CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 Signed-off-by: Jeremy Allison <jra@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
author: Jeremy Allison <jra@samba.org> 2013-11-07 22:41:22 -0800
committer: Karolin Seeger <kseeger@samba.org> 2013-12-05 10:18:10 +0100
commit: d96f88c91586c2aed60c9037eb86ffa6bb8259fb (patch)
tree: 8d373f94144a721f076db301ff1e64a0a7772b4b /source3/rpcclient
parent: c406802cf767929c7016041da51fb512094a7f30 (diff)
download: samba-d96f88c91586c2aed60c9037eb86ffa6bb8259fb.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index 5bc8c0b57b8..87882c3ce4e 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -2223,6 +2223,14 @@ static NTSTATUS cmd_samr_lookup_rids(struct rpc_pipe_client *cli,
 		goto done;
 
 	/* Display results */
+	if (num_rids != names.count) {
+		status = NT_STATUS_INVALID_NETWORK_RESPONSE;
+		goto done;
+	}
+	if (num_rids != types.count) {
+		status = NT_STATUS_INVALID_NETWORK_RESPONSE;
+		goto done;
+	}
 
 	for (i = 0; i < num_rids; i++) {
 		printf("rid 0x%x: %s (%d)\n",
author	Jeremy Allison <jra@samba.org>	2013-11-07 22:41:22 -0800
committer	Karolin Seeger <kseeger@samba.org>	2013-12-05 10:18:10 +0100
commit	d96f88c91586c2aed60c9037eb86ffa6bb8259fb (patch)
tree	8d373f94144a721f076db301ff1e64a0a7772b4b /source3/rpcclient
parent	c406802cf767929c7016041da51fb512094a7f30 (diff)
download	samba-d96f88c91586c2aed60c9037eb86ffa6bb8259fb.tar.gz