diff options
| author | Volker Lendecke <vl@samba.org> | 2016-11-05 21:22:46 +0100 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2016-12-19 10:52:14 +0100 |
| commit | 4b095f105db846158b227a7bdd3ddc91e14a5b59 (patch) | |
| tree | 108c9dae2c9251bcd71a6709d82981fe447ca36a /librpc | |
| parent | 42d2d3844564c152ae21b6e8cabaa99dbf019c36 (diff) | |
| download | samba-4b095f105db846158b227a7bdd3ddc91e14a5b59.tar.gz | |
CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.
Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
Diffstat (limited to 'librpc')
| -rw-r--r-- | librpc/ndr/ndr_dnsp.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c index 3cb96f94a1b..0541261b95f 100644 --- a/librpc/ndr/ndr_dnsp.c +++ b/librpc/ndr/ndr_dnsp.c @@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag uint8_t sublen, newlen; NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen)); newlen = total_len + sublen; + if (newlen < total_len) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, + "Failed to pull dnsp_name"); + } if (i != count-1) { + if (newlen == UINT8_MAX) { + return ndr_pull_error( + ndr, NDR_ERR_RANGE, + "Failed to pull dnsp_name"); + } newlen++; /* for the '.' */ } ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen); |