CVE-2013-4408:libcli/util: add some size verification to tstream_read_pdu_blob_done()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

1 files changed, 5 insertions, 0 deletions

diff --git a/libcli/util/tstream.c b/libcli/util/tstream.c
index 12cef9b6dd..dd830e2aa4 100644
--- a/libcli/util/tstream.c
+++ b/libcli/util/tstream.c
@@ -129,6 +129,11 @@ static void tstream_read_pdu_blob_done(struct tevent_req *subreq)
 		return;
 	}
 
+	if (new_buf_size <= old_buf_size) {
+		tevent_req_nterror(req, NT_STATUS_INVALID_BUFFER_SIZE);
+		return;
+	}
+
 	buf = talloc_realloc(state, state->pdu_blob.data, uint8_t, new_buf_size);
 	if (tevent_req_nomem(buf, req)) {
 		return;