From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
 talloc buffer is grown.

Ensure we zero out unused grown area.

CVE-2017-15275

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/smbd/srvstr.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb
 		DEBUG(0, ("srvstr_push failed\n"));
 		return -1;
 	}
+
+	/*
+	 * Ensure we clear out the extra data we have
+	 * grown the buffer by, but not written to.
+	 */
+	if (buf_size + result < buf_size) {
+		return -1;
+	}
+	if (grow_size < result) {
+		return -1;
+	}
+
+	memset(tmp + buf_size + result, '\0', grow_size - result);
+
 	set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
 
 	*outbuf = tmp;