Commit
samba36: backport an upstream fix for an information leak (CVE-2017-15275)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Showing 2 changed files with 41 additions and 1 deletion.
40 changes: 40 additions & 0 deletions
package/network/services/samba36/patches/029-CVE-2017-15275.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001 | ||
From: Jeremy Allison <jra@samba.org> | ||
Date: Wed, 20 Sep 2017 11:04:50 -0700 | ||
Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when | ||
talloc buffer is grown. | ||
|
||
Ensure we zero out unused grown area. | ||
|
||
CVE-2017-15275 | ||
|
||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077 | ||
|
||
Signed-off-by: Jeremy Allison <jra@samba.org> | ||
--- | ||
source3/smbd/srvstr.c | 14 ++++++++++++++ | ||
1 file changed, 14 insertions(+) | ||
|
||
--- a/source3/smbd/srvstr.c | ||
+++ b/source3/smbd/srvstr.c | ||
@@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb | ||
DEBUG(0, ("srvstr_push failed\n")); | ||
return -1; | ||
} | ||
+ | ||
+ /* | ||
+ * Ensure we clear out the extra data we have | ||
+ * grown the buffer by, but not written to. | ||
+ */ | ||
+ if (buf_size + result < buf_size) { | ||
+ return -1; | ||
+ } | ||
+ if (grow_size < result) { | ||
+ return -1; | ||
+ } | ||
+ | ||
+ memset(tmp + buf_size + result, '\0', grow_size - result); | ||
+ | ||
set_message_bcc((char *)tmp, smb_buflen(tmp) + result); | ||
|
||
*outbuf = tmp; |
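Review bot: The two new `return -1` paths in the `message_push_string` hunk (the `buf_size + result < buf_size` wrap check and the `grow_size < result` check) fail silently, while the existing failure path just above them logs `DEBUG(0, ("srvstr_push failed\n"))`. Consider adding a DEBUG message to each so that a rejected length can be told apart from a push failure in the logs. Both returns also happen before `*outbuf = tmp;`, the same as the existing error path, so the caller's pointer is not updated on these paths; a one-line comment stating that this is intended would help the next reader. The embedded Subject reads `[PATCH 2/2]`, so the backport's commit message could also say whether 1/2 is needed for samba36.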