Now we're allowing a lower bound for auth_len, ensure we

author Jeremy Allison <jra@samba.org>

Fri, 6 Mar 2009 05:04:52 +0000 (21:04 -0800)

committer Jeremy Allison <jra@samba.org>

Fri, 6 Mar 2009 05:04:52 +0000 (21:04 -0800)
author Jeremy Allison <jra@samba.org>
Fri, 6 Mar 2009 05:04:52 +0000 (21:04 -0800)
committer Jeremy Allison <jra@samba.org>
Fri, 6 Mar 2009 05:04:52 +0000 (21:04 -0800)
diff --git a/source/rpc_server/srv_pipe.c b/source/rpc_server/srv_pipe.c

index dbee76044ea48c5d5115544fe449dccdd9644327..b5766cd3ed2f8057a365ea54d02ba5b06d094550 100644 (file)
--- a/source/rpc_server/srv_pipe.c
+++ b/source/rpc_server/srv_pipe.c
@@ -2150,7 +2150,11 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
  
         auth_len = p->hdr.auth_len;
  
-       if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+       if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
+                       auth_len < RPC_HEADER_LEN +
+                                       RPC_HDR_REQ_LEN +
+                                       RPC_HDR_AUTH_LEN +
+                                       auth_len) {
                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
                 return False;
         }
author	Jeremy Allison <jra@samba.org>
	Fri, 6 Mar 2009 05:04:52 +0000 (21:04 -0800)
committer	Jeremy Allison <jra@samba.org>
	Fri, 6 Mar 2009 05:04:52 +0000 (21:04 -0800)