CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()

All callers should have already checked that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2015-06-28 01:19:57 +0200
committer: Stefan Metzmacher <metze@samba.org> 2016-04-12 19:25:31 +0200
commit: 5108d26add4d20edf00429d00a0375034adb263e (patch)
tree: d0887e377ea5ea4810f33473283267061fc3a81f /librpc/rpc
parent: c0f3f308dae897dc7d58d920dc9448dddb706060 (diff)
download: samba-5108d26add4d20edf00429d00a0375034adb263e.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index 2f81447964f..43e1b7f426f 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -102,6 +102,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
 	}
 
 	/* Paranoia checks for auth_length. The caller should check this... */
+	if (pkt->auth_length == 0) {
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	/* Paranoia checks for auth_length. The caller should check this... */
 	if (pkt->auth_length > pkt->frag_length) {
 		return NT_STATUS_INTERNAL_ERROR;
 	}
author	Stefan Metzmacher <metze@samba.org>	2015-06-28 01:19:57 +0200
committer	Stefan Metzmacher <metze@samba.org>	2016-04-12 19:25:31 +0200
commit	5108d26add4d20edf00429d00a0375034adb263e (patch)
tree	d0887e377ea5ea4810f33473283267061fc3a81f /librpc/rpc
parent	c0f3f308dae897dc7d58d920dc9448dddb706060 (diff)
download	samba-5108d26add4d20edf00429d00a0375034adb263e.tar.gz