From: Volker Lendecke <vl@samba.org>
Date: Sat, 2 May 2020 13:10:14 +0000 (+0200)
Subject: libsmb: Protect cli_RNetServerEnum against rprcnt<6
X-Git-Tag: samba-4.10.16~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c25c2fc665ff9db4c1879f67a0c0d0deec6a40f6;p=thirdparty%2Fsamba.git

libsmb: Protect cli_RNetServerEnum against rprcnt<6

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ce8b70df7bd63e96723b8e8dc864f1690f5fad7b)
---

diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index 9b7f54c503b..16c1a502380 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -372,6 +372,13 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32_t stype,
 		}
 
 		rdata_end = rdata + rdrcnt;
+
+		if (rprcnt < 6) {
+			DBG_ERR("Got invalid result: rprcnt=%u\n", rprcnt);
+			res = -1;
+			break;
+		}
+
 		res = rparam ? SVAL(rparam,0) : -1;
 
 		if (res == 0 || res == ERRmoredata ||