From ecdac51e85ccc3503b9f732838475bf97092c6ba Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 25 Sep 2013 23:25:12 +0200
Subject: [PATCH] CVE-2013-4408:s3:rpc_client: check for invalid frag_len in
 dcerpc_pull_ncacn_packet()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
 source3/librpc/rpc/dcerpc_helpers.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index 28222f4820e..2400bfd5669 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -124,6 +124,10 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
 		NDR_PRINT_DEBUG(ncacn_packet, r);
 	}
 
+	if (r->frag_length != blob->length) {
+		return NT_STATUS_RPC_PROTOCOL_ERROR;
+	}
+
 	return NT_STATUS_OK;
 }
 
-- 
2.34.1