CVE-2014-0178 patch for 3.6

author Jiří Šašek <jiri.sasek@oracle.com>

Mon, 15 Sep 2014 17:23:55 +0000 (19:23 +0200)

committer Karolin Seeger <kseeger@samba.org>

Thu, 18 Sep 2014 06:43:13 +0000 (08:43 +0200)
author Jiří Šašek <jiri.sasek@oracle.com>
Mon, 15 Sep 2014 17:23:55 +0000 (19:23 +0200)
committer Karolin Seeger <kseeger@samba.org>
Thu, 18 Sep 2014 06:43:13 +0000 (08:43 +0200)
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c

index 4c145e01dcc806a6ccd3204667168be73254abf9..b9a66208cdd57580a300ee0817fe67cad3c5d879 100644 (file)
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2303,7 +2303,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
                 if (!labels) {
                         *out_len = 16;
                 } else {
-                       *out_len = 12 + labels_data_count + 4;
+                       *out_len = 12 + labels_data_count;
                 }
  
                 if (max_out_len < *out_len) {
@@ -2313,7 +2313,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
                         return NT_STATUS_BUFFER_TOO_SMALL;
                 }
  
-               cur_pdata = talloc_array(ctx, char, *out_len);
+               cur_pdata = talloc_zero_array(ctx, char, *out_len);
                 if (cur_pdata == NULL) {
                         TALLOC_FREE(shadow_data);
                         return NT_STATUS_NO_MEMORY;
@@ -2330,7 +2330,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
                 }
  
                 /* needed_data_count 4 bytes */
-               SIVAL(cur_pdata, 8, labels_data_count + 4);
+               SIVAL(cur_pdata, 8, labels_data_count);
  
                 cur_pdata += 12;
author	Jiří Šašek <jiri.sasek@oracle.com>
	Mon, 15 Sep 2014 17:23:55 +0000 (19:23 +0200)
committer	Karolin Seeger <kseeger@samba.org>
	Thu, 18 Sep 2014 06:43:13 +0000 (08:43 +0200)