From: Stefan Metzmacher Date: Tue, 7 Jul 2015 14:06:59 +0000 (+0200) Subject: CVE-2015-5370: s3:rpc_server: verify presentation context arrays X-Git-Tag: samba-4.2.10~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e6b4abac14840e4cee1afc5d4811b0f0277eade;p=thirdparty%2Fsamba.git CVE-2015-5370: s3:rpc_server: verify presentation context arrays BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner
---
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 3b746cf515b..a1304d3753b 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -646,7 +646,12 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 p->allow_bind = false;
 if (pkt->u.bind.num_contexts == 0) {
- DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
+ DEBUG(1, ("api_pipe_bind_req: no rpc contexts around\n"));
+ goto err_exit;
+ }
+
+ if (pkt->u.bind.ctx_list[0].num_transfer_syntaxes == 0) {
+ DEBUG(1, ("api_pipe_bind_req: no transfer syntaxes around\n"));
 goto err_exit;
 }
@@ -988,6 +993,16 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 goto err_exit;
 }
+ if (pkt->u.alter.num_contexts == 0) {
+ DEBUG(1, ("api_pipe_alter_context: no rpc contexts around\n"));
+ goto err_exit;
+ }
+
+ if (pkt->u.alter.ctx_list[0].num_transfer_syntaxes == 0) {
+ DEBUG(1, ("api_pipe_alter_context: no transfer syntaxes around\n"));
+ goto err_exit;
+ }
+
 if (pkt->u.alter.assoc_group_id != 0) {
 assoc_gid = pkt->u.alter.assoc_group_id;
 } else {
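Review bot: The guard added to api_pipe_bind_req inspects only `ctx_list[0].num_transfer_syntaxes`, so a bind PDU with `num_contexts > 1` still passes with entries 1..n-1 unchecked; the matching guard added to api_pipe_alter_context in the second hunk has the same limit. The code that consumes the context list is outside both hunks, so whether later entries are ever read is an assumption to confirm. If only the first context is used, record that next to the check, e.g. `/* only ctx_list[0] is negotiated; counts come from the client PDU */`; otherwise validate every entry in a loop bounded by `num_contexts`. Both function bodies start and end outside the hunks.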
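Review bot: The two guards added to api_pipe_alter_context are a copy of the pair in api_pipe_bind_req, differing only in the union member and the name in the log text, so a later tightening of one path can silently miss the other. A small static helper that takes the caller name, the context count and the list pointer would keep the bind and alter paths in step; the first hunk's pair can call it the same way. The helper name below is a suggestion, and the `uint8_t` count and `struct dcerpc_ctx_list` element type should be checked against the generated DCERPC header, since neither declaration is visible in this diff.

```c
/* Reject client-supplied presentation context arrays that are empty. */
static bool pipe_ctx_list_ok(const char *caller,
			     uint8_t num_contexts,
			     const struct dcerpc_ctx_list *ctx_list)
{
	if (num_contexts == 0) {
		DEBUG(1, ("%s: no rpc contexts around\n", caller));
		return false;
	}

	if (ctx_list[0].num_transfer_syntaxes == 0) {
		DEBUG(1, ("%s: no transfer syntaxes around\n", caller));
		return false;
	}

	return true;
}

/* ... unchanged: earlier checks in api_pipe_alter_context ... */
	if (!pipe_ctx_list_ok("api_pipe_alter_context",
			      pkt->u.alter.num_contexts,
			      pkt->u.alter.ctx_list)) {
		goto err_exit;
	}
/* ... unchanged: assoc_group_id handling ... */
```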