1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

CVE-2013-4408:s4:dcerpc_smb2: check for invalid frag_len in send_read_request_continue()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Stefan Metzmacher 2013-09-25 23:25:12 +02:00 committed by Karolin Seeger
parent 3be7907fd9
commit 77c3518152

View File

@ -173,6 +173,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO
if (state->data.length >= 16) {
uint16_t frag_length = dcerpc_get_frag_length(&state->data);
if (frag_length < state->data.length) {
talloc_free(state);
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
io.in.length = frag_length - state->data.length;
} else {
io.in.length = 0x2000;