From: Jeremy Allison Date: Fri, 6 Mar 2009 04:59:48 +0000 (-0800) Subject: Now we're allowing a lower bound for auth_len, ensure we X-Git-Tag: samba-3.0.36~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=803aa8da6d2a7f32359a090062ab468cf8d6ce32;p=thirdparty%2Fsamba.git Now we're allowing a lower bound for auth_len, ensure we also check for an upper one (integer wrap). Jeremy. (cherry picked from commit f03bacbf695f877d27186a39755ae726a22a61c8)
---
diff --git a/source/rpc_server/srv_pipe.c b/source/rpc_server/srv_pipe.c
index d491bc22450..868f4d03585 100644
--- a/source/rpc_server/srv_pipe.c
+++ b/source/rpc_server/srv_pipe.c
@@ -2062,7 +2062,11 @@ BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
 auth_len = p->hdr.auth_len;
- if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+ if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
+ auth_len < RPC_HEADER_LEN +
+ RPC_HDR_REQ_LEN +
+ RPC_HDR_AUTH_LEN +
+ auth_len) {
 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
 return False;
 }
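Review bot: The added upper-bound test `auth_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len` only fires if the sum is evaluated in unsigned arithmetic no wider than `auth_len`, and neither the declaration of `auth_len` nor the types of the three constants is visible in this hunk. If any operand widens the expression, or it ends up computed as signed int, the wrap is never detected and the guard silently becomes dead code. Stating the bound by subtraction makes it independent of promotion and easier to read, e.g. `auth_len > UINT32_MAX - (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN)`, using whatever maximum macro the tree provides for its `uint32` type. Either way a one-line comment such as `/* reject auth_len values for which the header-length sum would wrap */` would tell the next reader why a value is compared against an expression containing itself. The function body begins and continues outside the hunk, so the later uses of `auth_len` that this bound protects cannot be checked from here.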