diff options
| author | Stefan Metzmacher <metze@samba.org> | 2013-10-16 14:17:49 +0200 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2013-12-09 07:05:46 +0100 |
| commit | 821a49b7d05e87fdb12a1e6f9b020e41476ba41a (patch) | |
| tree | 8cf992688b4c5aebcae2222a412cf6e81104466b /libcli/util | |
| parent | 6e293891ca8048424e7a95a43b62035733c716c2 (diff) | |
| download | samba-821a49b7d05e87fdb12a1e6f9b020e41476ba41a.tar.gz samba-821a49b7d05e87fdb12a1e6f9b020e41476ba41a.tar.xz samba-821a49b7d05e87fdb12a1e6f9b020e41476ba41a.zip | |
CVE-2013-4408:libcli/util: add some size verification to tstream_read_pdu_blob_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'libcli/util')
| -rw-r--r-- | libcli/util/tstream.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libcli/util/tstream.c b/libcli/util/tstream.c index 12cef9b6ddd..dd830e2aa44 100644 --- a/libcli/util/tstream.c +++ b/libcli/util/tstream.c @@ -129,6 +129,11 @@ static void tstream_read_pdu_blob_done(struct tevent_req *subreq) return; } + if (new_buf_size <= old_buf_size) { + tevent_req_nterror(req, NT_STATUS_INVALID_BUFFER_SIZE); + return; + } + buf = talloc_realloc(state, state->pdu_blob.data, uint8_t, new_buf_size); if (tevent_req_nomem(buf, req)) { return; |