From c46d21ea9a289af08139328516ef3c3dfda8ee33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20=C5=A0a=C5=A1ek?=
Date: Mon, 15 Sep 2014 19:23:55 +0200
Subject: [PATCH] CVE-2014-0178 patch for 3.6 Samba 3.6.23 patch for: FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to, zero ...derived from Christof Schmitt 's patch for Samba 4.0 http://www.samba.org/samba/ftp/patches/security/samba-4.0.17-CVE-2014-0178-CVE-2014-0239.patch
---
 source3/smbd/nttrans.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 4c145e0..b9a6620 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2303,7 +2303,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
 if (!labels) {
 *out_len = 16;
 } else {
- *out_len = 12 + labels_data_count + 4;
+ *out_len = 12 + labels_data_count;
 }
 if (max_out_len < *out_len) {
@@ -2313,7 +2313,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
 return NT_STATUS_BUFFER_TOO_SMALL;
 }
- cur_pdata = talloc_array(ctx, char, *out_len);
+ cur_pdata = talloc_zero_array(ctx, char, *out_len);
 if (cur_pdata == NULL) {
 TALLOC_FREE(shadow_data);
 return NT_STATUS_NO_MEMORY;
@@ -2330,7 +2330,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
 }
 /* needed_data_count 4 bytes */
- SIVAL(cur_pdata, 8, labels_data_count + 4);
+ SIVAL(cur_pdata, 8, labels_data_count);
 cur_pdata += 12;
-- 
1.9.3
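Review bot: The new `*out_len = 12 + labels_data_count;` in the `@@ -2303` hunk and the matching `SIVAL(cur_pdata, 8, labels_data_count);` in the `@@ -2330` hunk change the length sent on the wire, but the commit message only mentions zero-initialising the array. The two expressions have to stay equal to the number of bytes the label-copy code writes after the 12-byte header, and nothing in the visible lines ties them together. I would add a comment above the assignment such as `/* 12-byte header + label data; must equal the needed_data_count written below */`. How `labels_data_count` is computed lies outside the hunks, so whether `12 + labels_data_count` can wrap for a large volume count is a question to check rather than a finding. The `!labels` branch still reports 16 bytes, which presumably now relies on the zeroed allocation for the 4 bytes after the header.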
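Review bot: The switch to `talloc_zero_array` in the `@@ -2313` hunk is the actual information-leak fix, yet nothing on the line says the zeroing is required, so a later cleanup could quietly revert it to `talloc_array`. Any byte of this output buffer that the code below does not overwrite appears to be returned to the client as-is, so I would add `/* Must be zeroed: bytes not overwritten below are returned to the client (CVE-2014-0178) */` directly above the allocation. The body of smb_fsctl starts and ends outside the hunk, so whether every byte is otherwise written cannot be judged from the visible lines.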