samba36: backport an upstream fix for an information leak (CVE-2017-15275)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit is contained in:
parent
d77fe9219a
commit
e5a10bc0fc
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=samba
|
||||
PKG_VERSION:=3.6.25
|
||||
PKG_RELEASE:=6
|
||||
PKG_RELEASE:=7
|
||||
|
||||
PKG_SOURCE_URL:=https://download.samba.org/pub/samba \
|
||||
https://download.samba.org/pub/samba/stable
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
|
||||
From: Jeremy Allison <jra@samba.org>
|
||||
Date: Wed, 20 Sep 2017 11:04:50 -0700
|
||||
Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
|
||||
talloc buffer is grown.
|
||||
|
||||
Ensure we zero out unused grown area.
|
||||
|
||||
CVE-2017-15275
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
|
||||
|
||||
Signed-off-by: Jeremy Allison <jra@samba.org>
|
||||
---
|
||||
source3/smbd/srvstr.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
--- a/source3/smbd/srvstr.c
|
||||
+++ b/source3/smbd/srvstr.c
|
||||
@@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb
|
||||
DEBUG(0, ("srvstr_push failed\n"));
|
||||
return -1;
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * Ensure we clear out the extra data we have
|
||||
+ * grown the buffer by, but not written to.
|
||||
+ */
|
||||
+ if (buf_size + result < buf_size) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (grow_size < result) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ memset(tmp + buf_size + result, '\0', grow_size - result);
|
||||
+
|
||||
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
|
||||
|
||||
*outbuf = tmp;
|
Loading…
Reference in New Issue