r10873: check the complete payload header

metze

1 files changed, 11 insertions, 3 deletions

diff --git a/source/librpc/ndr/ndr_compression.c b/source/librpc/ndr/ndr_compression.c
index fc16faca80d..fb04a1799a4 100644
--- a/source/librpc/ndr/ndr_compression.c
+++ b/source/librpc/ndr/ndr_compression.c
@@ -116,14 +116,22 @@ static NTSTATUS ndr_pull_compression_mszip(struct ndr_pull *subndr,
 	NDR_CHECK(ndr_pull_uint32(comndr, NDR_SCALARS, &payload_header[2]));
 	NDR_CHECK(ndr_pull_uint32(comndr, NDR_SCALARS, &payload_header[3]));
 
-	payload_size = payload_header[2];
-
-	/* TODO: check the first 4 bytes of the header */
+	if (payload_header[0] != 0x00081001) {
+		return ndr_pull_error(subndr, NDR_ERR_COMPRESSION, "Bad MSZIP payload_header[0] [0x%08X] != [0x00081001] (PULL)",
+				      payload_header[0]);
+	}
 	if (payload_header[1] != 0xCCCCCCCC) {
 		return ndr_pull_error(subndr, NDR_ERR_COMPRESSION, "Bad MSZIP payload_header[1] [0x%08X] != [0xCCCCCCCC] (PULL)",
 				      payload_header[1]);
 	}
 
+	payload_size = payload_header[2];
+
+	if (payload_header[3] != 0x00000000) {
+		return ndr_pull_error(subndr, NDR_ERR_COMPRESSION, "Bad MSZIP payload_header[3] [0x%08X] != [0x00000000] (PULL)",
+				      payload_header[3]);
+	}
+
 	payload_offset = comndr->offset;
 	NDR_CHECK(ndr_pull_advance(comndr, payload_size));
 	payload = comndr->data + payload_offset;