author | Stefan Metzmacher <metze@samba.org> | 2015-06-28 01:19:57 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:31 +0200 |
commit | 5108d26add4d20edf00429d00a0375034adb263e (patch) | |
tree | d0887e377ea5ea4810f33473283267061fc3a81f /librpc/rpc | |
parent | c0f3f308dae897dc7d58d920dc9448dddb706060 (diff) | |
CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
All callers should have already checked that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'librpc/rpc')
-rw-r--r-- | librpc/rpc/dcerpc_util.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c index 2f81447964f..43e1b7f426f 100644 --- a/librpc/rpc/dcerpc_util.c +++ b/librpc/rpc/dcerpc_util.c @@ -102,6 +102,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, } /* Paranoia checks for auth_length. The caller should check this... */ + if (pkt->auth_length == 0) { + return NT_STATUS_INTERNAL_ERROR; + } + + /* Paranoia checks for auth_length. The caller should check this... */ if (pkt->auth_length > pkt->frag_length) { return NT_STATUS_INTERNAL_ERROR; } |
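Review bot: the new `pkt->auth_length == 0` check repeats the comment "Paranoia checks for auth_length. The caller should check this..." word for word, so the same line now sits above two adjacent checks. Keep a single comment over both checks and make it state the precondition the commit message relies on: callers must only call dcerpc_pull_auth_trailer() when pkt->auth_length is non-zero. Returning NT_STATUS_INTERNAL_ERROR matches the neighbouring `pkt->auth_length > pkt->frag_length` check, but it means a caller that skips its own validation reports a packet header value as an internal error, so the function's header comment should also say that the caller owns that validation and what status it will get if it does not do it.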