diff options
author | Jeremy Allison <jra@samba.org> | 2013-11-07 20:38:01 -0800 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-12-09 07:05:46 +0100 |
commit | b0ba4a562112fc707f540e1ff7c8e55ea02479c9 (patch) | |
tree | 9c6e8f33f681e88367f0b822b8c9845cb4d1da38 /source3/rpcclient/cmd_lsarpc.c | |
parent | a516ae6868386aa23f2beb52a576b0cf68042b1d (diff) | |
download | samba-b0ba4a562112fc707f540e1ff7c8e55ea02479c9.tar.gz samba-b0ba4a562112fc707f540e1ff7c8e55ea02479c9.tar.xz samba-b0ba4a562112fc707f540e1ff7c8e55ea02479c9.zip |
CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/rpcclient/cmd_lsarpc.c')
-rw-r--r-- | source3/rpcclient/cmd_lsarpc.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c index 503e0fba76..0fb371990c 100644 --- a/source3/rpcclient/cmd_lsarpc.c +++ b/source3/rpcclient/cmd_lsarpc.c @@ -457,7 +457,7 @@ static NTSTATUS cmd_lsa_lookup_sids3(struct rpc_pipe_client *cli, NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result; int i; struct lsa_SidArray sids; - struct lsa_RefDomainList *domains; + struct lsa_RefDomainList *domains = NULL; struct lsa_TransNameArray2 names; uint32_t count = 0; struct dcerpc_binding_handle *b = cli->binding_handle; @@ -513,9 +513,12 @@ static NTSTATUS cmd_lsa_lookup_sids3(struct rpc_pipe_client *cli, /* Print results */ - for (i = 0; i < count; i++) { + for (i = 0; i < names.count; i++) { fstring sid_str; + if (i >= sids.num_sids) { + break; + } sid_to_fstring(sid_str, sids.sids[i].sid); printf("%s %s (%d)\n", sid_str, names.names[i].name.string, |