diff options
author | Stefan Metzmacher <metze@samba.org> | 2013-09-24 05:03:40 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-12-05 11:11:52 +0100 |
commit | ba9728b86c52ad2da4d80d80edb17c07bd09be2c (patch) | |
tree | 2598e1064cfcebe00c100697520f852f5a15d706 | |
parent | fc294c4842cfaea19ddcec2a5be37322ab8b5b45 (diff) | |
download | samba-ba9728b86c52ad2da4d80d80edb17c07bd09be2c.tar.gz |
CVE-2013-4408:s4:dcerpc_sock: check for invalid frag_len within sock_complete_packet()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | source4/librpc/rpc/dcerpc_sock.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/source4/librpc/rpc/dcerpc_sock.c b/source4/librpc/rpc/dcerpc_sock.c index f0451ac6745..9a596da47da 100644 --- a/source4/librpc/rpc/dcerpc_sock.c +++ b/source4/librpc/rpc/dcerpc_sock.c @@ -102,6 +102,12 @@ static NTSTATUS sock_complete_packet(void *private_data, DATA_BLOB blob, size_t return STATUS_MORE_ENTRIES; } *size = dcerpc_get_frag_length(&blob); + if (*size < blob.length) { + /* + * something is wrong, let the caller deal with it + */ + *size = blob.length; + } if (*size > blob.length) { return STATUS_MORE_ENTRIES; } |