[Pkg-samba-maint] [samba] 05/26: CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size

[Ivo De Decker]

This is an automated email from the git hooks/post-receive script.

idd-guest pushed a commit to branch samba_4.1
in repository samba.

commit f557bfe1b9af84bb74936d6794fb4e8a0ef08ebd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 25 23:25:12 2013 +0200

    CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
---
 source3/rpc_client/cli_pipe.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 2e978ef..fd854c4 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -284,6 +284,10 @@ static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
 	}
 
 	state->frag_len = dcerpc_get_frag_length(pdu);
+	if (state->frag_len < RPC_HEADER_LEN) {
+		tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+		return tevent_req_post(req, ev);
+	}
 
 	/*
 	 * Ensure we have frag_len bytes of data.
@@ -332,6 +336,10 @@ static void get_complete_frag_got_header(struct tevent_req *subreq)
 	}
 
 	state->frag_len = dcerpc_get_frag_length(state->pdu);
+	if (state->frag_len < RPC_HEADER_LEN) {
+		tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+		return;
+	}
 
 	if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
 		tevent_req_nterror(req, NT_STATUS_NO_MEMORY);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git