From 821a49b7d05e87fdb12a1e6f9b020e41476ba41a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Oct 2013 14:17:49 +0200
Subject: CVE-2013-4408:libcli/util: add some size verification to
 tstream_read_pdu_blob_done()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
 libcli/util/tstream.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libcli/util')

diff --git a/libcli/util/tstream.c b/libcli/util/tstream.c
index 12cef9b6ddd..dd830e2aa44 100644
--- a/libcli/util/tstream.c
+++ b/libcli/util/tstream.c
@@ -129,6 +129,11 @@ static void tstream_read_pdu_blob_done(struct tevent_req *subreq)
 		return;
 	}
 
+	if (new_buf_size <= old_buf_size) {
+		tevent_req_nterror(req, NT_STATUS_INVALID_BUFFER_SIZE);
+		return;
+	}
+
 	buf = talloc_realloc(state, state->pdu_blob.data, uint8_t, new_buf_size);
 	if (tevent_req_nomem(buf, req)) {
 		return;
-- 
cgit