[SCM] Samba Shared Repository - branch v3-6-stable updated

Thu Sep 18 00:43:44 MDT 2014

The branch, v3-6-stable has been updated
       via  6e1ba4c CVE-2014-0178 patch for 3.6
      from  260ab8a VERSION: Bump version up to 3.6.25.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable


- Log -----------------------------------------------------------------
commit 6e1ba4cf362165a2c8120874bd6951615aef4599
Author: Jiří Šašek <jiri.sasek at oracle.com>
Date:   Mon Sep 15 19:23:55 2014 +0200

    CVE-2014-0178 patch for 3.6
    
    Samba 3.6.23 patch for:
    FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to, zero
    ...derived from Christof Schmitt <christof.schmitt at us.ibm.com>'s patch for Samba 4.0
    http://www.samba.org/samba/ftp/patches/security/samba-4.0.17-CVE-2014-0178-CVE-2014-0239.patch
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10549
    CVE-2014-0178: Malformed FSCTL_SRV_ENUMERATE_SNAPSHOTS response

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/nttrans.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 4c145e0..b9a6620 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2303,7 +2303,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
 		if (!labels) {
 			*out_len = 16;
 		} else {
-			*out_len = 12 + labels_data_count + 4;
+			*out_len = 12 + labels_data_count;
 		}
 
 		if (max_out_len < *out_len) {
@@ -2313,7 +2313,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
 			return NT_STATUS_BUFFER_TOO_SMALL;
 		}
 
-		cur_pdata = talloc_array(ctx, char, *out_len);
+		cur_pdata = talloc_zero_array(ctx, char, *out_len);
 		if (cur_pdata == NULL) {
 			TALLOC_FREE(shadow_data);
 			return NT_STATUS_NO_MEMORY;
@@ -2330,7 +2330,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
 		}
 
 		/* needed_data_count 4 bytes */
-		SIVAL(cur_pdata, 8, labels_data_count + 4);
+		SIVAL(cur_pdata, 8, labels_data_count);
 
 		cur_pdata += 12;
 


-- 
Samba Shared Repository
