$OpenBSD: patch-source3_rpcclient_cmd_lsarpc_c,v 1.1 2014/02/06 04:33:25 brad Exp $

DCE-RPC fragment length field is incorrectly checked.
CVE-2013-4408

--- source3/rpcclient/cmd_lsarpc.c.orig	Tue Jan 28 02:16:43 2014
+++ source3/rpcclient/cmd_lsarpc.c	Tue Jan 28 02:16:43 2014
@@ -323,7 +323,7 @@ static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_
 
 	uint32_t num_names;
 	struct lsa_String *names;
-	struct lsa_RefDomainList *domains;
+	struct lsa_RefDomainList *domains = NULL;
 	struct lsa_TransSidArray3 sids;
 	uint32_t count = 0;
 	int i;
@@ -359,6 +359,10 @@ static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_
 	}
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
+	}
+
+	if (sids.count != num_names) {
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
 	}
 
 	for (i = 0; i < sids.count; i++) {
