CVE-2013-4408:s4:dcerpc_smb: check for invalid frag_len in send_read_request_continue()

author Stefan Metzmacher <metze@samba.org>

Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)

committer Karolin Seeger <kseeger@samba.org>

Mon, 9 Dec 2013 06:05:45 +0000 (07:05 +0100)
author Stefan Metzmacher <metze@samba.org>
Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer Karolin Seeger <kseeger@samba.org>
Mon, 9 Dec 2013 06:05:45 +0000 (07:05 +0100)
diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c

index a9903e5f9207caa7acb157faf7ee8a8b31d1ce80..036aa89bff30322f5322fbee65c73b9deeb71c68 100644 (file)
--- a/source4/librpc/rpc/dcerpc_smb.c
+++ b/source4/librpc/rpc/dcerpc_smb.c
@@ -163,6 +163,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO
         } else {
                 uint32_t frag_length = blob->length>=16?
                         dcerpc_get_frag_length(blob):0x2000;
+
+               if (frag_length < state->data.length) {
+                       talloc_free(state);
+                       return NT_STATUS_RPC_PROTOCOL_ERROR;
+               }
+
                 state->received = blob->length;
                 state->data = data_blob_talloc(state, NULL, frag_length);
                 if (!state->data.data) {
author	Stefan Metzmacher <metze@samba.org>
	Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer	Karolin Seeger <kseeger@samba.org>
	Mon, 9 Dec 2013 06:05:45 +0000 (07:05 +0100)