The branch, master has been updated
       via  4e74d811aa9f85a4cb7896c0fcc21552d1910cf5 (commit)
      from  66c0f3690a6c9248adfe5da7c1abd15a8704fd6c (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4e74d811aa9f85a4cb7896c0fcc21552d1910cf5
Author: Jeremy Allison <[email protected]>
Date:   Thu Mar 5 21:06:48 2009 -0800

    Now we're allowing a lower bound for auth_len, ensure we
    also check for an upper one (integer wrap).
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_server/srv_pipe.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index ac491b9..6becfa4 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -2113,7 +2113,11 @@ bool api_pipe_schannel_process(pipes_struct *p, 
prs_struct *rpc_in, uint32 *p_ss
 
        auth_len = p->hdr.auth_len;
 
-       if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+       if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
+                       auth_len < RPC_HEADER_LEN +
+                                       RPC_HDR_REQ_LEN +
+                                       RPC_HDR_AUTH_LEN +
+                                       auth_len) {
                DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
                return False;
        }


-- 
Samba Shared Repository

Reply via email to