From 5f2cca6b2a7b8b7bad4a47a2bd31174c45fa2611 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 19 Jul 2010 19:42:12 -0400
Subject: s3-dcerpc: Add the same paranoia checks we have in the client code
---
 source3/rpc_server/srv_pipe.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'source3/rpc_server')
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 3b015f9e0f..8bb7a231d5 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1765,6 +1765,18 @@ static NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 return NT_STATUS_INVALID_PARAMETER;
 }
+ /* Paranioa checks for auth_length. */
+ if (pkt->auth_length > pkt->frag_length) {
+ return NT_STATUS_INFO_LENGTH_MISMATCH;
+ }
+ if ((pkt->auth_length
+ + DCERPC_AUTH_TRAILER_LENGTH < pkt->auth_length) ||
+ (pkt->auth_length
+ + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
+ /* Integer wrap attempt. */
+ return NT_STATUS_INFO_LENGTH_MISMATCH;
+ }
+
 status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer, &auth_info, &auth_length, false);
 if (!NT_STATUS_IS_OK(status)) {
-- cgit
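Review bot: The wrap test in the second added `if` probably cannot fire. If `auth_length` is a 16-bit field (its declaration is not in this hunk), `pkt->auth_length + DCERPC_AUTH_TRAILER_LENGTH` is promoted to `int` and never wraps, so both comparisons are always false. The first added check also accepts `auth_length == frag_length`, which leaves no room in the fragment for the trailer itself. A bound that is wrap-free at any unsigned width and covers both cases is `if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH || pkt->auth_length > pkt->frag_length - DCERPC_AUTH_TRAILER_LENGTH) { return NT_STATUS_INFO_LENGTH_MISMATCH; }`, unless `dcerpc_pull_auth_trailer` already enforces it against `pkt_trailer`. The comment has a typo and should read `/* Paranoia checks for auth_length. */`; the body of `dcerpc_check_auth` starts and ends outside the hunk.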