Home Explore Help
Register Sign In
wareck
/
openwrt_lede
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
openwrt_lede
/
package
/
network
/
services
/
samba36
/
patches
/
029-CVE-2017-15275.patch

029-CVE-2017-15275.patch 1013 B
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940 
  1. From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Jeremy Allison <jra@samba.org>
    3. 

  3. Date: Wed, 20 Sep 2017 11:04:50 -0700
    4. 

  4. Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
    5. 

  5.  talloc buffer is grown.
    6. 

  6. 

  7. Ensure we zero out unused grown area.
    8. 

  8. 

  9. CVE-2017-15275
    10. 

  10. 

  11. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
    12. 

  12. 

  13. Signed-off-by: Jeremy Allison <jra@samba.org>
    14. 

  14. ---
    15. 

  15.  source3/smbd/srvstr.c | 14 ++++++++++++++
    16. 

  16.  1 file changed, 14 insertions(+)
    17. 

  17. 

  18. --- a/source3/smbd/srvstr.c
    19. 

  19. +++ b/source3/smbd/srvstr.c
    20. 

  20. @@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb
    21. 

  21.  		DEBUG(0, ("srvstr_push failed\n"));
    22. 

  22.  		return -1;
    23. 

  23.  	}
    24. 

  24. +
    25. 

  25. +	/*
    26. 

  26. +	 * Ensure we clear out the extra data we have
    27. 

  27. +	 * grown the buffer by, but not written to.
    28. 

  28. +	 */
    29. 

  29. +	if (buf_size + result < buf_size) {
    30. 

  30. +		return -1;
    31. 

  31. +	}
    32. 

  32. +	if (grow_size < result) {
    33. 

  33. +		return -1;
    34. 

  34. +	}
    35. 

  35. +
    36. 

  36. +	memset(tmp + buf_size + result, '\0', grow_size - result);
    37. 

  37. +
    38. 

  38.  	set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
    39. 

  39.  
    40. 

  40.  	*outbuf = tmp;
    41.