From 1ed83c7657a3b405db1928db06c29f41d2738186 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sun, 28 Jun 2015 01:19:57 +0200
Subject: [PATCH] CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
All callers should have already checked that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 librpc/rpc/dcerpc_util.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index 2f81447964f..43e1b7f426f 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -101,6 +101,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
 *_auth_length = 0;
 }
+ /* Paranoia checks for auth_length. The caller should check this... */
+ if (pkt->auth_length == 0) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ /* Paranoia checks for auth_length. The caller should check this... */
 if (pkt->auth_length > pkt->frag_length) {
 return NT_STATUS_INTERNAL_ERROR;
-- 
2.47.2
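Review bot: The comment on the new `pkt->auth_length == 0` check is a verbatim copy of the one on the `pkt->auth_length > pkt->frag_length` check right after it, so it does not say why zero is rejected. A distinct comment such as `/* auth_length == 0 means there is no auth trailer to pull; callers must filter that case before calling. */` would record the contract the commit message states ("All callers should have already checked that"). Since `auth_length` presumably comes from the received packet header, the function's header comment could also note that `NT_STATUS_INTERNAL_ERROR` here indicates a caller that skipped its own validation, not an ordinary parse failure. The body of `dcerpc_pull_auth_trailer()` starts and ends outside this hunk, so the remaining length checks are not visible here.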