CVE-2013-4408:s3:rpc_client: check for invalid frag_len in dcerpc_pull_ncacn_packet()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index 469e3086c7734029c334d2e59b89e972fc40c11a..24f2f52f79241a94f5d7044f06c681089b8578ca 100644 (file)
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -129,6 +129,10 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
                NDR_PRINT_DEBUG(ncacn_packet, r);
        }
 
+       if (r->frag_length != blob->length) {
+               return NT_STATUS_RPC_PROTOCOL_ERROR;
+       }
+
        return NT_STATUS_OK;
 }