r10873: check the complete payload header

metze
(This used to be commit 27f8d82231f2978ff15719e4b23912ae7f910638)

diff --git a/source4/librpc/ndr/ndr_compression.c b/source4/librpc/ndr/ndr_compression.c
index fc16faca80dee622b277fbadf5032c2cef9dde20..fb04a1799a4fa424ae28f3d12a719d75be450cc7 100644 (file)
--- a/source4/librpc/ndr/ndr_compression.c
+++ b/source4/librpc/ndr/ndr_compression.c
@@ -116,14 +116,22 @@ static NTSTATUS ndr_pull_compression_mszip(struct ndr_pull *subndr,
        NDR_CHECK(ndr_pull_uint32(comndr, NDR_SCALARS, &payload_header[2]));
        NDR_CHECK(ndr_pull_uint32(comndr, NDR_SCALARS, &payload_header[3]));
 
-       payload_size = payload_header[2];
-
-       /* TODO: check the first 4 bytes of the header */
+       if (payload_header[0] != 0x00081001) {
+               return ndr_pull_error(subndr, NDR_ERR_COMPRESSION, "Bad MSZIP payload_header[0] [0x%08X] != [0x00081001] (PULL)",
+                                     payload_header[0]);
+       }
        if (payload_header[1] != 0xCCCCCCCC) {
                return ndr_pull_error(subndr, NDR_ERR_COMPRESSION, "Bad MSZIP payload_header[1] [0x%08X] != [0xCCCCCCCC] (PULL)",
                                      payload_header[1]);
        }
 
+       payload_size = payload_header[2];
+
+       if (payload_header[3] != 0x00000000) {
+               return ndr_pull_error(subndr, NDR_ERR_COMPRESSION, "Bad MSZIP payload_header[3] [0x%08X] != [0x00000000] (PULL)",
+                                     payload_header[3]);
+       }
+
        payload_offset = comndr->offset;
        NDR_CHECK(ndr_pull_advance(comndr, payload_size));
        payload = comndr->data + payload_offset;