CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_next...
author Stefan Metzmacher <metze@samba.org>
Tue, 24 Sep 2013 03:03:40 +0000 (05:03 +0200)
committer Karolin Seeger <kseeger@samba.org>
Mon, 9 Dec 2013 06:05:45 +0000 (07:05 +0100)
We should do this explicitly instead of relying on
tstream_readv_pdu_ask_for_next_vector() to catch the overflow.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
librpc/rpc/dcerpc_util.c

index c963da84ce38d265e199fec143e466fe7ca82c1d..4046f327e2f624fed4242999732d75dc325ef34b 100644 (file)
@@ -223,6 +223,15 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
 
                ofs = state->buffer.length;
 
+               if (frag_len < ofs) {
+                       /*
+                        * something is wrong, let the caller deal with it
+                        */
+                       *_vector = NULL;
+                       *_count = 0;
+                       return 0;
+               }
+
                state->buffer.data = talloc_realloc(state,
                                                    state->buffer.data,
                                                    uint8_t, frag_len);
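Review bot: the comment on the new check ("something is wrong") is too vague for a security fix; state the actual condition, namely that the fragment length announced in the header is smaller than the bytes already accumulated (`frag_len < ofs`), so the `talloc_realloc(state, state->buffer.data, uint8_t, frag_len)` that follows would shrink the buffer below data already received and the next-vector length derived from `frag_len` and `ofs` would wrap, which is the overflow the commit message refers to. Returning an empty vector (`*_vector = NULL; *_count = 0; return 0;`) hands the malformed PDU back to the caller, consistent with "let the caller deal with it", but that is only safe if the completion path then rejects a buffer whose length does not match `frag_len`; naming that check in the comment would make the contract between this function and its caller explicit for the next reader.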