From dfd4fc1591f17998bf7b6a867900ed6f1b35ca7c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 24 Sep 2013 05:03:40 +0200
Subject: CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_next_vector()

We should do this explicit instead of relying on tstream_readv_pdu_ask_for_next_vector() to catch the overflow.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 librpc/rpc/dcerpc_util.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index c963da84ce..4046f327e2 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -223,6 +223,15 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
 	ofs = state->buffer.length;
+	if (frag_len < ofs) {
+		/*
+		 * something is wrong, let the caller deal with it
+		 */
+		*_vector = NULL;
+		*_count = 0;
+		return 0;
+	}
+
 	state->buffer.data = talloc_realloc(state, state->buffer.data, uint8_t, frag_len);
-- 
cgit
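Review bot: The new guard reports a complete PDU on a bad header (`*_vector = NULL; *_count = 0; return 0;`) instead of failing the read, so a frag_len smaller than the bytes already buffered is only rejected if the caller compares the returned buffer against the header's fragment length; the comment inside the guard should name that reliance rather than just "something is wrong". Suggested wording: `/* frag_len is smaller than the header we already read: hand the buffer back unchanged and rely on the caller's length validation to reject the packet */`. If no such caller check exists, `errno = EINVAL; return -1;` here would surface the malformed header as an explicit read error instead of a silently short PDU. dcerpc_read_ncacn_packet_next_vector starts and continues outside the hunk, so where frag_len and ofs are derived is not visible here.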