CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size

author Stefan Metzmacher <metze@samba.org>

Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)

committer Karolin Seeger <kseeger@samba.org>

Mon, 9 Dec 2013 06:05:45 +0000 (07:05 +0100)
author Stefan Metzmacher <metze@samba.org>
Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer Karolin Seeger <kseeger@samba.org>
Mon, 9 Dec 2013 06:05:45 +0000 (07:05 +0100)
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c

index 13423540ecfc1419f5e1f68221449f6ce7e2b2ce..0769d6dbe6bcfae97511d60e59c99ef579a6c915 100644 (file)
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -281,6 +281,10 @@ static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
         }
  
         state->frag_len = dcerpc_get_frag_length(pdu);
+       if (state->frag_len < RPC_HEADER_LEN) {
+               tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+               return tevent_req_post(req, ev);
+       }
  
         /*
          * Ensure we have frag_len bytes of data.
@@ -329,6 +333,10 @@ static void get_complete_frag_got_header(struct tevent_req *subreq)
         }
  
         state->frag_len = dcerpc_get_frag_length(state->pdu);
+       if (state->frag_len < RPC_HEADER_LEN) {
+               tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+               return;
+       }
  
         if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
                 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
author	Stefan Metzmacher <metze@samba.org>
	Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer	Karolin Seeger <kseeger@samba.org>
	Mon, 9 Dec 2013 06:05:45 +0000 (07:05 +0100)