diff options
author | Stefan Metzmacher <metze@samba.org> | 2013-09-25 23:25:12 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-12-05 11:11:51 +0100 |
commit | 288337429fe8f3a830e592a53b8b12e1a060d299 (patch) | |
tree | 0da2b4d5daacb1aeadb7d265718d2998f98c6679 | |
parent | 4487b19619fa0fbfc64c33cd073e67ceae8563c3 (diff) | |
download | samba-288337429fe8f3a830e592a53b8b12e1a060d299.tar.gz |
CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 4e5fd71e890..57dcddc66d8 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -281,6 +281,10 @@ static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx, } state->frag_len = dcerpc_get_frag_length(pdu); + if (state->frag_len < RPC_HEADER_LEN) { + tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); + return tevent_req_post(req, ev); + } /* * Ensure we have frag_len bytes of data. @@ -329,6 +333,10 @@ static void get_complete_frag_got_header(struct tevent_req *subreq) } state->frag_len = dcerpc_get_frag_length(state->pdu); + if (state->frag_len < RPC_HEADER_LEN) { + tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); + return; + } if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) { tevent_req_nterror(req, NT_STATUS_NO_MEMORY); |