CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 4e5fd71e890369d0c855a6f8e38e8f550def8ba2..57dcddc66d80238bde05e17fb1ee59962695bae0 100644 (file)
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -281,6 +281,10 @@ static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
        }
 
        state->frag_len = dcerpc_get_frag_length(pdu);
+       if (state->frag_len < RPC_HEADER_LEN) {
+               tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+               return tevent_req_post(req, ev);
+       }
 
        /*
         * Ensure we have frag_len bytes of data.
@@ -329,6 +333,10 @@ static void get_complete_frag_got_header(struct tevent_req *subreq)
        }
 
        state->frag_len = dcerpc_get_frag_length(state->pdu);
+       if (state->frag_len < RPC_HEADER_LEN) {
+               tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+               return;
+       }
 
        if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
                tevent_req_nterror(req, NT_STATUS_NO_MEMORY);