$OpenBSD: patch-source3_winbindd_winbindd_msrpc_c,v 1.1 2014/02/06 04:33:25 brad Exp $

DCE-RPC fragment length field is incorrectly checked.
CVE-2013-4408

--- source3/winbindd/winbindd_msrpc.c.orig	Wed May  8 04:16:26 2013
+++ source3/winbindd/winbindd_msrpc.c	Tue Jan 28 02:16:43 2014
@@ -744,13 +744,19 @@ static NTSTATUS msrpc_lookup_groupmem(struct winbindd_
 		/* Copy result into array.  The talloc system will take
 		   care of freeing the temporary arrays later on. */
 
-		if (tmp_names.count != tmp_types.count) {
-			return NT_STATUS_UNSUCCESSFUL;
+		if (tmp_names.count != num_lookup_rids) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
 		}
+		if (tmp_types.count != num_lookup_rids) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
 
 		for (r=0; r<tmp_names.count; r++) {
 			if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
 				continue;
+			}
+			if (total_names >= *num_names) {
+				break;
 			}
 			(*names)[total_names] = fill_domain_username_talloc(
 				mem_ctx, domain->name,
