written to.
  28 +        */
  29 +       if (buf_size + result < buf_size) {
  30 +               return -1;
  31 +       }
  32 +       if (grow_size < result) {
  33 +               return -1;
  34 +       }
  35 +
  36 +       memset(tmp + buf_size + result, '\0', grow_size - result);
  37 +
  38         set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
  39
  40         *outbuf = tmp;