sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

CVE-2015-5370: s4:rpc_server: check frag_length for requests

Browse Source 
Note this is not the negotiated fragment size, but a hardcoded maximum.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This commit is contained in:
Stefan Metzmacher 2015-07-15 17:21:05 +02:00
parent aef225aaca
commit 6b5144c204
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
source4/rpc_server/dcerpc_server.c
View File

@ -1483,6 +1483,21 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
DCERPC_NCA_S_PROTO_ERROR);
}
if (call->pkt.frag_length > DCERPC_FRAG_MAX_SIZE) {
/*
* We don't use dcesrv_fault_disconnect()
* here, because we don't want to set
* DCERPC_PFC_FLAG_DID_NOT_EXECUTE
*
* Note that we don't check against the negotiated
* max_recv_frag, but a hard coded value.
*/
dcesrv_call_disconnect_after(call,
"dcesrv_auth_request - frag_length too large");
return dcesrv_fault(call,
DCERPC_NCA_S_PROTO_ERROR);
}
if (!dcesrv_auth_request(call, &blob)) {
/*
* We don't use dcesrv_fault_disconnect()