sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-23 09:57:40 +03:00
Code

s4:rpc_server: check the auth_pad_length overflow before calling gensec_[check,unseal]_packet()

Browse Source 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
Stefan Metzmacher 2016-09-01 10:35:13 +02:00 committed by Andreas Schneider
parent c5dec0e41c
commit 05fd543a78
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
source4/rpc_server/dcesrv_auth.c
View File

@ -533,6 +533,13 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
pkt->u.request.stub_and_verifier.length -= auth_length;
/*
* check the indicated amount of padding, used below...
*/
if (pkt->u.request.stub_and_verifier.length < call->in_auth_info.auth_pad_length) {
return false;
}
/* check signature or unseal the packet */
switch (dce_conn->auth_state.auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
@ -568,10 +575,10 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
break;
}
/* remove the indicated amount of padding */
if (pkt->u.request.stub_and_verifier.length < call->in_auth_info.auth_pad_length) {
return false;
}
/*
* remove the indicated amount of padding
* overflow is checked about!
*/
pkt->u.request.stub_and_verifier.length -= call->in_auth_info.auth_pad_length;
if (!NT_STATUS_IS_OK(status)) {