git.samba.org / abartlet / samba.git / .git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c65ad56)
CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_done()
authorStefan Metzmacher <metze@samba.org>
Tue, 24 Sep 2013 03:03:40 +0000 (05:03 +0200)
committerKarolin Seeger <kseeger@samba.org>
Mon, 9 Dec 2013 06:05:45 +0000 (07:05 +0100)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
librpc/rpc/dcerpc_util.c patch | blob | history

diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index 980b0709dbaed2ceaa87f7823b85162d35aae9ed..c963da84ce38d265e199fec143e466fe7ca82c1d 100644 (file)
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -292,6 +292,11 @@ static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
                return;
        }
 
+       if (state->pkt->frag_length != state->buffer.length) {
+               tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+               return;
+       }
+
        tevent_req_done(req);
 }
 
Unnamed repository; edit this file to name it for gitweb.