mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
CVE-2013-4408:s4:dcerpc_smb2: check for invalid frag_len in send_read_request_continue()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
parent
3be7907fd9
commit
77c3518152
@ -173,6 +173,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO
|
||||
|
||||
if (state->data.length >= 16) {
|
||||
uint16_t frag_length = dcerpc_get_frag_length(&state->data);
|
||||
|
||||
if (frag_length < state->data.length) {
|
||||
talloc_free(state);
|
||||
return NT_STATUS_RPC_PROTOCOL_ERROR;
|
||||
}
|
||||
|
||||
io.in.length = frag_length - state->data.length;
|
||||
} else {
|
||||
io.in.length = 0x2000;
|
||||
|
Loading…
Reference in New Issue
Block a user