From: Stefan Metzmacher Date: Sat, 27 Jun 2015 23:19:57 +0000 (+0200) Subject: CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trai... X-Git-Tag: samba-4.2.10~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ed83c7657a3b405db1928db06c29f41d2738186;p=thirdparty%2Fsamba.git CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer() All callers should have already checked that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c index 2f81447964f..43e1b7f426f 100644 --- a/librpc/rpc/dcerpc_util.c +++ b/librpc/rpc/dcerpc_util.c @@ -101,6 +101,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, *_auth_length = 0; } + /* Paranoia checks for auth_length. The caller should check this... */ + if (pkt->auth_length == 0) { + return NT_STATUS_INTERNAL_ERROR; + } + /* Paranoia checks for auth_length. The caller should check this... */ if (pkt->auth_length > pkt->frag_length) { return NT_STATUS_INTERNAL_ERROR;
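Review bot: The comment on the new `pkt->auth_length == 0` check in dcerpc_pull_auth_trailer() is a verbatim copy of the one on the `pkt->auth_length > pkt->frag_length` check directly below it, so neither says which condition it guards or why zero is rejected here. Suggest rewording the new one to name the case, for example `/* auth_length == 0 means there is no auth trailer to pull; callers must handle that before calling us */`, or folding both checks under a single comment. The commit message relies on "All callers should have already checked that", and after this change a caller that did not check gets NT_STATUS_INTERNAL_ERROR for a field read from the packet. That precondition should therefore also be stated in the function's own documentation, so that a future caller rejects a zero auth_length itself and chooses the status it reports, rather than passing the internal error along.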