[SCM] Samba Shared Repository - branch master updated
Karolin Seeger
kseeger at samba.org
Mon Dec 9 01:01:03 MST 2013
The branch, master has been updated
via f799f63 CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked.
via 0dc6181 CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.
via b0ba4a5 CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
via a516ae6 CVE-2013-4408:s3:Ensure we always check call_id when validating an RPC reply.
via 068dafc CVE-2013-4408:s3:ctdb_conn: add some length verification to ctdb_packet_more()
via 821a49b CVE-2013-4408:libcli/util: add some size verification to tstream_read_pdu_blob_done()
via 6e29389 CVE-2013-4408:s3:util_tsock: add some overflow detection to tstream_read_packet_done()
via 94b2641 CVE-2013-4408:async_sock: add some overflow detection to read_packet_handler()
via 127de4f CVE-2013-4408:s4:dcerpc_sock: check for invalid frag_len within sock_complete_packet()
via 77c3518 CVE-2013-4408:s4:dcerpc_smb2: check for invalid frag_len in send_read_request_continue()
via 3be7907 CVE-2013-4408:s4:dcerpc_smb: check for invalid frag_len in send_read_request_continue()
via db5fff3 CVE-2013-4408:s4:dcerpc: check for invalid frag_len in ncacn_pull()
via 8b7c862 CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size
via ecdac51 CVE-2013-4408:s3:rpc_client: check for invalid frag_len in dcerpc_pull_ncacn_packet()
via dfd4fc1 CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_next_vector()
via 2fb570a CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_done()
from c65ad56 ctdb:packaging:RPM: don't run autogen.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f799f63e4312b25d3c671e7a4072607fdba0c768
Author: Jeremy Allison <jra at samba.org>
Date: Thu Nov 7 22:41:22 2013 -0800
CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(master): Mon Dec 9 09:00:41 CET 2013 on sn-devel-104
commit 0dc618189469bf389a583eb346ddc6acaad1c644
Author: Jeremy Allison <jra at samba.org>
Date: Thu Nov 7 21:40:55 2013 -0800
CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Jeremy Allison <jra at samba.org>
commit b0ba4a562112fc707f540e1ff7c8e55ea02479c9
Author: Jeremy Allison <jra at samba.org>
Date: Thu Nov 7 20:38:01 2013 -0800
CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Jeremy Allison <jra at samba.org>
commit a516ae6868386aa23f2beb52a576b0cf68042b1d
Author: Jeremy Allison <jra at samba.org>
Date: Thu Oct 17 14:44:35 2013 -0700
CVE-2013-4408:s3:Ensure we always check call_id when validating an RPC reply.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 068dafc4d8f0c82a16ca5c092eb5f5144dd5f199
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Oct 16 16:26:58 2013 +0200
CVE-2013-4408:s3:ctdb_conn: add some length verification to ctdb_packet_more()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 821a49b7d05e87fdb12a1e6f9b020e41476ba41a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Oct 16 14:17:49 2013 +0200
CVE-2013-4408:libcli/util: add some size verification to tstream_read_pdu_blob_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6e293891ca8048424e7a95a43b62035733c716c2
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Oct 16 14:17:49 2013 +0200
CVE-2013-4408:s3:util_tsock: add some overflow detection to tstream_read_packet_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 94b2641a530b3bd6bb67017c2a3c571f0ff41921
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Oct 16 14:17:49 2013 +0200
CVE-2013-4408:async_sock: add some overflow detection to read_packet_handler()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 127de4f4ac06cd8d5226187bc0a5be34bedc5bf8
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 24 05:03:40 2013 +0200
CVE-2013-4408:s4:dcerpc_sock: check for invalid frag_len within sock_complete_packet()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 77c3518152eca9abcc04c1c446eeec0f442a4b89
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:25:12 2013 +0200
CVE-2013-4408:s4:dcerpc_smb2: check for invalid frag_len in send_read_request_continue()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3be7907fd91749f228bf5f104ab0c673be3fef05
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:25:12 2013 +0200
CVE-2013-4408:s4:dcerpc_smb: check for invalid frag_len in send_read_request_continue()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit db5fff3bc91535a9dab8c622e5e98c098956bb65
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:25:12 2013 +0200
CVE-2013-4408:s4:dcerpc: check for invalid frag_len in ncacn_pull()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8b7c862babeb2bccfe5041495706f2aac6f73f6f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:25:12 2013 +0200
CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ecdac51e85ccc3503b9f732838475bf97092c6ba
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 25 23:25:12 2013 +0200
CVE-2013-4408:s3:rpc_client: check for invalid frag_len in dcerpc_pull_ncacn_packet()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit dfd4fc1591f17998bf7b6a867900ed6f1b35ca7c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 24 05:03:40 2013 +0200
CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_next_vector()
We should do this explicit instead of relying on
tstream_readv_pdu_ask_for_next_vector() to catch the overflow.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2fb570abec6d07cee61332cf518703060514d3a0
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 24 05:03:40 2013 +0200
CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/async_req/async_sock.c | 5 ++
libcli/util/tstream.c | 5 ++
librpc/rpc/dcerpc_util.c | 14 ++++
nsswitch/libwbclient/wbc_sid.c | 7 ++
nsswitch/wbinfo.c | 14 +++-
source3/lib/ctdb_conn.c | 5 ++
source3/lib/netapi/group.c | 98 +++++++++++++++++++++++++++
source3/lib/netapi/localgroup.c | 8 ++-
source3/lib/netapi/user.c | 72 ++++++++++++++++++++
source3/lib/util_tsock.c | 5 ++
source3/libnet/libnet_join.c | 16 +++++
source3/librpc/rpc/dcerpc_helpers.c | 4 +
source3/rpc_client/cli_lsarpc.c | 35 +++++++++-
source3/rpc_client/cli_pipe.c | 41 +++++++++--
source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +-
source3/rpcclient/cmd_lsarpc.c | 13 +++-
source3/rpcclient/cmd_samr.c | 66 ++++++++++++++++++-
source3/smbd/lanman.c | 8 ++
source3/utils/net_rpc.c | 47 ++++++++++++-
source3/winbindd/wb_lookupsids.c | 3 +
source3/winbindd/winbindd_msrpc.c | 10 ++-
source3/winbindd/winbindd_rpc.c | 54 +++++++++++----
source4/libcli/util/clilsa.c | 22 ++++++-
source4/libnet/groupinfo.c | 9 ++-
source4/libnet/groupman.c | 10 ++--
source4/libnet/libnet_join.c | 12 +++-
source4/libnet/libnet_lookup.c | 5 ++
source4/libnet/libnet_passwd.c | 10 +++-
source4/libnet/userinfo.c | 8 ++-
source4/libnet/userman.c | 24 +++----
source4/librpc/rpc/dcerpc.c | 4 +
source4/librpc/rpc/dcerpc_smb.c | 6 ++
source4/librpc/rpc/dcerpc_smb2.c | 6 ++
source4/librpc/rpc/dcerpc_sock.c | 6 ++
source4/winbind/wb_async_helpers.c | 26 +++++++-
35 files changed, 615 insertions(+), 65 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c
index 59dde88..74b2cb7 100644
--- a/lib/async_req/async_sock.c
+++ b/lib/async_req/async_sock.c
@@ -667,6 +667,11 @@ static void read_packet_handler(struct tevent_context *ev,
return;
}
+ if (total + more < total) {
+ tevent_req_error(req, EMSGSIZE);
+ return;
+ }
+
tmp = talloc_realloc(state, state->buf, uint8_t, total+more);
if (tevent_req_nomem(tmp, req)) {
return;
diff --git a/libcli/util/tstream.c b/libcli/util/tstream.c
index 12cef9b..dd830e2 100644
--- a/libcli/util/tstream.c
+++ b/libcli/util/tstream.c
@@ -129,6 +129,11 @@ static void tstream_read_pdu_blob_done(struct tevent_req *subreq)
return;
}
+ if (new_buf_size <= old_buf_size) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_BUFFER_SIZE);
+ return;
+ }
+
buf = talloc_realloc(state, state->pdu_blob.data, uint8_t, new_buf_size);
if (tevent_req_nomem(buf, req)) {
return;
diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index 980b070..4046f32 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -223,6 +223,15 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
ofs = state->buffer.length;
+ if (frag_len < ofs) {
+ /*
+ * something is wrong, let the caller deal with it
+ */
+ *_vector = NULL;
+ *_count = 0;
+ return 0;
+ }
+
state->buffer.data = talloc_realloc(state,
state->buffer.data,
uint8_t, frag_len);
@@ -292,6 +301,11 @@ static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
return;
}
+ if (state->pkt->frag_length != state->buffer.length) {
+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+ return;
+ }
+
tevent_req_done(req);
}
diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c
index 471f71b..0877ed0 100644
--- a/nsswitch/libwbclient/wbc_sid.c
+++ b/nsswitch/libwbclient/wbc_sid.c
@@ -427,6 +427,13 @@ wbcErr wbcLookupSids(const struct wbcDomainSid *sids, int num_sids,
for (i=0; i<num_names; i++) {
names[i].domain_index = strtoul(p, &q, 10);
+ if (names[i].domain_index < 0) {
+ goto wbc_err_invalid;
+ }
+ if (names[i].domain_index >= num_domains) {
+ goto wbc_err_invalid;
+ }
+
if (*q != ' ') {
goto wbc_err_invalid;
}
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 61acd1a..cc75fc3 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1395,15 +1395,25 @@ static bool wbinfo_lookup_sids(const char *arg)
}
for (i=0; i<num_sids; i++) {
+ const char *domain = NULL;
+
wbcSidToStringBuf(&sids[i], sidstr, sizeof(sidstr));
+ if (names[i].domain_index >= num_domains) {
+ domain = "<none>";
+ } else if (names[i].domain_index < 0) {
+ domain = "<none>";
+ } else {
+ domain = domains[names[i].domain_index].short_name;
+ }
+
if (names[i].type == WBC_SID_NAME_DOMAIN) {
d_printf("%s -> %s %d\n", sidstr,
- domains[names[i].domain_index].short_name,
+ domain,
names[i].type);
} else {
d_printf("%s -> %s%c%s %d\n", sidstr,
- domains[names[i].domain_index].short_name,
+ domain,
winbind_separator(),
names[i].name, names[i].type);
}
diff --git a/source3/lib/ctdb_conn.c b/source3/lib/ctdb_conn.c
index 90930eb..40071d4 100644
--- a/source3/lib/ctdb_conn.c
+++ b/source3/lib/ctdb_conn.c
@@ -233,6 +233,11 @@ static ssize_t ctdb_packet_more(uint8_t *buf, size_t buflen, void *p)
return 0;
}
memcpy(&len, buf, sizeof(len));
+
+ if (len < sizeof(uint32_t)) {
+ return -1;
+ }
+
return (len - sizeof(uint32_t));
}
diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
index 38ed6df..6d9b248 100644
--- a/source3/lib/netapi/group.c
+++ b/source3/lib/netapi/group.c
@@ -309,6 +309,15 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+
if (types.ids[0] != SID_NAME_DOM_GRP) {
werr = WERR_INVALID_DATATYPE;
goto done;
@@ -386,6 +395,14 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (names.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (member_types.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
}
for (i=0; i < rid_array->count; i++) {
@@ -511,6 +528,14 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_DOM_GRP) {
werr = WERR_INVALID_DATATYPE;
@@ -781,6 +806,14 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_DOM_GRP) {
werr = WERR_INVALID_DATATYPE;
@@ -921,6 +954,14 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
werr = WERR_GROUPNOTFOUND;
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_DOM_GRP) {
werr = WERR_GROUPNOTFOUND;
@@ -959,6 +1000,14 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
werr = WERR_USER_NOT_FOUND;
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_USER) {
werr = WERR_USER_NOT_FOUND;
@@ -1065,6 +1114,14 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
werr = WERR_GROUPNOTFOUND;
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_DOM_GRP) {
werr = WERR_GROUPNOTFOUND;
@@ -1104,6 +1161,14 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
werr = WERR_USER_NOT_FOUND;
goto done;
}
+ if (rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
if (types.ids[0] != SID_NAME_USER) {
werr = WERR_USER_NOT_FOUND;
@@ -1515,6 +1580,14 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (group_rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (name_types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
status = dcerpc_samr_OpenGroup(b, talloc_tos(),
&domain_handle,
@@ -1559,6 +1632,14 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (names.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (member_types.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
for (i=0; i < names.count; i++) {
@@ -1691,6 +1772,14 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (group_rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (group_types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
status = dcerpc_samr_OpenGroup(b, talloc_tos(),
&domain_handle,
@@ -1769,6 +1858,15 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
goto done;
}
+ if (r->in.num_entries != user_rids.count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (r->in.num_entries != name_types.count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+
member_rids = user_rids.ids;
status = dcerpc_samr_QueryGroupMember(b, talloc_tos(),
diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
index 6501edd..241970d 100644
--- a/source3/lib/netapi/localgroup.c
+++ b/source3/lib/netapi/localgroup.c
@@ -58,6 +58,12 @@ static NTSTATUS libnetapi_samr_lookup_and_open_alias(TALLOC_CTX *mem_ctx,
if (!NT_STATUS_IS_OK(result)) {
return result;
}
+ if (user_rids.count != 1) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (name_types.count != 1) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
switch (name_types.ids[0]) {
case SID_NAME_ALIAS:
@@ -1041,7 +1047,7 @@ static NTSTATUS libnetapi_lsa_lookup_names3(TALLOC_CTX *mem_ctx,
NT_STATUS_NOT_OK_RETURN(result);
if (count != 1 || sids.count != 1) {
- return NT_STATUS_NONE_MAPPED;
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
sid_copy(sid, sids.sids[0].sid);
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index a2d6c79..4a39f69 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -604,6 +604,14 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (user_rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (name_types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
status = dcerpc_samr_OpenUser(b, talloc_tos(),
&domain_handle,
@@ -1803,6 +1811,14 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (user_rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (name_types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
status = libnetapi_samr_lookup_user_map_USER_INFO(ctx, pipe_cli,
domain_sid,
@@ -1968,6 +1984,14 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (user_rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (name_types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
status = dcerpc_samr_OpenUser(b, talloc_tos(),
&domain_handle,
@@ -3027,6 +3051,14 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (user_rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (name_types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
status = dcerpc_samr_OpenUser(b, talloc_tos(),
&domain_handle,
@@ -3082,6 +3114,14 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (names.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
for (i=0; i < names.count; i++) {
status = add_GROUP_USERS_INFO_X_buffer(ctx,
@@ -3202,6 +3242,14 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (user_rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (name_types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
status = dcerpc_samr_OpenUser(b, talloc_tos(),
&domain_handle,
@@ -3262,6 +3310,14 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (group_rids.count != r->in.num_entries) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (name_types.count != r->in.num_entries) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
member_rids = group_rids.ids;
@@ -3539,6 +3595,14 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (user_rids.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (name_types.count != 1) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
status = dcerpc_samr_OpenUser(b, talloc_tos(),
&domain_handle,
@@ -3660,6 +3724,14 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (names.count != num_rids) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != num_rids) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
for (i=0; i < names.count; i++) {
status = add_LOCALGROUP_USERS_INFO_X_buffer(ctx,
diff --git a/source3/lib/util_tsock.c b/source3/lib/util_tsock.c
index 35a97f5..03380ef 100644
--- a/source3/lib/util_tsock.c
+++ b/source3/lib/util_tsock.c
@@ -110,6 +110,11 @@ static void tstream_read_packet_done(struct tevent_req *subreq)
return;
}
+ if (total + more < total) {
+ tevent_req_error(req, EMSGSIZE);
+ return;
+ }
+
tmp = talloc_realloc(state, state->buf, uint8_t, total+more);
if (tevent_req_nomem(tmp, req)) {
return;
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 4200c2d..c1eccda 100644
--- a/source3/libnet/libnet_join.c
--
Samba Shared Repository
More information about the samba-cvs
mailing list