diff options
author | Jeremy Allison <jra@samba.org> | 2013-11-07 21:40:55 -0800 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-12-09 07:05:46 +0100 |
commit | 0dc618189469bf389a583eb346ddc6acaad1c644 (patch) | |
tree | c2a788305792a22c554009077b5ffc9695bd5bbd /source3/rpcclient | |
parent | b0ba4a562112fc707f540e1ff7c8e55ea02479c9 (diff) | |
download | samba-0dc618189469bf389a583eb346ddc6acaad1c644.tar.gz |
CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/rpcclient')
-rw-r--r-- | source3/rpcclient/cmd_lsarpc.c | 6 | ||||
-rw-r--r-- | source3/rpcclient/cmd_samr.c | 58 |
2 files changed, 62 insertions, 2 deletions
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c index 0fb371990c4..9117ce65597 100644 --- a/source3/rpcclient/cmd_lsarpc.c +++ b/source3/rpcclient/cmd_lsarpc.c @@ -323,7 +323,7 @@ static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_client *cli, uint32_t num_names; struct lsa_String *names; - struct lsa_RefDomainList *domains; + struct lsa_RefDomainList *domains = NULL; struct lsa_TransSidArray3 sids; uint32_t count = 0; int i; @@ -361,6 +361,10 @@ static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_client *cli, return result; } + if (sids.count != num_names) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + for (i = 0; i < sids.count; i++) { fstring sid_str; sid_to_fstring(sid_str, sids.sids[i].sid); diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 022230becb5..5bc8c0b57b8 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -385,7 +385,17 @@ static NTSTATUS cmd_samr_query_user(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) { goto done; } + if (NT_STATUS_IS_OK(result)) { + if (rids.count != 1) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } + if (types.count != 1) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } + status = dcerpc_samr_OpenUser(b, mem_ctx, &domain_pol, access_mask, @@ -1453,6 +1463,15 @@ static NTSTATUS cmd_samr_delete_alias(struct rpc_pipe_client *cli, goto done; } if (NT_STATUS_IS_OK(result)) { + if (rids.count != 1) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } + if (types.count != 1) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } + status = dcerpc_samr_OpenAlias(b, mem_ctx, &domain_pol, access_mask, @@ -2115,6 +2134,14 @@ static NTSTATUS cmd_samr_lookup_names(struct rpc_pipe_client *cli, status = result; goto done; } + if (rids.count != num_names) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } + if (name_types.count != num_names) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } /* Display results */ @@ -2272,6 +2299,14 @@ static NTSTATUS cmd_samr_delete_dom_group(struct rpc_pipe_client *cli, status = result; goto done; } + if (group_rids.count != 1) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } + if (name_types.count != 1) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } status = dcerpc_samr_OpenGroup(b, mem_ctx, &domain_pol, @@ -2375,6 +2410,14 @@ static NTSTATUS cmd_samr_delete_dom_user(struct rpc_pipe_client *cli, status = result; goto done; } + if (user_rids.count != 1) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } + if (name_types.count != 1) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } status = dcerpc_samr_OpenUser(b, mem_ctx, &domain_pol, @@ -2763,6 +2806,14 @@ static NTSTATUS cmd_samr_chgpasswd(struct rpc_pipe_client *cli, status = result; goto done; } + if (rids.count != 1) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } + if (types.count != 1) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } status = dcerpc_samr_OpenUser(b, mem_ctx, &domain_pol, @@ -3166,7 +3217,12 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(result)) { return result; } - + if (rids.count != 1) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + if (types.count != 1) { + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } status = dcerpc_samr_OpenUser(b, mem_ctx, &domain_pol, |