CVE-2013-4408:s4:dcerpc_sock: check for invalid frag_len within sock_complete_packet()
authorStefan Metzmacher <metze@samba.org>
Tue, 24 Sep 2013 03:03:40 +0000 (05:03 +0200)
committerKarolin Seeger <kseeger@samba.org>
Mon, 9 Dec 2013 06:05:45 +0000 (07:05 +0100)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source4/librpc/rpc/dcerpc_sock.c

index a911dba825e1b6f0416f4c89b1e741c23efcae83..4a62b2f497f04630acf861c976984e8c4cb1af23 100644 (file)
@@ -102,6 +102,12 @@ static NTSTATUS sock_complete_packet(void *private_data, DATA_BLOB blob, size_t
                return STATUS_MORE_ENTRIES;
        }
        *size = dcerpc_get_frag_length(&blob);
+       if (*size < blob.length) {
+               /*
+                * something is wrong, let the caller deal with it
+                */
+               *size = blob.length;
+       }
        if (*size > blob.length) {
                return STATUS_MORE_ENTRIES;
        }
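Review bot: The added `*size < blob.length` branch clamps an undersized frag_len to `blob.length` and then continues down the normal path, so the fix is only safe if the code that receives the completed packet re-validates the fragment length against the buffer it is given. That check is not visible in this hunk and should be confirmed and referenced from here. The comment "something is wrong" names neither the fault nor who rejects it; I would write `/* frag_len from the wire is smaller than the data already buffered: the header is invalid. Pass the whole blob up so the PDU parser rejects it; frag_len must not be trusted as a length below this point. */`. If this transport can ever buffer more than one fragment before the callback runs, the clamp would also merge them into one packet, so the comment should state that this case is not expected here. sock_complete_packet begins and ends outside the hunk.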