CVE-2013-4408:s4:dcerpc: check for invalid frag_len in ncacn_pull()

author Stefan Metzmacher <metze@samba.org>

Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)

committer Karolin Seeger <kseeger@samba.org>

Thu, 5 Dec 2013 10:11:51 +0000 (11:11 +0100)
author Stefan Metzmacher <metze@samba.org>
Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer Karolin Seeger <kseeger@samba.org>
Thu, 5 Dec 2013 10:11:51 +0000 (11:11 +0100)
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c

index cc7286686675c61fa7241cfbcf5c5094479edc81..742d710a8225473c15923a6c815cd24be818c532 100644 (file)
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -658,6 +658,10 @@ static NTSTATUS ncacn_pull(struct dcecli_connection *c, DATA_BLOB *blob, TALLOC_
                 return ndr_map_error2ntstatus(ndr_err);
         }
  
+       if (pkt->frag_length != blob->length) {
+               return NT_STATUS_RPC_PROTOCOL_ERROR;
+       }
+
         return NT_STATUS_OK;
  }
author	Stefan Metzmacher <metze@samba.org>
	Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer	Karolin Seeger <kseeger@samba.org>
	Thu, 5 Dec 2013 10:11:51 +0000 (11:11 +0100)