CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length...
authorStefan Metzmacher <metze@samba.org>
Mon, 29 Jun 2015 08:24:45 +0000 (10:24 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:28 +0000 (19:25 +0200)
All other paranoia checks are done within dcerpc_pull_auth_trailer()
now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/librpc/rpc/dcerpc_helpers.c

index 1193baa798398e0c4f031882fd7cfc2b635b07ba..96074a4705c9b13ca7cbb76b193fb3ec955c2ede 100644 (file)
@@ -533,16 +533,8 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
-       /* Paranioa checks for auth_length. */
-       if (pkt->auth_length > pkt->frag_length) {
-               return NT_STATUS_INFO_LENGTH_MISMATCH;
-       }
-       if (((unsigned int)pkt->auth_length
-            + DCERPC_AUTH_TRAILER_LENGTH < (unsigned int)pkt->auth_length) ||
-           ((unsigned int)pkt->auth_length
-            + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
-               /* Integer wrap attempt. */
-               return NT_STATUS_INFO_LENGTH_MISMATCH;
+       if (pkt->auth_length == 0) {
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
        status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer,
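Review bot: The new `if (pkt->auth_length == 0)` guard has no comment, and with the old "Paranioa checks" block gone nothing at this call site says where `auth_length` is now bounded against `frag_length` or protected from integer wrap. Only the commit message records that `dcerpc_pull_auth_trailer()` does this, and that function is not visible in the hunk, so the safety of the call rests on a contract a later refactor could break without noticing. I would add above the guard something like `/* A trailer is required here; auth_length bounds and wrap checks live in dcerpc_pull_auth_trailer(). */`. A malformed length presumably now surfaces with whatever status the callee returns rather than `NT_STATUS_INFO_LENGTH_MISMATCH`, so it is worth confirming that no caller branches on that specific code. The body of `dcerpc_check_auth()` starts before the hunk and continues past it; the call on the last line is cut mid-statement.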