From: Andrew Walker Date: Thu, 28 Aug 2025 19:36:19 +0000 (+0000) Subject: CVE-2025-9640: s3/modules/vfs_streams_xattr fix unitialized write X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1e899521e821f2ee4cbb93f6a3befd37f5ba0403;p=thirdparty%2Fsamba.git CVE-2025-9640: s3/modules/vfs_streams_xattr fix unitialized write This commit fixes a situation in which vfs_streams_xattr could write unitialized memory into alternate data streams if the user writes to an offset that is beyond the current end of file to insert a hole in it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15885 Signed-off-by: Andrew Walker Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Thu Oct 16 19:47:19 UTC 2025 on atb-devel-224 --- diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c index 93044924b34..7ac67d3fb98 100644 --- a/source3/modules/vfs_streams_xattr.c +++ b/source3/modules/vfs_streams_xattr.c @@ -1051,15 +1051,18 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle, if ((offset + n) > ea.value.length-1) { uint8_t *tmp; + size_t new_sz = offset + n + 1; tmp = talloc_realloc(talloc_tos(), ea.value.data, uint8_t, - offset + n + 1); + new_sz); if (tmp == NULL) { TALLOC_FREE(ea.value.data); errno = ENOMEM; return -1; } + + memset(tmp + ea.value.length, 0, new_sz - ea.value.length); ea.value.data = tmp; ea.value.length = offset + n + 1; ea.value.data[offset+n] = 0;
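Review bot: After the new memset, `ea.value.length = offset + n + 1;` still recomputes the size instead of reusing `new_sz`, so the allocation size, the zero-fill length and the stored length can drift apart in a later edit; assign `ea.value.length = new_sz;` instead. The memset length `new_sz - ea.value.length` cannot underflow only because of the enclosing `(offset + n) > ea.value.length-1` guard, and nothing visible in this hunk checks that `offset + n + 1` is computed without wrapping, so either add that check before the `talloc_realloc` call or add a comment pointing at where `offset` and `n` are bounded. A one-line comment above the memset saying that it zeroes the hole between the old end of the stream and `offset` would help future readers, and it would also make clear that the trailing `ea.value.data[offset+n] = 0;` is now redundant.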