s3-dcerpc: Add the same paranoia checks we have in the client code
authorSimo Sorce <idra@samba.org>
Mon, 19 Jul 2010 23:42:12 +0000 (19:42 -0400)
committerSimo Sorce <idra@samba.org>
Wed, 28 Jul 2010 16:17:18 +0000 (12:17 -0400)
source3/rpc_server/srv_pipe.c

index 3b015f9e0faa7d9d0f517f059feec11c8b3fc41e..8bb7a231d5f5fca360344fddb8732b629d1ef339 100644 (file)
@@ -1765,6 +1765,18 @@ static NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       /* Paranioa checks for auth_length. */
+       if (pkt->auth_length > pkt->frag_length) {
+               return NT_STATUS_INFO_LENGTH_MISMATCH;
+       }
+       if ((pkt->auth_length
+            + DCERPC_AUTH_TRAILER_LENGTH < pkt->auth_length) ||
+           (pkt->auth_length
+            + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
+               /* Integer wrap attempt. */
+               return NT_STATUS_INFO_LENGTH_MISMATCH;
+       }
+
        status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer,
                                          &auth_info, &auth_length, false);
        if (!NT_STATUS_IS_OK(status)) {
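Review bot: The wrap test on `pkt->auth_length + DCERPC_AUTH_TRAILER_LENGTH` probably never fires. If `auth_length` is a 16-bit field (its declaration is not in this hunk), the sum is computed in `int` after integer promotion and cannot wrap. The first check also lets through a packet whose `auth_length` fits inside `frag_length` but whose auth data plus trailer does not. A single bound covers both cases: `if ((size_t)pkt->auth_length + DCERPC_AUTH_TRAILER_LENGTH > pkt->frag_length) { return NT_STATUS_INFO_LENGTH_MISMATCH; }`. `dcerpc_pull_auth_trailer()` may already bound the length against `pkt_trailer`, but its body and the rest of `dcerpc_check_auth()` are outside the hunk, so confirm that there. The new comment also has a typo: `/* Paranoia checks for auth_length. */`.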