CVE-2025-9640: s3/modules/vfs_streams_xattr fix unitialized write
authorAndrew Walker <andrew.walker@truenas.com>
Thu, 28 Aug 2025 19:36:19 +0000 (19:36 +0000)
committerJule Anger <janger@samba.org>
Tue, 14 Oct 2025 08:36:12 +0000 (10:36 +0200)
This commit fixes a situation in which vfs_streams_xattr could
write uninitialized memory into alternate data streams if the
user writes to an offset that is beyond the current end of file
to insert a hole in it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15885

Signed-off-by: Andrew Walker <andrew.walker@truenas.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
source3/modules/vfs_streams_xattr.c

index 03ff6147cb030bd56829670bbdc72f8c22fd5ba4..4fb4f42baa0c50cc0476b564bc59b633ea70d5df 100644 (file)
@@ -959,15 +959,18 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle,
 
         if ((offset + n) > ea.value.length-1) {
                uint8_t *tmp;
+               size_t new_sz = offset + n + 1;
 
                tmp = talloc_realloc(talloc_tos(), ea.value.data, uint8_t,
-                                          offset + n + 1);
+                                          new_sz);
 
                if (tmp == NULL) {
                        TALLOC_FREE(ea.value.data);
                         errno = ENOMEM;
                         return -1;
                 }
+
+               memset(tmp + ea.value.length, 0, new_sz - ea.value.length);
                ea.value.data = tmp;
                ea.value.length = offset + n + 1;
                ea.value.data[offset+n] = 0;
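Review bot: The added `memset(tmp + ea.value.length, 0, new_sz - ea.value.length)` is only correct while `new_sz` is larger than the old length, yet `ea.value.length = offset + n + 1;` two lines later still recomputes the size instead of reusing the new local. I would write `ea.value.length = new_sz;` so the allocation size, the zeroed range and the recorded length cannot drift apart in a later edit. A short comment above the memset would also help, for example `/* zero the hole and the trailing NUL so stale talloc memory never reaches the xattr */`. The types of `offset` and `n`, and any upper bound on `offset + n + 1`, are not visible in this hunk. It is worth confirming that a size-limit check runs before this block, since a wrapped sum would make `new_sz - ea.value.length` underflow. streams_xattr_pwrite starts and ends outside the hunk.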