From eb8800e6118c2f77cef5a27f1c1b6118dd52d4ca Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 17 Feb 2010 10:23:14 +1100 Subject: s4-rpc: paranoid check for auth_length This is not strictly needed as the ndr_pull_advance() checks it a few lines further down, but I want to save Jeremy getting more grey hairs :-) --- source4/librpc/rpc/dcerpc_util.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source4') diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index aafa283fc6..9dabb54ca5 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -781,6 +781,17 @@ NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt, uint32_t pad; pad = pkt_auth_blob->length - (DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length); + + /* paranoia check for pad size. This would be caught anyway by + the ndr_pull_advance() a few lines down, but it scared + Jeremy enough for him to call me, so we might as well check + it now, just to prevent someone posting a bogus YouTube + video in the future. + */ + if (pad > pkt_auth_blob->length) { + return NT_STATUS_INFO_LENGTH_MISMATCH; + } + *auth_length = pkt_auth_blob->length - pad; ndr = ndr_pull_init_blob(pkt_auth_blob, mem_ctx, NULL); -- cgit