CVE-2013-4408:s4:dcerpc_smb2: check for invalid frag_len in send_read_request_continue()

author Stefan Metzmacher <metze@samba.org>

Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)

committer Karolin Seeger <kseeger@samba.org>

Thu, 5 Dec 2013 10:11:51 +0000 (11:11 +0100)
author Stefan Metzmacher <metze@samba.org>
Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer Karolin Seeger <kseeger@samba.org>
Thu, 5 Dec 2013 10:11:51 +0000 (11:11 +0100)
diff --git a/source4/librpc/rpc/dcerpc_smb2.c b/source4/librpc/rpc/dcerpc_smb2.c

index 50aed8cfd871ceb7f05a318ad091702f604f7cbc..4539ead4da789beea159d551fe9418c7f8a535ed 100644 (file)
--- a/source4/librpc/rpc/dcerpc_smb2.c
+++ b/source4/librpc/rpc/dcerpc_smb2.c
@@ -170,6 +170,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO
  
         if (state->data.length >= 16) {
                 uint16_t frag_length = dcerpc_get_frag_length(&state->data);
+
+               if (frag_length < state->data.length) {
+                       talloc_free(state);
+                       return NT_STATUS_RPC_PROTOCOL_ERROR;
+               }
+
                 io.in.length = frag_length - state->data.length;
         } else {
                 io.in.length = 0x2000;
author	Stefan Metzmacher <metze@samba.org>
	Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer	Karolin Seeger <kseeger@samba.org>
	Thu, 5 Dec 2013 10:11:51 +0000 (11:11 +0100)