Diffstat (limited to 'source4/librpc')
-rw-r--r--source4/librpc/rpc/dcerpc.c4
-rw-r--r--source4/librpc/rpc/dcerpc_smb.c6
-rw-r--r--source4/librpc/rpc/dcerpc_smb2.c6
-rw-r--r--source4/librpc/rpc/dcerpc_sock.c6
4 files changed, 22 insertions, 0 deletions
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index e653cbaea69..2826160a353 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -693,6 +693,10 @@ static NTSTATUS ncacn_pull(struct dcecli_connection *c, DATA_BLOB *blob, TALLOC_
return ndr_map_error2ntstatus(ndr_err);
}
+ if (pkt->frag_length != blob->length) {
+ return NT_STATUS_RPC_PROTOCOL_ERROR;
+ }
+
return NT_STATUS_OK;
}
diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c
index e02631e2b11..efb76cf89d7 100644
--- a/source4/librpc/rpc/dcerpc_smb.c
+++ b/source4/librpc/rpc/dcerpc_smb.c
@@ -163,6 +163,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO
} else {
uint32_t frag_length = blob->length>=16?
dcerpc_get_frag_length(blob):0x2000;
+
+ if (frag_length < state->data.length) {
+ talloc_free(state);
+ return NT_STATUS_RPC_PROTOCOL_ERROR;
+ }
+
state->received = blob->length;
state->data = data_blob_talloc(state, NULL, frag_length);
if (!state->data.data) {
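Review bot: The added guard compares `frag_length` with `state->data.length`, but in this branch `state->data` is only assigned afterwards by `data_blob_talloc(state, NULL, frag_length)`, so at the point of the check that field does not yet describe the data already received. The length that has to fit into the new buffer is `blob->length`, the same value `state->received` is set to, so the condition should read `if (frag_length < blob->length) {`. The allocation of `state` lies outside the hunk: if it is not zero-initialised the comparison reads an indeterminate value, and if it is, the check can never fire and an undersized `frag_length` still reaches the allocation. The matching hunk in dcerpc_smb2.c reads the header from `state->data` itself and so does not appear to share the problem.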
diff --git a/source4/librpc/rpc/dcerpc_smb2.c b/source4/librpc/rpc/dcerpc_smb2.c
index 473ca78ad1d..2b1c66e232f 100644
--- a/source4/librpc/rpc/dcerpc_smb2.c
+++ b/source4/librpc/rpc/dcerpc_smb2.c
@@ -173,6 +173,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO
if (state->data.length >= 16) {
uint16_t frag_length = dcerpc_get_frag_length(&state->data);
+
+ if (frag_length < state->data.length) {
+ talloc_free(state);
+ return NT_STATUS_RPC_PROTOCOL_ERROR;
+ }
+
io.in.length = frag_length - state->data.length;
} else {
io.in.length = 0x2000;
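Review bot: The new check in the `state->data.length >= 16` branch has no comment saying that it exists to keep `frag_length - state->data.length` from wrapping when the header announces less than is already buffered. A one-line comment such as `/* frag_length is taken from the received header; reject it if it is smaller than what we already hold, so the subtraction below cannot wrap */` would make that clear. The comment could also say whether `frag_length == state->data.length`, which passes the check and gives `io.in.length = 0`, is an expected case. The function body starts and ends outside the hunk, so whether callers can reach it with a complete fragment is not visible here.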
diff --git a/source4/librpc/rpc/dcerpc_sock.c b/source4/librpc/rpc/dcerpc_sock.c
index 58fca4ce372..d36af11e923 100644
--- a/source4/librpc/rpc/dcerpc_sock.c
+++ b/source4/librpc/rpc/dcerpc_sock.c
@@ -102,6 +102,12 @@ static NTSTATUS sock_complete_packet(void *private_data, DATA_BLOB blob, size_t
return STATUS_MORE_ENTRIES;
}
*size = dcerpc_get_frag_length(&blob);
+ if (*size < blob.length) {
+ /*
+ * something is wrong, let the caller deal with it
+ */
+ *size = blob.length;
+ }
if (*size > blob.length) {
return STATUS_MORE_ENTRIES;
}