Now we're allowing a lower bound for auth_len, ensure we

also check for an upper one (integer wrap). Jeremy.
author: Jeremy Allison <jra@samba.org> 2009-03-05 21:06:48 -0800
committer: Jeremy Allison <jra@samba.org> 2009-03-05 21:06:48 -0800
commit: 4e74d811aa9f85a4cb7896c0fcc21552d1910cf5 (patch)
tree: 042f8ef243d24722829dd154adb8d445fa5f7d3f /source3/rpc_server/srv_pipe.c
parent: 66c0f3690a6c9248adfe5da7c1abd15a8704fd6c (diff)
download: samba-4e74d811aa9f85a4cb7896c0fcc21552d1910cf5.tar.gz
samba-4e74d811aa9f85a4cb7896c0fcc21552d1910cf5.tar.bz2
samba-4e74d811aa9f85a4cb7896c0fcc21552d1910cf5.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index ac491b9e53..6becfa42e8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -2113,7 +2113,11 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
 
 	auth_len = p->hdr.auth_len;
 
-	if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+	if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
+			auth_len < RPC_HEADER_LEN +
+					RPC_HDR_REQ_LEN +
+					RPC_HDR_AUTH_LEN +
+					auth_len) {
 		DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
 		return False;
 	}
author	Jeremy Allison <jra@samba.org>	2009-03-05 21:06:48 -0800
committer	Jeremy Allison <jra@samba.org>	2009-03-05 21:06:48 -0800
commit	4e74d811aa9f85a4cb7896c0fcc21552d1910cf5 (patch)
tree	042f8ef243d24722829dd154adb8d445fa5f7d3f /source3/rpc_server/srv_pipe.c
parent	66c0f3690a6c9248adfe5da7c1abd15a8704fd6c (diff)
download	samba-4e74d811aa9f85a4cb7896c0fcc21552d1910cf5.tar.gz samba-4e74d811aa9f85a4cb7896c0fcc21552d1910cf5.tar.bz2 samba-4e74d811aa9f85a4cb7896c0fcc21552d1910cf5.zip