Now we're allowing a lower bound for auth_len, ensure we

author Jeremy Allison <jra@samba.org>

Fri, 6 Mar 2009 04:59:48 +0000 (20:59 -0800)

committer Jeremy Allison <jra@samba.org>

Fri, 6 Mar 2009 04:59:48 +0000 (20:59 -0800)
author Jeremy Allison <jra@samba.org>
Fri, 6 Mar 2009 04:59:48 +0000 (20:59 -0800)
committer Jeremy Allison <jra@samba.org>
Fri, 6 Mar 2009 04:59:48 +0000 (20:59 -0800)
diff --git a/source/rpc_server/srv_pipe.c b/source/rpc_server/srv_pipe.c

index d491bc22450ab4990c6d1c1deb8a3a4c1d913985..868f4d0358560d771ec5c07228808245c2349475 100644 (file)
--- a/source/rpc_server/srv_pipe.c
+++ b/source/rpc_server/srv_pipe.c
@@ -2062,7 +2062,11 @@ BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
  
         auth_len = p->hdr.auth_len;
  
-       if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+       if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
+                       auth_len < RPC_HEADER_LEN +
+                                       RPC_HDR_REQ_LEN +
+                                       RPC_HDR_AUTH_LEN +
+                                       auth_len) {
                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
                 return False;
         }
author	Jeremy Allison <jra@samba.org>
	Fri, 6 Mar 2009 04:59:48 +0000 (20:59 -0800)
committer	Jeremy Allison <jra@samba.org>
	Fri, 6 Mar 2009 04:59:48 +0000 (20:59 -0800)