Now we're allowing a lower bound for auth_len, ensure we

also check for an upper one (integer wrap). Jeremy.
author: Jeremy Allison <jra@samba.org> 2009-03-05 20:59:48 -0800
committer: Jeremy Allison <jra@samba.org> 2009-03-05 20:59:48 -0800
commit: f03bacbf695f877d27186a39755ae726a22a61c8 (patch)
tree: ce4854a8e36ee71bb8dddb8211fea2e278d868b6
parent: 7274d5691a339087f2770acf2f954830506f5cdc (diff)
download: samba-f03bacbf695f877d27186a39755ae726a22a61c8.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/source/rpc_server/srv_pipe.c b/source/rpc_server/srv_pipe.c
index d491bc22450..868f4d03585 100644
--- a/source/rpc_server/srv_pipe.c
+++ b/source/rpc_server/srv_pipe.c
@@ -2062,7 +2062,11 @@ BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
 
 	auth_len = p->hdr.auth_len;
 
-	if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+	if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
+			auth_len < RPC_HEADER_LEN +
+					RPC_HDR_REQ_LEN +
+					RPC_HDR_AUTH_LEN +
+					auth_len) {
 		DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
 		return False;
 	}
author	Jeremy Allison <jra@samba.org>	2009-03-05 20:59:48 -0800
committer	Jeremy Allison <jra@samba.org>	2009-03-05 20:59:48 -0800
commit	f03bacbf695f877d27186a39755ae726a22a61c8 (patch)
tree	ce4854a8e36ee71bb8dddb8211fea2e278d868b6
parent	7274d5691a339087f2770acf2f954830506f5cdc (diff)
download	samba-f03bacbf695f877d27186a39755ae726a22a61c8.tar.gz