diff options
author | Jeremy Allison <jra@samba.org> | 2013-11-07 22:41:22 -0800 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-12-05 10:18:10 +0100 |
commit | d96f88c91586c2aed60c9037eb86ffa6bb8259fb (patch) | |
tree | 8d373f94144a721f076db301ff1e64a0a7772b4b /source3/rpcclient | |
parent | c406802cf767929c7016041da51fb512094a7f30 (diff) | |
download | samba-d96f88c91586c2aed60c9037eb86ffa6bb8259fb.tar.gz |
CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/rpcclient')
-rw-r--r-- | source3/rpcclient/cmd_samr.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 5bc8c0b57b8..87882c3ce4e 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -2223,6 +2223,14 @@ static NTSTATUS cmd_samr_lookup_rids(struct rpc_pipe_client *cli, goto done; /* Display results */ + if (num_rids != names.count) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } + if (num_rids != types.count) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } for (i = 0; i < num_rids; i++) { printf("rid 0x%x: %s (%d)\n", |