sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-03 04:22:09 +03:00
Code Activity

CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.

Browse Source 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Jeremy Allison
2013-11-07 21:40:55 -08:00
committed by Karolin Seeger
parent b0ba4a5621
commit 0dc6181894
20 changed files with 359 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
source3/rpc_client/cli_lsarpc.c
View File

@ -662,9 +662,19 @@ NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h,
struct dom_sid *sid = &(*sids)[i];
if (use_lookupnames4) {
if (i >= sid_array3.count) {
*presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
goto done;
}
dom_idx = sid_array3.sids[i].sid_index;
(*types)[i] = sid_array3.sids[i].sid_type;
} else {
if (i >= sid_array.count) {
*presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
goto done;
}
dom_idx = sid_array.sids[i].sid_index;
(*types)[i] = sid_array.sids[i].sid_type;
}
@ -677,6 +687,14 @@ NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h,
(*types)[i] = SID_NAME_UNKNOWN;
continue;
}
if (domains == NULL) {
*presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
goto done;
}
if (dom_idx >= domains->count) {
*presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
goto done;
}
if (use_lookupnames4) {
sid_copy(sid, sid_array3.sids[i].sid);