CVE-2013-4408:s3:rpc_client: check for invalid frag_len in dcerpc_pull_ncacn_packet()

author Stefan Metzmacher <metze@samba.org>

Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)

committer Karolin Seeger <kseeger@samba.org>

Thu, 5 Dec 2013 09:54:15 +0000 (10:54 +0100)
author Stefan Metzmacher <metze@samba.org>
Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer Karolin Seeger <kseeger@samba.org>
Thu, 5 Dec 2013 09:54:15 +0000 (10:54 +0100)
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c

index d36c2da3838fa931498c3aa3b00af58c5f099da0..a55e419fc136c06045fc95abe79c5c81e02d971c 100644 (file)
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -127,6 +127,10 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
                 NDR_PRINT_DEBUG(ncacn_packet, r);
         }
  
+       if (r->frag_length != blob->length) {
+               return NT_STATUS_RPC_PROTOCOL_ERROR;
+       }
+
         return NT_STATUS_OK;
  }
author	Stefan Metzmacher <metze@samba.org>
	Wed, 25 Sep 2013 21:25:12 +0000 (23:25 +0200)
committer	Karolin Seeger <kseeger@samba.org>
	Thu, 5 Dec 2013 09:54:15 +0000 (10:54 +0100)