diff options
author | Jeremy Allison <jra@samba.org> | 2009-03-05 20:59:48 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2009-03-05 20:59:48 -0800 |
commit | f03bacbf695f877d27186a39755ae726a22a61c8 (patch) | |
tree | ce4854a8e36ee71bb8dddb8211fea2e278d868b6 | |
parent | 7274d5691a339087f2770acf2f954830506f5cdc (diff) | |
download | samba-f03bacbf695f877d27186a39755ae726a22a61c8.tar.gz |
Now we're allowing a lower bound for auth_len, ensure we
also check for an upper one (integer wrap).
Jeremy.
-rw-r--r-- | source/rpc_server/srv_pipe.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/source/rpc_server/srv_pipe.c b/source/rpc_server/srv_pipe.c index d491bc22450..868f4d03585 100644 --- a/source/rpc_server/srv_pipe.c +++ b/source/rpc_server/srv_pipe.c @@ -2062,7 +2062,11 @@ BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss auth_len = p->hdr.auth_len; - if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) { + if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN || + auth_len < RPC_HEADER_LEN + + RPC_HDR_REQ_LEN + + RPC_HDR_AUTH_LEN + + auth_len) { DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len )); return False; } |