OpenWrt – Blame information for rev 1
Rev | Author | Line No. | Line |
---|---|---|---|
1 | office | 1 | From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001 |
2 | From: Jeremy Allison <jra@samba.org> |
||
3 | Date: Wed, 20 Sep 2017 11:04:50 -0700 |
||
4 | Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when |
||
5 | talloc buffer is grown. |
||
6 | |||
7 | Ensure we zero out unused grown area. |
||
8 | |||
9 | CVE-2017-15275 |
||
10 | |||
11 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077 |
||
12 | |||
13 | Signed-off-by: Jeremy Allison <jra@samba.org> |
||
14 | --- |
||
15 | source3/smbd/srvstr.c | 14 ++++++++++++++ |
||
16 | 1 file changed, 14 insertions(+) |
||
17 | |||
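--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb
 DEBUG(0, ("srvstr_push failed\n"));
 return -1;
 }
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
 set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
 
 *outbuf = tmp;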
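Review bot: The two added guards return -1 before `*outbuf = tmp;` runs and without a log line, unlike the `srvstr_push failed` path directly above them. If `tmp` comes from reallocating `*outbuf` (the allocation is above the hunk, so this is inferred), the caller keeps the old pointer on these paths and it may no longer be valid. Either assign `*outbuf = tmp;` before each `return -1;` or state in the function comment that the buffer must not be reused after a failure. The block comment covers only the memset, so I would add one line per guard, e.g. `/* offset buf_size + result must not wrap */` and `/* result beyond grow_size would underflow the memset length */`, plus a `DEBUG(0, ("message_push_string: bad result length\n"));` so the failure is visible in logs. The body of message_push_string starts and ends outside the hunk.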