summaryrefslogtreecommitdiff
path: root/source3/rpc_server
diff options
context:
space:
mode:
authorSimo Sorce <idra@samba.org>2010-07-19 19:42:12 -0400
committerSimo Sorce <idra@samba.org>2010-07-28 12:17:18 -0400
commit5f2cca6b2a7b8b7bad4a47a2bd31174c45fa2611 (patch)
treea31aec62d6a9795aef5e093d9cb6fa2225a28a74 /source3/rpc_server
parent49a8c2965d2982e6510609fa9772a56597494641 (diff)
downloadsamba-5f2cca6b2a7b8b7bad4a47a2bd31174c45fa2611.tar.gz
samba-5f2cca6b2a7b8b7bad4a47a2bd31174c45fa2611.tar.bz2
samba-5f2cca6b2a7b8b7bad4a47a2bd31174c45fa2611.zip
s3-dcerpc: Add the same paranoia checks we have in the client code
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_pipe.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 3b015f9e0f..8bb7a231d5 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1765,6 +1765,18 @@ static NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
return NT_STATUS_INVALID_PARAMETER;
}
+ /* Paranioa checks for auth_length. */
+ if (pkt->auth_length > pkt->frag_length) {
+ return NT_STATUS_INFO_LENGTH_MISMATCH;
+ }
+ if ((pkt->auth_length
+ + DCERPC_AUTH_TRAILER_LENGTH < pkt->auth_length) ||
+ (pkt->auth_length
+ + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
+ /* Integer wrap attempt. */
+ return NT_STATUS_INFO_LENGTH_MISMATCH;
+ }
+
status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer,
&auth_info, &auth_length, false);
if (!NT_STATUS_IS_OK(status)) {