[Pkg-samba-maint] [samba] 01/04: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.

[Mathieu Parent]

This is an automated email from the git hooks/post-receive script.

sathieu pushed a commit to annotated tag debian/2%4.5.12+dfsg-2+deb9u1
in repository samba.

commit 78bf4a5c8dd66e96847531832b506b4c373b08f6
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Sep 20 11:04:50 2017 -0700

    s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.
    
    Ensure we zero out unused grown area.
    
    CVE-2017-15275
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 9227f4d46d707aa892fce50b5954b3de061fb477)
---
 source3/smbd/srvstr.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba..c2d70b3 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
 		DEBUG(0, ("srvstr_push failed\n"));
 		return -1;
 	}
+
+	/*
+	 * Ensure we clear out the extra data we have
+	 * grown the buffer by, but not written to.
+	 */
+	if (buf_size + result < buf_size) {
+		return -1;
+	}
+	if (grow_size < result) {
+		return -1;
+	}
+
+	memset(tmp + buf_size + result, '\0', grow_size - result);
+
 	set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
 
 	*outbuf = tmp;

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git