authorJiří Šašek <jiri.sasek@oracle.com>2014-09-15 19:23:55 +0200
committerKarolin Seeger <kseeger@samba.org>2014-09-18 08:43:13 +0200
commit6e1ba4cf362165a2c8120874bd6951615aef4599 (patch)
tree68c7e6e5967534c022079040e5c87e06b1b870b3
parent260ab8a34c076e98868a2c8de2a7dc14138d3947 (diff)
CVE-2014-0178 patch for 3.6
Samba 3.6.23 patch for: FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to zero. Derived from Christof Schmitt <christof.schmitt@us.ibm.com>'s patch for Samba 4.0: http://www.samba.org/samba/ftp/patches/security/samba-4.0.17-CVE-2014-0178-CVE-2014-0239.patch Bug: https://bugzilla.samba.org/show_bug.cgi?id=10549 CVE-2014-0178: Malformed FSCTL_SRV_ENUMERATE_SNAPSHOTS response
-rw-r--r--source3/smbd/nttrans.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 4c145e01dcc..b9a66208cdd 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2303,7 +2303,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
if (!labels) {
*out_len = 16;
} else {
- *out_len = 12 + labels_data_count + 4;
+ *out_len = 12 + labels_data_count;
}
if (max_out_len < *out_len) {
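Review bot: The reply size set here (`*out_len = 12 + labels_data_count;`) and the needed_data_count field written in the third hunk (`SIVAL(cur_pdata, 8, labels_data_count);`) are two hand-maintained copies of the same layout fact, and this patch has to drop the same `+ 4` from both. I would add a comment at this assignment saying what the constant covers, for example `/* 12-byte fixed header + label data; must match needed_data_count written at offset 8 */`, so the two sites are not changed independently later. The `!labels` branch keeps the bare `16`, and from the visible lines it is not clear which of those 16 bytes are filled in, so that branch deserves a similar one-line comment. smb_fsctl starts and ends outside this hunk, so the computation of labels_data_count could not be checked here.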
@@ -2313,7 +2313,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
return NT_STATUS_BUFFER_TOO_SMALL;
}
- cur_pdata = talloc_array(ctx, char, *out_len);
+ cur_pdata = talloc_zero_array(ctx, char, *out_len);
if (cur_pdata == NULL) {
TALLOC_FREE(shadow_data);
return NT_STATUS_NO_MEMORY;
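Review bot: The switch to `talloc_zero_array` is the security-relevant line of this patch, yet nothing at the call site says why the buffer is zeroed, so a later cleanup could swap it back to `talloc_array` as a harmless-looking optimisation. I would add a comment above the allocation, for example `/* Zeroed on purpose: bytes of the reply not written below must not carry uninitialized heap contents (CVE-2014-0178). */`. The allocation sits in the middle of smb_fsctl, which starts and ends outside this hunk, so which bytes stay unwritten is inferred from the commit message, not from the visible code.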
@@ -2330,7 +2330,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
}
/* needed_data_count 4 bytes */
- SIVAL(cur_pdata, 8, labels_data_count + 4);
+ SIVAL(cur_pdata, 8, labels_data_count);
cur_pdata += 12;