From: Stefan Metzmacher
Date: Fri, 26 Jun 2015 06:10:46 +0000 (+0200)
Subject: CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
X-Git-Tag: samba-4.2.10~65
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec8b2a33cf8eb2a9d4a4316f7cb461f43db8c9a3;p=thirdparty%2Fsamba.git

CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---

diff --git a/source4/rpc_server/common/reply.c b/source4/rpc_server/common/reply.c
index 322138c75e6..5d76f4c1749 100644
--- a/source4/rpc_server/common/reply.c
+++ b/source4/rpc_server/common/reply.c
@@ -101,10 +101,10 @@ NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code)
 {
  struct ncacn_packet pkt;
  struct data_blob_list_item *rep;
- uint8_t zeros[4];
+ static const uint8_t zeros[4] = { 0, };
  NTSTATUS status;

- /* setup a bind_ack */
+ /* setup a fault */
  dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
  pkt.auth_length = 0;
  pkt.call_id = call->pkt.call_id;
@@ -114,8 +114,6 @@ NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code)
  pkt.u.fault.context_id = 0;
  pkt.u.fault.cancel_count = 0;
  pkt.u.fault.status = fault_code;
-
- ZERO_STRUCT(zeros);
  pkt.u.fault._pad = data_blob_const(zeros, sizeof(zeros));

  rep = talloc_zero(call, struct data_blob_list_item);
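Review bot: The new `static const uint8_t zeros[4] = { 0, };` declaration in the first hunk (`@@ -101,10 +101,10 @@`) has no comment explaining why the padding buffer now has static storage, and neither the hunk nor the commit message gives the reason. `data_blob_const()` wraps the pointer without copying, so `pkt.u.fault._pad` only borrows `zeros`, and a read-only buffer with static lifetime stays valid however long the blob is referenced. I would add `/* _pad only references this buffer (data_blob_const() does not copy), so keep it read-only with static lifetime */` above the declaration. The body of dcesrv_fault() continues past both hunks, so whether `pkt` is fully consumed before the function returns cannot be confirmed from here.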