CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Jeremy Allison <jra@samba.org>
author: Jeremy Allison <jra@samba.org> 2013-11-07 21:40:55 -0800
committer: Karolin Seeger <kseeger@samba.org> 2013-12-09 07:05:46 +0100
commit: 0dc618189469bf389a583eb346ddc6acaad1c644 (patch)
tree: c2a788305792a22c554009077b5ffc9695bd5bbd /source3/rpcclient/cmd_lsarpc.c
parent: b0ba4a562112fc707f540e1ff7c8e55ea02479c9 (diff)
download: samba-0dc618189469bf389a583eb346ddc6acaad1c644.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index 0fb371990c4..9117ce65597 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -323,7 +323,7 @@ static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_client *cli,
 
 	uint32_t num_names;
 	struct lsa_String *names;
-	struct lsa_RefDomainList *domains;
+	struct lsa_RefDomainList *domains = NULL;
 	struct lsa_TransSidArray3 sids;
 	uint32_t count = 0;
 	int i;
@@ -361,6 +361,10 @@ static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_client *cli,
 		return result;
 	}
 
+	if (sids.count != num_names) {
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+	}
+
 	for (i = 0; i < sids.count; i++) {
 		fstring sid_str;
 		sid_to_fstring(sid_str, sids.sids[i].sid);
author	Jeremy Allison <jra@samba.org>	2013-11-07 21:40:55 -0800
committer	Karolin Seeger <kseeger@samba.org>	2013-12-09 07:05:46 +0100
commit	0dc618189469bf389a583eb346ddc6acaad1c644 (patch)
tree	c2a788305792a22c554009077b5ffc9695bd5bbd /source3/rpcclient/cmd_lsarpc.c
parent	b0ba4a562112fc707f540e1ff7c8e55ea02479c9 (diff)
download	samba-0dc618189469bf389a583eb346ddc6acaad1c644.tar.gz