author | Simo Sorce <idra@samba.org> | 2010-07-19 19:42:12 -0400 |
---|---|---|
committer | Simo Sorce <idra@samba.org> | 2010-07-28 12:17:18 -0400 |
commit | 5f2cca6b2a7b8b7bad4a47a2bd31174c45fa2611 (patch) | |
tree | a31aec62d6a9795aef5e093d9cb6fa2225a28a74 /source3 | |
parent | 49a8c2965d2982e6510609fa9772a56597494641 (diff) | |
s3-dcerpc: Add the same paranoia checks we have in the client code
Diffstat (limited to 'source3')
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 3b015f9e0f..8bb7a231d5 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -1765,6 +1765,18 @@ static NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth, return NT_STATUS_INVALID_PARAMETER; } + /* Paranioa checks for auth_length. */ + if (pkt->auth_length > pkt->frag_length) { + return NT_STATUS_INFO_LENGTH_MISMATCH; + } + if ((pkt->auth_length + + DCERPC_AUTH_TRAILER_LENGTH < pkt->auth_length) || + (pkt->auth_length + + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) { + /* Integer wrap attempt. */ + return NT_STATUS_INFO_LENGTH_MISMATCH; + } + status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer, &auth_info, &auth_length, false); if (!NT_STATUS_IS_OK(status)) { |
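Review bot: The first added check compares `pkt->auth_length` with `pkt->frag_length` alone, so a fragment whose auth blob plus trailer header is larger than the fragment still reaches `dcerpc_pull_auth_trailer()`; unless that helper (not visible here) re-checks against `pkt_trailer`, the tighter test `if (pkt->auth_length + DCERPC_AUTH_TRAILER_LENGTH > pkt->frag_length) {` is the bound that matters. The wrap test that follows is probably unreachable: if `auth_length` is the 16-bit field the DCE/RPC header carries, the addition is done in `int` after integer promotion and cannot wrap, so the branch is only live with a 32-bit unsigned field. If it is kept as defence in depth, a comment such as `/* only reachable if auth_length is ever widened to 32 bits */` would say so. The new comment also misspells "Paranoia". `dcerpc_check_auth()` begins and ends outside this hunk, so any earlier length validation is not visible from here.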