CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size

author Stefan Metzmacher <metze@samba.org>

Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)

committer Karolin Seeger <kseeger@samba.org>

Thu, 5 Dec 2013 09:54:15 +0000 (10:54 +0100)
author Stefan Metzmacher <metze@samba.org>
Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer Karolin Seeger <kseeger@samba.org>
Thu, 5 Dec 2013 09:54:15 +0000 (10:54 +0100)
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c

index 24d69ff41ad04cab4a59b737c1f9e07e9d866d92..0bd768f9c2a092179b9f95ae652162b5919a715e 100644 (file)
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -284,6 +284,10 @@ static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
         }
  
         state->frag_len = dcerpc_get_frag_length(pdu);
+       if (state->frag_len < RPC_HEADER_LEN) {
+               tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+               return tevent_req_post(req, ev);
+       }
  
         /*
          * Ensure we have frag_len bytes of data.
@@ -332,6 +336,10 @@ static void get_complete_frag_got_header(struct tevent_req *subreq)
         }
  
         state->frag_len = dcerpc_get_frag_length(state->pdu);
+       if (state->frag_len < RPC_HEADER_LEN) {
+               tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+               return;
+       }
  
         if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
                 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
author	Stefan Metzmacher <metze@samba.org>
	Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer	Karolin Seeger <kseeger@samba.org>
	Thu, 5 Dec 2013 09:54:15 +0000 (10:54 +0100)