CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
authorVolker Lendecke <vl@samba.org>
Sat, 5 Nov 2016 20:22:46 +0000 (21:22 +0100)
committerKarolin Seeger <kseeger@samba.org>
Fri, 9 Dec 2016 11:04:59 +0000 (12:04 +0100)
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.

Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409

librpc/ndr/ndr_dnsp.c

index 3cb96f94a1bada6625f04431dde2d990fdaff628..0541261b95fbb8fc78aec8478633e11cc5125707 100644 (file)
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
                uint8_t sublen, newlen;
                NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
                newlen = total_len + sublen;
+               if (newlen < total_len) {
+                       return ndr_pull_error(ndr, NDR_ERR_RANGE,
+                                             "Failed to pull dnsp_name");
+               }
                if (i != count-1) {
+                       if (newlen == UINT8_MAX) {
+                               return ndr_pull_error(
+                                       ndr, NDR_ERR_RANGE,
+                                       "Failed to pull dnsp_name");
+                       }
                        newlen++; /* for the '.' */
                }
                ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
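Review bot: The two added range checks only work because `newlen` is a `uint8_t` and `newlen = total_len + sublen;` narrows on assignment, yet nothing in the loop records that, so a later widening of `newlen` would silently stop enforcing the limit. A comment above the first check, such as `/* newlen is uint8_t: a sum above UINT8_MAX wraps and would undersize the talloc_realloc() below */`, would document the invariant. Alternatively the test could avoid relying on the wrap, `if (sublen > UINT8_MAX - total_len)`, assuming `total_len` (declared outside the hunk) never exceeds `UINT8_MAX`. Both new errors reuse the generic text "Failed to pull dnsp_name"; a distinct message such as `"dnsp_name too long"` would let log triage tell over-long names in malformed records apart from other pull failures. The loop body continues past the end of the hunk.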