From f1e2d2d9c46142e2e7d2948092385b201affafaa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 16 Oct 2013 16:26:58 +0200
Subject: [PATCH] CVE-2013-4408:s3:ctdb_conn: add some length verification to ctdb_packet_more()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 source3/lib/ctdb_conn.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/lib/ctdb_conn.c b/source3/lib/ctdb_conn.c
index a96615fb6ca..313bd7917a7 100644
--- a/source3/lib/ctdb_conn.c
+++ b/source3/lib/ctdb_conn.c
@@ -220,6 +220,11 @@ static ssize_t ctdb_packet_more(uint8_t *buf, size_t buflen, void *p)
 return 0;
 }
 memcpy(&len, buf, sizeof(len));
+
+ if (len < sizeof(uint32_t)) {
+ return -1;
+ }
+
 return (len - sizeof(uint32_t));
 }
 
-- 
2.11.4.GIT
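Review bot: The guard added after `memcpy(&len, buf, sizeof(len))` sets only a lower bound, so any `len` read from the wire up to UINT32_MAX is still returned as the number of bytes to wait for. What the caller does with that value is outside the hunk, but if it sizes a read or an allocation from it, an upper limit belongs in the same test, e.g. `if (len < sizeof(uint32_t) || len > max_pkt_len) {`, where `max_pkt_len` is a placeholder for whatever cap the project chooses. Where `ssize_t` is 32 bits, a large `len - sizeof(uint32_t)` also converts to a negative return that cannot be told apart from the new `-1`; this is probably acceptable as a rejection, but it should be a deliberate choice. A short comment above the check, such as `/* len appears to include its own 4-byte prefix; a smaller value would wrap the subtraction below */`, would record why the test exists. The body of `ctdb_packet_more` begins before the hunk, so the earlier `buflen` handling was not reviewed here.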