CVE-2013-4408:s4:dcerpc_sock: check for invalid frag_len within sock_complete_packet()
authorStefan Metzmacher <metze@samba.org>
Tue, 24 Sep 2013 03:03:40 +0000 (05:03 +0200)
committerKarolin Seeger <kseeger@samba.org>
Thu, 5 Dec 2013 10:11:52 +0000 (11:11 +0100)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source4/librpc/rpc/dcerpc_sock.c

index f0451ac6745bb57c222b6ca2e321bfb5e02c8201..9a596da47da628d7e98abf094ef1cf2b35d64290 100644 (file)
@@ -102,6 +102,12 @@ static NTSTATUS sock_complete_packet(void *private_data, DATA_BLOB blob, size_t
                return STATUS_MORE_ENTRIES;
        }
        *size = dcerpc_get_frag_length(&blob);
+       if (*size < blob.length) {
+               /*
+                * something is wrong, let the caller deal with it
+                */
+               *size = blob.length;
+       }
        if (*size > blob.length) {
                return STATUS_MORE_ENTRIES;
        }
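Review bot: The new branch at `*size = blob.length;` does not reject a fragment whose frag_len is smaller than the bytes already buffered. It only reports the whole blob as one packet, so the fix is safe only if the code consuming that packet re-checks the header's frag_len against the length it actually received, and that consumer is not visible in this hunk. The comment `something is wrong, let the caller deal with it` should name that dependency, for example `/* frag_len < bytes buffered: malformed header; hand the whole blob up so the receive path can reject it */`. The same branch also appears to cover a frag_len below the fixed header size, which is worth stating because it is the case a later parser is most likely to mishandle. sock_complete_packet starts and ends outside the hunk, so what it returns after the second comparison is inferred, not shown.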