From f900e61cf81524f432eea9d349523cba140b160f Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Sat, 12 Sep 2009 23:25:00 +0200
Subject: [PATCH] s3-schannel: fix api_pipe_schannel_process(), was using
 incorrect buffer length.

Found by RPC-SCHANNEL torture test.

Guenther
---
 source3/rpc_server/srv_pipe.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 7be0a0d2d2d..ce7df63972a 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -2199,11 +2199,13 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
 		return False;
 	}
 
-	blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), data_len);
+	blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
 
 	ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &schannel_chk,
 			       (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_SIGNATURE);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		DEBUG(0,("failed to pull NL_AUTH_SIGNATURE\n"));
+		dump_data(2, blob.data, blob.length);
 		return false;
 	}
 
-- 
2.11.4.GIT