diff options
author | Jeremy Allison <jra@samba.org> | 2009-03-05 21:06:48 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2009-03-05 21:06:48 -0800 |
commit | 4e74d811aa9f85a4cb7896c0fcc21552d1910cf5 (patch) | |
tree | 042f8ef243d24722829dd154adb8d445fa5f7d3f | |
parent | 66c0f3690a6c9248adfe5da7c1abd15a8704fd6c (diff) | |
download | samba-4e74d811aa9f85a4cb7896c0fcc21552d1910cf5.tar.gz samba-4e74d811aa9f85a4cb7896c0fcc21552d1910cf5.tar.bz2 samba-4e74d811aa9f85a4cb7896c0fcc21552d1910cf5.zip |
Now we're allowing a lower bound for auth_len, ensure we
also check for an upper one (integer wrap).
Jeremy.
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index ac491b9e53..6becfa42e8 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -2113,7 +2113,11 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss auth_len = p->hdr.auth_len; - if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) { + if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN || + auth_len < RPC_HEADER_LEN + + RPC_HDR_REQ_LEN + + RPC_HDR_AUTH_LEN + + auth_len) { DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len )); return False; } |