src/patches/samba/CVE-2017-15275.patch

   1 From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
   2 From: Jeremy Allison <jra@samba.org>
   3 Date: Wed, 20 Sep 2017 11:04:50 -0700
   4 Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
   5  talloc buffer is grown.
   6
   7 Ensure we zero out unused grown area.
   8
   9 CVE-2017-15275
  10
  11 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
  12
  13 Signed-off-by: Jeremy Allison <jra@samba.org>
  14 ---
  15  source3/smbd/srvstr.c | 14 ++++++++++++++
  16  1 file changed, 14 insertions(+)
  17
  18 diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
  19 index 56dceba8c6c..c2d70b32c32 100644
  20 --- a/source3/smbd/srvstr.c
  21 +++ b/source3/smbd/srvstr.c
  22 @@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
  23                 DEBUG(0, ("srvstr_push failed\n"));
  24                 return -1;
  25         }
  26 +
  27 +       /*
  28 +        * Ensure we clear out the extra data we have
  29 +        * grown the buffer by, but not written to.
  30 +        */
  31 +       if (buf_size + result < buf_size) {
  32 +               return -1;
  33 +       }
  34 +       if (grow_size < result) {
  35 +               return -1;
  36 +       }
  37 +
  38 +       memset(tmp + buf_size + result, '\0', grow_size - result);
  39 +
  40         set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
  41
  42         *outbuf = tmp;
  43 --
  44 2.11.0
  45