CVE-2015-5370: s4:rpc_server: check frag_length for requests
author Stefan Metzmacher <metze@samba.org>
Wed, 15 Jul 2015 15:21:05 +0000 (17:21 +0200)
committer Stefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:30 +0000 (19:25 +0200)
Note this is not the negotiated fragment size, but a hardcoded maximum.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/dcerpc_server.c

index 87aae45ad1a39134a321ac4874abb700b095bb2f..80d4ee8312bbe2e45b295b8735363591cd1a67d4 100644 (file)
@@ -1483,6 +1483,21 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
                                        DCERPC_NCA_S_PROTO_ERROR);
                }
 
+               if (call->pkt.frag_length > DCERPC_FRAG_MAX_SIZE) {
+                       /*
+                        * We don't use dcesrv_fault_disconnect()
+                        * here, because we don't want to set
+                        * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
+                        *
+                        * Note that we don't check against the negotiated
+                        * max_recv_frag, but a hard coded value.
+                        */
+                       dcesrv_call_disconnect_after(call,
+                               "dcesrv_auth_request - frag_length too large");
+                       return dcesrv_fault(call,
+                                       DCERPC_NCA_S_PROTO_ERROR);
+               }
+
                if (!dcesrv_auth_request(call, &blob)) {
                        /*
                         * We don't use dcesrv_fault_disconnect()
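Review bot: The disconnect reason string on the added line `"dcesrv_auth_request - frag_length too large"` names a function that has not been called yet; per the hunk header the check lives in dcesrv_process_ncacn_packet, and dcesrv_auth_request is only reached on the following line, so anyone correlating this reason in logs will look in the wrong place. Unless the prefix is intentionally shared with the existing dcesrv_auth_request failure block below (whose reason string is outside the hunk), I would change it to `"dcesrv_process_ncacn_packet - frag_length too large"`. It would also help a reader to say in the new comment that this bounds only the header-declared length against the hard-coded DCERPC_FRAG_MAX_SIZE, and that agreement between frag_length and the bytes actually received is presumably enforced elsewhere — worth confirming, since a mismatch is what a malformed request would exploit. dcesrv_process_ncacn_packet starts and ends outside the hunk.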