Ensure we don't return uninitialized memory in the pad bytes.
authorJeremy Allison <jra@samba.org>
Tue, 26 Mar 2013 23:46:51 +0000 (16:46 -0700)
committerDavid Disseldorp <ddiss@samba.org>
Tue, 2 Apr 2013 18:06:38 +0000 (20:06 +0200)
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@suse.de>
source3/smbd/trans2.c

index b243af8f279c4a1d7ec6faecf1c93eeac2dbc33a..df6fe92c3aa627bebbb2caa7aaaf6f67168e1800 100644 (file)
@@ -480,6 +480,7 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
                size_t dos_namelen;
                fstring dos_ea_name;
                size_t this_size;
+               size_t pad = 0;
 
                if (last_start != NULL && do_store_data) {
                        SIVAL(last_start, 0, PTR_DIFF(p, last_start));
@@ -498,7 +499,7 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
                this_size = 0x08 + dos_namelen + 1 + ea_list->ea.value.length;
 
                if (ea_list->next) {
-                       size_t pad = 4 - (this_size % 4);
+                       pad = 4 - (this_size % 4);
                        this_size += pad;
                }
 
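Review bot: `pad = 4 - (this_size % 4);` yields 4, not 0, when `this_size` is already a multiple of 4, so an aligned entry still gets four extra bytes, which the new `memset` in the last hunk then writes out. The result is still 4-byte aligned, so this is wasted space rather than a correctness or disclosure problem. If the extra bytes are not intended, `pad = (4 - (this_size % 4)) % 4;` gives 0 to 3. That changes the offsets stored through `SIVAL(last_start, 0, ...)`, so it should be checked against what clients expect before changing it.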
@@ -514,6 +515,11 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
                        SSVAL(p, 0x06, ea_list->ea.value.length);
                        strlcpy((char *)(p+0x08), dos_ea_name, dos_namelen+1);
                        memcpy(p + 0x08 + dos_namelen + 1, ea_list->ea.value.data, ea_list->ea.value.length);
+                       if (pad) {
+                               memset(p + 0x08 + dos_namelen + 1 + ea_list->ea.value.length,
+                                       '\0',
+                                       pad);
+                       }
                        total_data_size -= this_size;
                }