$OpenBSD: patch-source3_librpc_rpc_dcerpc_helpers_c,v 1.1 2014/02/06 04:33:24 brad Exp $

DCE-RPC fragment length field is incorrectly checked.
CVE-2013-4408

--- source3/librpc/rpc/dcerpc_helpers.c.orig	Wed May  8 04:16:26 2013
+++ source3/librpc/rpc/dcerpc_helpers.c	Tue Jan 28 02:16:43 2014
@@ -129,6 +129,10 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
 		NDR_PRINT_DEBUG(ncacn_packet, r);
 	}
 
+	if (r->frag_length != blob->length) {
+		return NT_STATUS_RPC_PROTOCOL_ERROR;
+	}
+
 	return NT_STATUS_OK;
 }
 
