030-CVE-2017-15275-v3.6.patch 1013 B

12345678910111213141516171819202122232425262728293031323334353637383940
  1. From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
  2. From: Jeremy Allison <jra@samba.org>
  3. Date: Wed, 20 Sep 2017 11:04:50 -0700
  4. Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
  5. talloc buffer is grown.
  6. Ensure we zero out unused grown area.
  7. CVE-2017-15275
  8. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
  9. Signed-off-by: Jeremy Allison <jra@samba.org>
  10. ---
  11. source3/smbd/srvstr.c | 14 ++++++++++++++
  12. 1 file changed, 14 insertions(+)
  13. --- a/source3/smbd/srvstr.c
  14. +++ b/source3/smbd/srvstr.c
  15. @@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb
  16. DEBUG(0, ("srvstr_push failed\n"));
  17. return -1;
  18. }
  19. +
  20. + /*
  21. + * Ensure we clear out the extra data we have
  22. + * grown the buffer by, but not written to.
  23. + */
  24. + if (buf_size + result < buf_size) {
  25. + return -1;
  26. + }
  27. + if (grow_size < result) {
  28. + return -1;
  29. + }
  30. +
  31. + memset(tmp + buf_size + result, '\0', grow_size - result);
  32. +
  33. set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
  34. *outbuf = tmp;