s4-rpc: paranoid check for auth_length

This is not strictly needed as the ndr_pull_advance() checks it a few
lines further down, but I want to save Jeremy getting more grey hairs :-)

diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index aafa283fc61736aff4e4f078562ef26d636c8dce..9dabb54ca5046c15dc604b9bb48583262e22af11 100644 (file)
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -781,6 +781,17 @@ NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
        uint32_t pad;
 
        pad = pkt_auth_blob->length - (DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length);
+
+       /* paranoia check for pad size. This would be caught anyway by
+          the ndr_pull_advance() a few lines down, but it scared
+          Jeremy enough for him to call me, so we might as well check
+          it now, just to prevent someone posting a bogus YouTube
+          video in the future.
+       */
+       if (pad > pkt_auth_blob->length) {
+               return NT_STATUS_INFO_LENGTH_MISMATCH;
+       }
+
        *auth_length = pkt_auth_blob->length - pad;
 
        ndr = ndr_pull_init_blob(pkt_auth_blob, mem_ctx, NULL);