From f4ef85fd47b6176d6133fb1aa04cff1541314191 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 10 Jul 2015 14:48:38 +0200
Subject: [PATCH] CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source3/rpc_client/cli_pipe.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 56e5d174db7..26f709df2c5 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -990,6 +990,11 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
 return;
 }
 
+ if (state->reply_pdu_offset + rdata.length > MAX_RPC_DATA_SIZE) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
 /* Now copy the data portion out of the pdu into rbuf. */
 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
 if (!data_blob_realloc(NULL, &state->reply_pdu,
-- 
2.11.4.GIT
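Review bot: The new bound check in rpc_api_pipe_got_pdu() has no comment saying what it protects, and the sum `state->reply_pdu_offset + rdata.length` is recomputed by the realloc condition two lines below it; a one-line comment such as `/* Cap the reassembled reply so a server cannot grow reply_pdu without bound. */` plus a shared local would make the intent and the coupling between the two checks explicit, e.g. `size_t needed = state->reply_pdu_offset + rdata.length;` then `if (needed > MAX_RPC_DATA_SIZE) {` and `if (state->reply_pdu.length < needed) {`. The check adds before comparing; if rdata.length is already bounded by the fragment length the PDU parser accepted, the sum cannot wrap, but if that bound is not guaranteed upstream the wrap-free form `if (rdata.length > MAX_RPC_DATA_SIZE - state->reply_pdu_offset)` is the safer spelling (this presumes reply_pdu_offset never exceeds MAX_RPC_DATA_SIZE once this check is in place — confirm). The body of rpc_api_pipe_got_pdu starts before the hunk and continues after it, so the types of reply_pdu_offset and rdata.length are not visible here.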