[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-5043-gacf2223

Jeremy Allison jra at samba.org
Fri Mar 6 05:04:11 GMT 2009


The branch, v3-3-test has been updated
       via  acf2223f803c14c64a38f5218d823b8f8171e47f (commit)
      from  a9e6c91cd18b8b7b805f4b69f3867ea4bd6bc3ba (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit acf2223f803c14c64a38f5218d823b8f8171e47f
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Mar 5 21:04:52 2009 -0800

    Now we're allowing a lower bound for auth_len, ensure we
    also check for an upper one (integer wrap).
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/rpc_server/srv_pipe.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/rpc_server/srv_pipe.c b/source/rpc_server/srv_pipe.c
index dbee760..b5766cd 100644
--- a/source/rpc_server/srv_pipe.c
+++ b/source/rpc_server/srv_pipe.c
@@ -2150,7 +2150,11 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
 
 	auth_len = p->hdr.auth_len;
 
-	if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+	if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
+			auth_len < RPC_HEADER_LEN +
+					RPC_HDR_REQ_LEN +
+					RPC_HDR_AUTH_LEN +
+					auth_len) {
 		DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
 		return False;
 	}


-- 
Samba Shared Repository


More information about the samba-cvs mailing list