In smbd/posix_acls.c the acl_group_override() function doesn't initialize a SMB_STRUCT_STAT before use.
Patches for 3.4.0, v3-3-test and v3-2-test follows.
Created attachment 4315 [details]
Patch for 3.4.0, v3-3-test and v3-2-test.
This patch, developed on v3-4-test, also applies cleanly to v3-3-test and v3-2-test. Volker please review, and then reassign to Karolin to push if you're ok with it. It passes down the already valid SMB_STRUCT_STAT buffer pointer instead of re-doing a stat.
Wow.... That's a bit scary, isn't it?
After talking to Volker, picked the patch for 3.4.0rc1 and pushed to the other branches, too.
Closing out bug report.
Yes, it's kind of scary :-). I don't think it's exploitable in any fashion though, just would give the wrong result. Thanks for the review !