CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trai...
author Stefan Metzmacher <metze@samba.org>
Sat, 27 Jun 2015 23:19:57 +0000 (01:19 +0200)
committer Stefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:31 +0000 (19:25 +0200)
All callers should have already checked that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
librpc/rpc/dcerpc_util.c

index 2f81447964fbc2b5462745c5bc1e80956775f885..43e1b7f426fa0d4543f85aab21044eeb169af880 100644 (file)
@@ -101,6 +101,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
                *_auth_length = 0;
        }
 
+       /* Paranoia checks for auth_length. The caller should check this... */
+       if (pkt->auth_length == 0) {
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
        /* Paranoia checks for auth_length. The caller should check this... */
        if (pkt->auth_length > pkt->frag_length) {
                return NT_STATUS_INTERNAL_ERROR;
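Review bot: the comment above the new `pkt->auth_length == 0` check is a verbatim copy of the one above the `pkt->auth_length > pkt->frag_length` check directly below it, so it does not say why zero is rejected. Either fold both conditions under the single existing comment, or reword the new one to say that a zero auth_length means there is no auth trailer to pull and that callers must not call this function in that case. The commit message relies on all callers having already checked this, so the precondition should also be stated in the documentation of dcerpc_pull_auth_trailer(), because a caller that misses it now gets NT_STATUS_INTERNAL_ERROR.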