From 43becd6f305bd5d21d886027d38a92d4dff22d75 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 26 Mar 2013 16:46:51 -0700
Subject: [PATCH] Ensure we don't return uninitialized memory in the pad bytes.

Signed-off-by: Jeremy Allison
Reviewed-by: David Disseldorp
---
 source3/smbd/trans2.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index b243af8f279..df6fe92c3aa 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -480,6 +480,7 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
 size_t dos_namelen;
 fstring dos_ea_name;
 size_t this_size;
+ size_t pad = 0;
 if (last_start != NULL && do_store_data) {
 SIVAL(last_start, 0, PTR_DIFF(p, last_start));
@@ -498,7 +499,7 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
 this_size = 0x08 + dos_namelen + 1 + ea_list->ea.value.length;
 if (ea_list->next) {
- size_t pad = 4 - (this_size % 4);
+ pad = 4 - (this_size % 4);
 this_size += pad;
 }
@@ -514,6 +515,11 @@ static NTSTATUS fill_ea_chained_buffer(TALLOC_CTX *mem_ctx,
 SSVAL(p, 0x06, ea_list->ea.value.length);
 strlcpy((char *)(p+0x08), dos_ea_name, dos_namelen+1);
 memcpy(p + 0x08 + dos_namelen + 1, ea_list->ea.value.data, ea_list->ea.value.length);
+ if (pad) {
+ memset(p + 0x08 + dos_namelen + 1 + ea_list->ea.value.length,
+ '\0',
+ pad);
+ }
 total_data_size -= this_size;
 }
--
2.11.4.GIT
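Review bot: In the second hunk, `pad = 4 - (this_size % 4);` evaluates to 4 rather than 0 when `this_size` is already a multiple of 4, so an already-aligned entry grows by four bytes that serve no alignment purpose. The expression is carried over unchanged from the removed line, and the layout looks self-consistent as far as the hunks show, because the next-entry offset is stored from `PTR_DIFF(p, last_start)`. If the over-pad is not deliberate, `pad = (4 - (this_size % 4)) % 4;` gives 0 to 3 instead. The function body starts and ends outside the hunk, so whether any caller sizes the reply buffer with the same formula could not be checked here.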
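Review bot: In the third hunk the new `memset` and the following `total_data_size -= this_size;` both rely on `this_size` (which now includes `pad`) having been checked against `total_data_size` before any store. That check is not visible in the hunk, so confirm it runs after the padding is added; otherwise the memset writes up to four bytes past the remaining space and the `size_t` subtraction wraps. I would also add a comment above the `if (pad)` block, e.g. `/* Zero the alignment padding so stale buffer contents are never sent to the client. */`, since the reason for the memset is otherwise recorded only in the commit subject. The function continues outside the hunk.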