From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 15 Jul 2015 15:21:05 +0000 (+0200)
Subject: CVE-2015-5370: s4:rpc_server: check frag_length for requests
X-Git-Tag: samba-4.2.10~44
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd8c942360eca5cae4720af415e30ffeee5a6877;p=thirdparty%2Fsamba.git

CVE-2015-5370: s4:rpc_server: check frag_length for requests

Note this is not the negotiated fragment size, but a hardcoded maximum.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 50b32c935bb..f896606318a 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -1483,6 +1483,21 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
 					DCERPC_NCA_S_PROTO_ERROR);
 		}
 
+		if (call->pkt.frag_length > DCERPC_FRAG_MAX_SIZE) {
+			/*
+			 * We don't use dcesrv_fault_disconnect()
+			 * here, because we don't want to set
+			 * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
+			 *
+			 * Note that we don't check against the negotiated
+			 * max_recv_frag, but a hard coded value.
+			 */
+			dcesrv_call_disconnect_after(call,
+				"dcesrv_auth_request - frag_length too large");
+			return dcesrv_fault(call,
+					DCERPC_NCA_S_PROTO_ERROR);
+		}
+
 		if (!dcesrv_auth_request(call, &blob)) {
 			/*
 			 * We don't use dcesrv_fault_disconnect()