Changeset 860 for vendor/current/source4/librpc

Timestamp:

May 12, 2014, 8:58:38 PM (11 years ago)

Author:

Silvan Scherrer

Message:

Samba 3.6: updated vendor to latest version

Location:

vendor/current/source4/librpc/rpc

Files:

• dcerpc.c (modified) (1 diff)
• dcerpc_smb.c (modified) (1 diff)
• dcerpc_smb2.c (modified) (1 diff)
• dcerpc_sock.c (modified) (1 diff)

vendor/current/source4/librpc/rpc/dcerpc.c

@@ -657 +657 @@
         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                 return ndr_map_error2ntstatus(ndr_err);
+        }
+
+        if (pkt->frag_length != blob->length) {
+                return NT_STATUS_RPC_PROTOCOL_ERROR;
         }
 

vendor/current/source4/librpc/rpc/dcerpc_smb.c

@@ -161 +161 @@
                 uint32_t frag_length = blob->length>=16?
                         dcerpc_get_frag_length(blob):0x2000;
+
+                if (frag_length < state->data.length) {
+                        talloc_free(state);
+                        return NT_STATUS_RPC_PROTOCOL_ERROR;
+                }
+
                 state->received = blob->length;
                 state->data = data_blob_talloc(state, NULL, frag_length);

vendor/current/source4/librpc/rpc/dcerpc_smb2.c

@@ -171 +171 @@
         if (state->data.length >= 16) {
                 uint16_t frag_length = dcerpc_get_frag_length(&state->data);
+
+                if (frag_length < state->data.length) {
+                        talloc_free(state);
+                        return NT_STATUS_RPC_PROTOCOL_ERROR;
+                }
+
                 io.in.length = frag_length - state->data.length;
         } else {

vendor/current/source4/librpc/rpc/dcerpc_sock.c

@@ -103 +103 @@
         }
         *size = dcerpc_get_frag_length(&blob);
+        if (*size < blob.length) {
+                /*
+                 * something is wrong, let the caller deal with it
+                 */
+                *size = blob.length;
+        }
         if (*size > blob.length) {
                 return STATUS_MORE_ENTRIES;