From bb435cbd0313ec0ec6889181223929578603d73d Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Sat, 28 Oct 2006 04:17:43 +0000
Subject: r19502: fixed the RPC-SECRETS test with kerberos. Andrew, can you
 look at this as well?

The server side change is needed to fix a valgrind error, which was
possibly exploitable if the client sent deliberately bad data
(This used to be commit e3c04cf165fe15739197b2713e78046399aa7653)
---
 source4/rpc_server/dcesrv_auth.c | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)

(limited to 'source4/rpc_server/dcesrv_auth.c')

diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index e6e9bb7fc5..b73143ce34 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -470,19 +470,14 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
 					    &creds2);
 
 		if (NT_STATUS_IS_OK(status)) {
-			status = data_blob_realloc(call, blob,
-						   blob->length - dce_conn->auth_state.auth_info->credentials.length + 
-						   creds2.length);
-		}
-
-		if (NT_STATUS_IS_OK(status)) {
-			memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length,
-			       creds2.data, creds2.length);
+			blob->length -= dce_conn->auth_state.auth_info->credentials.length;
+			status = data_blob_append(call, blob, creds2.data, creds2.length);
 		}
 
 		/* If we did AEAD signing of the packet headers, then we hope
 		 * this value didn't change... */
 		dcerpc_set_auth_length(blob, creds2.length);
+		dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length);
 		data_blob_free(&creds2);
 		break;
 
@@ -495,20 +490,14 @@ BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
 					    blob->length - dce_conn->auth_state.auth_info->credentials.length,
 					    &creds2);
 		if (NT_STATUS_IS_OK(status)) {
-			status = data_blob_realloc(call, blob,
-						   blob->length - dce_conn->auth_state.auth_info->credentials.length + 
-						   creds2.length);
-		}
-
-		if (NT_STATUS_IS_OK(status)) {
-			memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length,
-			       creds2.data, creds2.length);
+			blob->length -= dce_conn->auth_state.auth_info->credentials.length;
+			status = data_blob_append(call, blob, creds2.data, creds2.length);
 		}
 
 		/* If we did AEAD signing of the packet headers, then we hope
 		 * this value didn't change... */
 		dcerpc_set_auth_length(blob, creds2.length);
-
+		dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length);
 		data_blob_free(&creds2);
 		break;
 
-- 
cgit