summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2009-09-12 23:25:00 +0200
committerGünther Deschner <gd@samba.org>2009-09-13 06:46:55 +0200
commitf900e61cf81524f432eea9d349523cba140b160f (patch)
tree0294fd413e9aad014333097a52518cf525db23ce
parentfac9c35f99299497cfaad907c84830e7c57c013b (diff)
downloadsamba-f900e61cf81524f432eea9d349523cba140b160f.tar.gz
samba-f900e61cf81524f432eea9d349523cba140b160f.tar.bz2
samba-f900e61cf81524f432eea9d349523cba140b160f.zip
s3-schannel: fix api_pipe_schannel_process(), was using incorrect buffer length.
Found by RPC-SCHANNEL torture test. Guenther
-rw-r--r--source3/rpc_server/srv_pipe.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 7be0a0d2d2..ce7df63972 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -2199,11 +2199,13 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
return False;
}
- blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), data_len);
+ blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &schannel_chk,
(ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_SIGNATURE);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(0,("failed to pull NL_AUTH_SIGNATURE\n"));
+ dump_data(2, blob.data, blob.length);
return false;
}