From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when
 talloc buffer is grown.

Ensure we zero out unused grown area.

CVE-2017-15275

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/smbd/srvstr.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba8c6c..c2d70b32c32 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
 		DEBUG(0, ("srvstr_push failed\n"));
 		return -1;
 	}
+
+	/*
+	 * Ensure we clear out the extra data we have
+	 * grown the buffer by, but not written to.
+	 */
+	if (buf_size + result < buf_size) {
+		return -1;
+	}
+	if (grow_size < result) {
+		return -1;
+	}
+
+	memset(tmp + buf_size + result, '\0', grow_size - result);
+
 	set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
 
 	*outbuf = tmp;
-- 
2.14.2.920.gcf0c67979c-goog