From: Stefan Metzmacher Date: Fri, 10 Jul 2015 12:08:46 +0000 (+0200) Subject: CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large... X-Git-Tag: samba-4.2.10~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=69c77760deed8c8055ecb8b9531464f73c8fab80;p=thirdparty%2Fsamba.git CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads We should only allow a combined payload of a response of at max 4 MBytes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c index 3a6dc571e19..7b9777f267a 100644 --- a/source4/librpc/rpc/dcerpc.c +++ b/source4/librpc/rpc/dcerpc.c @@ -1567,6 +1567,15 @@ static void dcerpc_request_recv_data(struct dcecli_connection *c, length = pkt->u.response.stub_and_verifier.length; + if (req->payload.length + length > DCERPC_NCACN_PAYLOAD_MAX_SIZE) { + DEBUG(2,("Unexpected total payload 0x%X > 0x%X dcerpc response\n", + (unsigned)req->payload.length + length, + DCERPC_NCACN_PAYLOAD_MAX_SIZE)); + req->fault_code = DCERPC_FAULT_OTHER; + req->status = NT_STATUS_NET_WRITE_FAULT; + goto req_done; + } + if (length > 0) { req->payload.data = talloc_realloc(req, req->payload.data,
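Review bot: In the DEBUG() call inside the new size check, the cast in `(unsigned)req->payload.length + length` binds only to `req->payload.length`, not to the sum, so the value passed for the first `0x%X` takes whatever type the addition promotes to. The declaration of `length` is not visible in this hunk; if it is wider than unsigned, the format specifier and the argument no longer match. Casting the whole expression, `(unsigned)(req->payload.length + length)`, removes the ambiguity. The condition itself adds the two lengths before comparing, which can wrap if both operands are narrow; written as `length > DCERPC_NCACN_PAYLOAD_MAX_SIZE - req->payload.length`, it cannot wrap as long as `req->payload.length` never exceeds the limit, which this check maintains for data appended on this path. The commit message gives the limit as 4 MBytes, but the value of DCERPC_NCACN_PAYLOAD_MAX_SIZE is not shown here, so a short comment at the check stating the intended limit would help. Finally, `NT_STATUS_NET_WRITE_FAULT` is set on a receive path; if that matches the status used by the neighbouring error branches, a comment saying so would make the choice clear.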