CVE-2015-5370: s3:rpc_server: verify presentation context arrays
authorStefan Metzmacher <metze@samba.org>
Tue, 7 Jul 2015 14:06:59 +0000 (16:06 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:14 +0000 (04:10 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/rpc_server/srv_pipe.c

index 3b746cf515b76d7535d2b5821faca3bb985b85c6..a1304d3753b68a1fe2e8c8dbcb55f7f024c6ba80 100644 (file)
@@ -646,7 +646,12 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
        p->allow_bind = false;
 
        if (pkt->u.bind.num_contexts == 0) {
-               DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
+               DEBUG(1, ("api_pipe_bind_req: no rpc contexts around\n"));
+               goto err_exit;
+       }
+
+       if (pkt->u.bind.ctx_list[0].num_transfer_syntaxes == 0) {
+               DEBUG(1, ("api_pipe_bind_req: no transfer syntaxes around\n"));
                goto err_exit;
        }
 
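Review bot: Only `ctx_list[0].num_transfer_syntaxes` is verified by the check added in api_pipe_bind_req, so any further entries up to `num_contexts` stay unvalidated at this point; the same holds for the matching check in the api_pipe_alter_context hunk. If the code after the hunk only ever consumes the first presentation context (not visible here), a comment would make that contract explicit, e.g. `/* only ctx_list[0] is processed below; it must carry at least one transfer syntax */`. If later code does walk the remaining contexts, the check belongs in a loop over `num_contexts` instead. The function body starts and ends outside the hunk.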
@@ -988,6 +993,16 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
                goto err_exit;
        }
 
+       if (pkt->u.alter.num_contexts == 0) {
+               DEBUG(1, ("api_pipe_alter_context: no rpc contexts around\n"));
+               goto err_exit;
+       }
+
+       if (pkt->u.alter.ctx_list[0].num_transfer_syntaxes == 0) {
+               DEBUG(1, ("api_pipe_alter_context: no transfer syntaxes around\n"));
+               goto err_exit;
+       }
+
        if (pkt->u.alter.assoc_group_id != 0) {
                assoc_gid = pkt->u.alter.assoc_group_id;
        } else {
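Review bot: The two guards added to api_pipe_alter_context repeat the bind-request checks line for line, differing only in the union member and the function name inside the message. A small static helper that takes the context count and list and is called from both paths would keep the two validations from drifting apart when one side is tightened later, and using `__func__` in the DEBUG text would keep the message accurate. This assumes the bind and alter members share a context-list type, which the hunk does not show. The function body continues outside the hunk.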