CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large...
authorStefan Metzmacher <metze@samba.org>
Fri, 10 Jul 2015 12:08:46 +0000 (14:08 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:29 +0000 (19:25 +0200)
We should only allow a combined response payload of at most 4 MBytes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/librpc/rpc/dcerpc.c

index 567b4dc311623a379cec5d06a0c2d6495cbc063e..60d5b8d03cf692dc3b317e4f1dfff6b161adec76 100644 (file)
@@ -1569,6 +1569,15 @@ static void dcerpc_request_recv_data(struct dcecli_connection *c,
 
        length = pkt->u.response.stub_and_verifier.length;
 
+       if (req->payload.length + length > DCERPC_NCACN_PAYLOAD_MAX_SIZE) {
+               DEBUG(2,("Unexpected total payload 0x%X > 0x%X dcerpc response\n",
+                        (unsigned)req->payload.length + length,
+                        DCERPC_NCACN_PAYLOAD_MAX_SIZE));
+               req->fault_code = DCERPC_FAULT_OTHER;
+               req->status = NT_STATUS_NET_WRITE_FAULT;
+               goto req_done;
+       }
+
        if (length > 0) {
                req->payload.data = talloc_realloc(req, 
                                                   req->payload.data,
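Review bot: In the DEBUG arguments the cast in `(unsigned)req->payload.length + length` applies only to `req->payload.length`, so the type passed for the first `0x%X` depends on how `length` is declared, which is outside this hunk; `(unsigned)(req->payload.length + length)` would match the format regardless. The size check adds before it compares, so it relies on the sum not wrapping; `length > DCERPC_NCACN_PAYLOAD_MAX_SIZE - req->payload.length` avoids that dependency, assuming `req->payload.length` never exceeds the limit. A one-line comment above the check, such as `/* cap the reassembled response so talloc_realloc() below cannot grow req->payload past DCERPC_NCACN_PAYLOAD_MAX_SIZE */`, would record why the limit sits before the reallocation. The body of dcerpc_request_recv_data() starts and ends outside the hunk.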