diff options
| author | Stefan Metzmacher <metze@samba.org> | 2013-09-25 23:25:12 +0200 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2013-12-09 07:05:45 +0100 |
| commit | 77c3518152eca9abcc04c1c446eeec0f442a4b89 (patch) | |
| tree | 7f3eaeee8289713b0806742c60db69855bd01de8 /source4/librpc | |
| parent | 3be7907fd91749f228bf5f104ab0c673be3fef05 (diff) | |
| download | samba-77c3518152eca9abcc04c1c446eeec0f442a4b89.tar.gz | |
CVE-2013-4408:s4:dcerpc_smb2: check for invalid frag_len in send_read_request_continue()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source4/librpc')
| -rw-r--r-- | source4/librpc/rpc/dcerpc_smb2.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/source4/librpc/rpc/dcerpc_smb2.c b/source4/librpc/rpc/dcerpc_smb2.c index 473ca78ad1d..2b1c66e232f 100644 --- a/source4/librpc/rpc/dcerpc_smb2.c +++ b/source4/librpc/rpc/dcerpc_smb2.c @@ -173,6 +173,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO if (state->data.length >= 16) { uint16_t frag_length = dcerpc_get_frag_length(&state->data); + + if (frag_length < state->data.length) { + talloc_free(state); + return NT_STATUS_RPC_PROTOCOL_ERROR; + } + io.in.length = frag_length - state->data.length; } else { io.in.length = 0x2000; |