s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.

author Jeremy Allison <jra@samba.org>

Wed, 20 Sep 2017 18:04:50 +0000 (11:04 -0700)

committer Karolin Seeger <kseeger@samba.org>

Tue, 21 Nov 2017 18:42:22 +0000 (19:42 +0100)
author Jeremy Allison <jra@samba.org>
Wed, 20 Sep 2017 18:04:50 +0000 (11:04 -0700)
committer Karolin Seeger <kseeger@samba.org>
Tue, 21 Nov 2017 18:42:22 +0000 (19:42 +0100)
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c

index 56dceba8c6cb1c40391116643d1c1ddae00004a7..c2d70b32c32459df892c9b3268685065ef4b497a 100644 (file)
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
                 DEBUG(0, ("srvstr_push failed\n"));
                 return -1;
         }
+
+       /*
+        * Ensure we clear out the extra data we have
+        * grown the buffer by, but not written to.
+        */
+       if (buf_size + result < buf_size) {
+               return -1;
+       }
+       if (grow_size < result) {
+               return -1;
+       }
+
+       memset(tmp + buf_size + result, '\0', grow_size - result);
+
         set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
  
         *outbuf = tmp;
author	Jeremy Allison <jra@samba.org>
	Wed, 20 Sep 2017 18:04:50 +0000 (11:04 -0700)
committer	Karolin Seeger <kseeger@samba.org>
	Tue, 21 Nov 2017 18:42:22 +0000 (19:42 +0100)