CVE-2025-9640: s3/modules/vfs_streams_xattr fix unitialized write
authorAndrew Walker <andrew.walker@truenas.com>
Thu, 28 Aug 2025 19:36:19 +0000 (19:36 +0000)
committerVolker Lendecke <vl@samba.org>
Thu, 16 Oct 2025 19:47:19 +0000 (19:47 +0000)
This commit fixes a situation in which vfs_streams_xattr could
write uninitialized memory into alternate data streams if the
user writes to an offset that is beyond the current end of file
to insert a hole in it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15885

Signed-off-by: Andrew Walker <andrew.walker@truenas.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Oct 16 19:47:19 UTC 2025 on atb-devel-224

source3/modules/vfs_streams_xattr.c

index 93044924b347b23f1ab270177fbe480613faab18..7ac67d3fb98317649cb8f9d9c2dc4bac743bba6c 100644 (file)
@@ -1051,15 +1051,18 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle,
 
         if ((offset + n) > ea.value.length-1) {
                uint8_t *tmp;
+               size_t new_sz = offset + n + 1;
 
                tmp = talloc_realloc(talloc_tos(), ea.value.data, uint8_t,
-                                          offset + n + 1);
+                                          new_sz);
 
                if (tmp == NULL) {
                        TALLOC_FREE(ea.value.data);
                         errno = ENOMEM;
                         return -1;
                 }
+
+               memset(tmp + ea.value.length, 0, new_sz - ea.value.length);
                ea.value.data = tmp;
                ea.value.length = offset + n + 1;
                ea.value.data[offset+n] = 0;
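Review bot: The line `ea.value.length = offset + n + 1;` after the new memset still repeats the expression that `new_sz` now holds; writing `ea.value.length = new_sz;` would keep the allocated size, the zeroed range and the recorded length tied to a single value. The memset already covers index `offset+n`, so the following `ea.value.data[offset+n] = 0;` is now redundant, and a short comment such as `/* talloc_realloc does not zero the grown tail; clear it so a hole never exposes heap contents */` would record why the memset must stay. The sum `offset + n + 1` is formed without any range check visible in this hunk; presumably an upper bound on the stream size is enforced earlier in streams_xattr_pwrite, whose body starts and ends outside the hunk, but that is worth confirming because the memset length `new_sz - ea.value.length` relies on the sum not wrapping.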