From 8b7c862babeb2bccfe5041495706f2aac6f73f6f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 25 Sep 2013 23:25:12 +0200
Subject: [PATCH] CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 source3/rpc_client/cli_pipe.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 13423540ecf..0769d6dbe6b 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -281,6 +281,10 @@ static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
 }
 state->frag_len = dcerpc_get_frag_length(pdu);
+ if (state->frag_len < RPC_HEADER_LEN) {
+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+ return tevent_req_post(req, ev);
+ }
 /*
 * Ensure we have frag_len bytes of data.
@@ -329,6 +333,10 @@ static void get_complete_frag_got_header(struct tevent_req *subreq)
 }
 state->frag_len = dcerpc_get_frag_length(state->pdu);
+ if (state->frag_len < RPC_HEADER_LEN) {
+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+ return;
+ }
 if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
--
2.34.1
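Review bot: Both new rejection paths fail silently and carry no comment on why a short frag_len is fatal; this applies right after `dcerpc_get_frag_length()` in get_complete_frag_send (hunk @@ -281) and in get_complete_frag_got_header (hunk @@ -329). The value is read out of the received PDU, so a frag_len below RPC_HEADER_LEN points to a malformed or hostile peer, yet the caller only sees a generic NT_STATUS_RPC_PROTOCOL_ERROR. A log line before `tevent_req_nterror()`, for example `DEBUG(1, ("get_complete_frag: frag_len %u below RPC header size\n", (unsigned)state->frag_len));`, would let operators spot such responses. A one-line comment such as `/* frag_len is peer-supplied; it must at least cover the RPC header */` would record the intent, and the identical four-line check could move into one small static helper so the two sites cannot drift apart. Both function bodies start and end outside the hunks shown, so how the existing error paths log cannot be checked from here.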