From 1a71f07cee0bfe50ea6821a195a950d2206aab55 Mon Sep 17 00:00:00 2001
From: Christian Ambach
Date: Fri, 2 Nov 2012 08:41:10 +0100
Subject: s3:vfs_gpfs fix memory corruption in gpfs2smb_acl
sys_acl_init returns a SMB_ACL_T with zero entries in the acl array reallocate the array to proper size before filling it, otherwise we overwrite memory
This one is a result of a improper fixing in 7a6182962966e5edb42728c8
Signed-off-by: Christian Ambach
Reviewed-by: Andrew Bartlett
---
 source3/modules/vfs_gpfs.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c
index e425d2f1c3..f5ac7eb4fb 100644
--- a/source3/modules/vfs_gpfs.c
+++ b/source3/modules/vfs_gpfs.c
@@ -573,6 +573,8 @@ static SMB_ACL_T gpfs2smb_acl(const struct gpfs_acl *pacl, TALLOC_CTX *mem_ctx)
 }
 result->count = pacl->acl_nace;
+ result->acl = talloc_realloc(result, result->acl, struct smb_acl_entry,
+ result->count);
 for (i=0; iacl_nace; i++) {
 struct smb_acl_entry *ace = &result->acl[i];
-- cgit
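Review bot: The return value of the added `talloc_realloc()` is never checked, so if the allocation fails the loop that follows takes `&result->acl[i]` from a NULL array and writes through it, replacing the heap overwrite with a NULL dereference. A guard right after the call would close that path, e.g. `if (result->count > 0 && result->acl == NULL) { TALLOC_FREE(result); errno = ENOMEM; return NULL; }`. The `count > 0` condition is there because talloc returns NULL for a zero-element realloc, which is not an error. It would also be safer to assign `result->count` only after the resize has succeeded, so the struct never advertises more entries than the array holds. `pacl->acl_nace` appears to come straight from the GPFS ACL buffer, so a sanity bound on it before sizing the array seems worth considering. The body of `gpfs2smb_acl` starts and ends outside this hunk, so the error-handling style used earlier in the function is not visible here.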