In smbd/posix_acls.c the acl_group_override() function doesn't initialize an SMB_STRUCT_STAT before use. Patches for 3.4.0, v3-3-test and v3-2-test follow. Jeremy.
Created attachment 4315. Patch for 3.4.0, v3-3-test and v3-2-test. This patch, developed on v3-4-test, also applies cleanly to v3-3-test and v3-2-test. Volker, please review, and then reassign to Karolin to push if you're ok with it. It passes down the already valid SMB_STRUCT_STAT buffer pointer instead of re-doing a stat. Jeremy.
Wow.... That's a bit scary, isn't it? Volker
After talking to Volker, picked the patch for 3.4.0rc1 and pushed to the other branches, too. Closing out bug report. Thanks!
Yes, it's kind of scary :-). I don't think it's exploitable in any fashion though, it would just give the wrong result. Thanks for the review! Jeremy.