diff options
| author | Stefan Metzmacher <metze@samba.org> | 2016-06-20 16:25:12 +0200 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2016-06-24 14:09:02 +0200 |
| commit | 3f7e3ed8a276f16aaed87c1f3cd5b9781aa7e1af (patch) | |
| tree | 734b0f44dc35f82f0f491147faa20e12b3879f21 /librpc/rpc | |
| parent | f386e81b982cd551313eb9c0f7d2f70d65515d80 (diff) | |
| download | samba-3f7e3ed8a276f16aaed87c1f3cd5b9781aa7e1af.tar.gz | |
librpc/rpc: let dcerpc_pull_auth_trailer() check that auth_pad_length fits within the whole pdu.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11982
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'librpc/rpc')
| -rw-r--r-- | librpc/rpc/dcerpc_util.c | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c index 4d82e9a53a9..ee7b30779c4 100644 --- a/librpc/rpc/dcerpc_util.c +++ b/librpc/rpc/dcerpc_util.c @@ -95,6 +95,7 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, uint16_t data_and_pad; uint16_t auth_length; uint32_t tmp_length; + uint32_t max_pad_len = 0; ZERO_STRUCTP(auth); if (_auth_length != NULL) { @@ -157,6 +158,42 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, return ndr_map_error2ntstatus(ndr_err); } + /* + * Make sure the padding would not exceed + * the frag_length. + * + * Here we assume at least 24 bytes for the + * payload specific header the value of + * DCERPC_{REQUEST,RESPONSE}_LENGTH. + * + * We use this also for BIND_*, ALTER_* and AUTH3 pdus. + * + * We need this check before we ignore possible + * invalid values. See also bug #11982. + * + * This check is mainly used to generate the correct + * error for BIND_*, ALTER_* and AUTH3 pdus. + * + * We always have the 'if (data_and_pad < auth->auth_pad_length)' + * protection for REQUEST and RESPONSE pdus, where the + * auth_pad_length field is actually used by the caller. + */ + tmp_length = DCERPC_REQUEST_LENGTH; + tmp_length += DCERPC_AUTH_TRAILER_LENGTH; + tmp_length += pkt->auth_length; + if (tmp_length < pkt->frag_length) { + max_pad_len = pkt->frag_length - tmp_length; + } + if (max_pad_len < auth->auth_pad_length) { + DEBUG(1, (__location__ ": ERROR: pad length to large. " + "max %u got %u\n", + (unsigned)max_pad_len, + (unsigned)auth->auth_pad_length)); + talloc_free(ndr); + ZERO_STRUCTP(auth); + return NT_STATUS_RPC_PROTOCOL_ERROR; + } + if (data_and_pad < auth->auth_pad_length) { DEBUG(1, (__location__ ": ERROR: pad length mismatch. " "Calculated %u got %u\n", |