summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2013-09-24 05:03:40 +0200
committerKarolin Seeger <kseeger@samba.org>2013-12-09 07:05:45 +0100
commitdfd4fc1591f17998bf7b6a867900ed6f1b35ca7c (patch)
tree4c4fc4efb2c68ecdafd592d3872265bac4c37092
parent2fb570abec6d07cee61332cf518703060514d3a0 (diff)
downloadsamba-dfd4fc1591f17998bf7b6a867900ed6f1b35ca7c.tar.gz
samba-dfd4fc1591f17998bf7b6a867900ed6f1b35ca7c.tar.xz
samba-dfd4fc1591f17998bf7b6a867900ed6f1b35ca7c.zip
CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_next_vector()
We should do this explicit instead of relying on tstream_readv_pdu_ask_for_next_vector() to catch the overflow. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r--librpc/rpc/dcerpc_util.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index c963da84ce3..4046f327e2f 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -223,6 +223,15 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
ofs = state->buffer.length;
+ if (frag_len < ofs) {
+ /*
+ * something is wrong, let the caller deal with it
+ */
+ *_vector = NULL;
+ *_count = 0;
+ return 0;
+ }
+
state->buffer.data = talloc_realloc(state,
state->buffer.data,
uint8_t, frag_len);