CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
authorStefan Metzmacher <metze@samba.org>
Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:29 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: G√ľnther Deschner <gd@samba.org>
source4/rpc_server/common/reply.c

index 5473237d4155cc34392c438464b020701746b52c..b187e208d3c202803694f51a064542b279138ef0 100644 (file)
@@ -101,10 +101,10 @@ NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code)
 {
        struct ncacn_packet pkt;
        struct data_blob_list_item *rep;
-       uint8_t zeros[4];
+       static const uint8_t zeros[4] = { 0, };
        NTSTATUS status;
 
-       /* setup a bind_ack */
+       /* setup a fault */
        dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
        pkt.auth_length = 0;
        pkt.call_id = call->pkt.call_id;
@@ -114,8 +114,6 @@ NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code)
        pkt.u.fault.context_id = 0;
        pkt.u.fault.cancel_count = 0;
        pkt.u.fault.status = fault_code;
-
-       ZERO_STRUCT(zeros);
        pkt.u.fault._pad = data_blob_const(zeros, sizeof(zeros));
 
        rep = talloc_zero(call, struct data_blob_list_item);