CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_next_vector()

We should do this explicit instead of relying on tstream_readv_pdu_ask_for_next_vector() to catch the overflow. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2013-09-24 05:03:40 +0200
committer: Karolin Seeger <kseeger@samba.org> 2013-12-05 11:11:51 +0100
commit: b13b1426f6c309b6ff3b2b5f9e335a62fd256969 (patch)
tree: 52c2c39746cdcfdc16c81437dd26909275a6accb
parent: d485eff4c13ce3c0ab689cde56fe74ad3a0343f5 (diff)
download: samba-b13b1426f6c309b6ff3b2b5f9e335a62fd256969.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index 632d70da7dd..b8bf64d655e 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -223,6 +223,15 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
 
 		ofs = state->buffer.length;
 
+		if (frag_len < ofs) {
+			/*
+			 * something is wrong, let the caller deal with it
+			 */
+			*_vector = NULL;
+			*_count = 0;
+			return 0;
+		}
+
 		state->buffer.data = talloc_realloc(state,
 						    state->buffer.data,
 						    uint8_t, frag_len);
author	Stefan Metzmacher <metze@samba.org>	2013-09-24 05:03:40 +0200
committer	Karolin Seeger <kseeger@samba.org>	2013-12-05 11:11:51 +0100
commit	b13b1426f6c309b6ff3b2b5f9e335a62fd256969 (patch)
tree	52c2c39746cdcfdc16c81437dd26909275a6accb
parent	d485eff4c13ce3c0ab689cde56fe74ad3a0343f5 (diff)
download	samba-b13b1426f6c309b6ff3b2b5f9e335a62fd256969.tar.gz