From 821a49b7d05e87fdb12a1e6f9b020e41476ba41a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Oct 2013 14:17:49 +0200 Subject: [PATCH] CVE-2013-4408:libcli/util: add some size verification to tstream_read_pdu_blob_done() Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison --- libcli/util/tstream.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libcli/util/tstream.c b/libcli/util/tstream.c index 12cef9b6ddd..dd830e2aa44 100644 --- a/libcli/util/tstream.c +++ b/libcli/util/tstream.c @@ -129,6 +129,11 @@ static void tstream_read_pdu_blob_done(struct tevent_req *subreq) return; } + if (new_buf_size <= old_buf_size) { + tevent_req_nterror(req, NT_STATUS_INVALID_BUFFER_SIZE); + return; + } + buf = talloc_realloc(state, state->pdu_blob.data, uint8_t, new_buf_size); if (tevent_req_nomem(buf, req)) { return;