From da5dfc7617794e8ca1faaef73f5d78ea73dcfb90 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 16 Oct 2013 16:26:58 +0200
Subject: CVE-2013-4408:s3:ctdb_conn: add some length verification to ctdb_packet_more()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 source3/lib/ctdb_conn.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'source3/lib')
diff --git a/source3/lib/ctdb_conn.c b/source3/lib/ctdb_conn.c
index 90930eb86b..40071d4e5c 100644
--- a/source3/lib/ctdb_conn.c
+++ b/source3/lib/ctdb_conn.c
@@ -233,6 +233,11 @@ static ssize_t ctdb_packet_more(uint8_t *buf, size_t buflen, void *p)
 return 0;
 }
 memcpy(&len, buf, sizeof(len));
+
+ if (len < sizeof(uint32_t)) {
+ return -1;
+ }
+
 return (len - sizeof(uint32_t));
 }
--
cgit v1.2.3
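Review bot: The added guard in ctdb_packet_more() stops the underflow in `len - sizeof(uint32_t)`, but it sets no upper bound, so a `len` close to UINT32_MAX copied from `buf` still passes and is returned as the remaining byte count. If the caller sizes its read or allocation from that value (not visible here), a single malformed header could request close to 4 GiB, and where ssize_t is 32 bits wide anything above SSIZE_MAX becomes negative on return. Consider bounding both sides, e.g. `if (len < sizeof(uint32_t) || len > CTDB_MAX_PACKET_LEN) { return -1; }`, where `CTDB_MAX_PACKET_LEN` is a placeholder for whatever limit the protocol allows. A short comment would also help, such as `/* len includes the 4-byte length field itself; reject values that would wrap the subtraction below */`. The function starts above the hunk, so whether `buflen` is confirmed to be at least `sizeof(len)` before the `memcpy` cannot be checked from here and is worth verifying.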