CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 02d9442b28293be61639cb0a7909ee0f31a7312b..63ab5072edba68dd599f4407313c1e6bcf9cce15 100644 (file)
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -990,6 +990,11 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
                return;
        }
 
+       if (state->reply_pdu_offset + rdata.length > MAX_RPC_DATA_SIZE) {
+               tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+               return;
+       }
+
        /* Now copy the data portion out of the pdu into rbuf. */
        if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
                if (!data_blob_realloc(NULL, &state->reply_pdu,