CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked.
[mat/samba.git] / source3 / lib / netapi / user.c
index 72d4a8bdc396baaf3d75745def394ed9636c98bf..4a39f6976d0870198ff00759a542ef5122daf949 100644 (file)
@@ -3114,6 +3114,14 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
                werr = ntstatus_to_werror(result);
                goto done;
        }
+       if (names.count != rid_array->count) {
+               werr = WERR_BAD_NET_RESP;
+               goto done;
+       }
+       if (types.count != rid_array->count) {
+               werr = WERR_BAD_NET_RESP;
+               goto done;
+       }
 
        for (i=0; i < names.count; i++) {
                status = add_GROUP_USERS_INFO_X_buffer(ctx,
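Review bot: The two added guards before the `for` loop carry no comment explaining that `names.count` and `types.count` come from the remote LookupRids reply (per the commit title) and must match the number of RIDs requested, presumably because the loop below walks the arrays in parallel by index. I would state that invariant once and fold the duplicated branches into one: `/* Reply counts come from the peer; reject unless both arrays match the RIDs we asked for. */` followed by `if (names.count != rid_array->count || types.count != rid_array->count) {`. The same applies to the second hunk in NetUserGetLocalGroups_r, with `num_rids` in place of `rid_array->count`. Bounding the loops on the locally derived count rather than on `names.count` would also make the trusted bound explicit, for example `for (i=0; i < rid_array->count; i++) {`. Both loop bodies continue outside the hunks, so which arrays they actually index cannot be confirmed from here.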
@@ -3716,6 +3724,14 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
                werr = ntstatus_to_werror(result);
                goto done;
        }
+       if (names.count != num_rids) {
+               werr = WERR_BAD_NET_RESP;
+               goto done;
+       }
+       if (types.count != num_rids) {
+               werr = WERR_BAD_NET_RESP;
+               goto done;
+       }
 
        for (i=0; i < names.count; i++) {
                status = add_LOCALGROUP_USERS_INFO_X_buffer(ctx,