From f386e81b982cd551313eb9c0f7d2f70d65515d80 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 20 Jun 2016 16:17:45 +0200
Subject: librpc/rpc: let dcerpc_pull_auth_trailer() only accept
 auth_length!=NULL or auth_data_only=true

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11982

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
 librpc/rpc/dcerpc_util.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'librpc/rpc')

diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index 43e1b7f426f..4d82e9a53a9 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -99,6 +99,14 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
 	ZERO_STRUCTP(auth);
 	if (_auth_length != NULL) {
 		*_auth_length = 0;
+
+		if (auth_data_only) {
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+	} else {
+		if (!auth_data_only) {
+			return NT_STATUS_INTERNAL_ERROR;
+		}
 	}
 
 	/* Paranoia checks for auth_length. The caller should check this... */
-- 
cgit v1.2.1