CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995

Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding this vulnerability with a PoC and a good analysis. Signed-off-by: Volker Lendecke <vl@samba.org> Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
author: Volker Lendecke <vl@samba.org> 2016-11-05 21:22:46 +0100
committer: Stefan Metzmacher <metze@samba.org> 2016-12-20 07:51:14 +0100
commit: ce9e4a350135c985133af807dfaf8af95088b571 (patch)
tree: 9cd79169097dbe40c02a6d09cb27789b9d0e026f /librpc
parent: 0bb3490329310e81147c56f42fa7b07350cfb384 (diff)
download: samba-ce9e4a350135c985133af807dfaf8af95088b571.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index ff77bc7da6d..974ff5ebff2 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
 		uint8_t sublen, newlen;
 		NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
 		newlen = total_len + sublen;
+		if (newlen < total_len) {
+			return ndr_pull_error(ndr, NDR_ERR_RANGE,
+					      "Failed to pull dnsp_name");
+		}
 		if (i != count-1) {
+			if (newlen == UINT8_MAX) {
+				return ndr_pull_error(
+					ndr, NDR_ERR_RANGE,
+					"Failed to pull dnsp_name");
+			}
 			newlen++; /* for the '.' */
 		}
 		ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
author	Volker Lendecke <vl@samba.org>	2016-11-05 21:22:46 +0100
committer	Stefan Metzmacher <metze@samba.org>	2016-12-20 07:51:14 +0100
commit	ce9e4a350135c985133af807dfaf8af95088b571 (patch)
tree	9cd79169097dbe40c02a6d09cb27789b9d0e026f /librpc
parent	0bb3490329310e81147c56f42fa7b07350cfb384 (diff)
download	samba-ce9e4a350135c985133af807dfaf8af95088b571.tar.gz