diff options
author | Stefan Metzmacher <metze@samba.org> | 2013-09-25 23:25:12 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-12-05 10:18:09 +0100 |
commit | db102cdd7d94bde35673b751d0a80e5baf560305 (patch) | |
tree | b2b468879d78ca3c360ffb6648544bfd7df343bc /source4 | |
parent | e5954aabebc3313443da1d2ac12ef84d96e61a1c (diff) | |
download | samba-db102cdd7d94bde35673b751d0a80e5baf560305.tar.gz |
CVE-2013-4408:s4:dcerpc_smb2: check for invalid frag_len in send_read_request_continue()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/librpc/rpc/dcerpc_smb2.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/source4/librpc/rpc/dcerpc_smb2.c b/source4/librpc/rpc/dcerpc_smb2.c index 473ca78ad1..2b1c66e232 100644 --- a/source4/librpc/rpc/dcerpc_smb2.c +++ b/source4/librpc/rpc/dcerpc_smb2.c @@ -173,6 +173,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO if (state->data.length >= 16) { uint16_t frag_length = dcerpc_get_frag_length(&state->data); + + if (frag_length < state->data.length) { + talloc_free(state); + return NT_STATUS_RPC_PROTOCOL_ERROR; + } + io.in.length = frag_length - state->data.length; } else { io.in.length = 0x2000; |