$OpenBSD: patch-source3_lib_netapi_user_c,v 1.2 2014/04/10 00:50:58 brad Exp $

DCE-RPC fragment length field is incorrectly checked.
CVE-2013-4408

--- source3/lib/netapi/user.c.orig	Wed May  8 04:16:26 2013
+++ source3/lib/netapi/user.c	Wed Apr  9 17:25:42 2014
@@ -3081,6 +3081,14 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
 		werr = ntstatus_to_werror(result);
 		goto done;
 	}
+	if (names.count != rid_array->count) {
+		werr = WERR_BAD_NET_RESP;
+		goto done;
+	}
+	if (types.count != rid_array->count) {
+		werr = WERR_BAD_NET_RESP;
+		goto done;
+	}
 
 	for (i=0; i < names.count; i++) {
 		status = add_GROUP_USERS_INFO_X_buffer(ctx,
@@ -3658,6 +3666,14 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *c
 	}
 	if (!NT_STATUS_IS_OK(result)) {
 		werr = ntstatus_to_werror(result);
+		goto done;
+	}
+	if (names.count != num_rids) {
+		werr = WERR_BAD_NET_RESP;
+		goto done;
+	}
+	if (types.count != num_rids) {
+		werr = WERR_BAD_NET_RESP;
 		goto done;
 	}
 
