diff options
author | Günther Deschner <gd@samba.org> | 2009-09-12 23:25:00 +0200 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2009-09-13 06:46:55 +0200 |
commit | f900e61cf81524f432eea9d349523cba140b160f (patch) | |
tree | 0294fd413e9aad014333097a52518cf525db23ce /source3/rpc_server | |
parent | fac9c35f99299497cfaad907c84830e7c57c013b (diff) | |
download | samba-f900e61cf81524f432eea9d349523cba140b160f.tar.gz samba-f900e61cf81524f432eea9d349523cba140b160f.tar.bz2 samba-f900e61cf81524f432eea9d349523cba140b160f.zip |
s3-schannel: fix api_pipe_schannel_process(), was using incorrect buffer length.
Found by RPC-SCHANNEL torture test.
Guenther
Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 7be0a0d2d2..ce7df63972 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -2199,11 +2199,13 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss return False; } - blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), data_len); + blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len); ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &schannel_chk, (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_SIGNATURE); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(0,("failed to pull NL_AUTH_SIGNATURE\n")); + dump_data(2, blob.data, blob.length); return false; } |