From ea6e3de5ae7c79b3badf9cfa8fcbaebf76ec5bae Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 24 Sep 2013 05:03:40 +0200

Subject: [PATCH 01/16] CVE-2013-4408:librpc: check for invalid frag_len

 within dcerpc_read_ncacn_packet_done()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 librpc/rpc/dcerpc_util.c |    5 +++++

 1 file changed, 5 insertions(+)

diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c

index de292c8..458ecc5 100644

--- a/librpc/rpc/dcerpc_util.c

+++ b/librpc/rpc/dcerpc_util.c

@@ -292,6 +292,11 @@ static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)

 		return;

 	}

+	if (state->pkt->frag_length != state->buffer.length) {

+		tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);

+		return;

+	}

+

 	tevent_req_done(req);

 }

-- 

1.7.9.5

From d405a5afc175c5a936511f861a35cffd3be43fd9 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 24 Sep 2013 05:03:40 +0200

Subject: [PATCH 02/16] CVE-2013-4408:librpc: check for invalid frag_len

 within dcerpc_read_ncacn_packet_next_vector()

We should do this explicit instead of relying on

tstream_readv_pdu_ask_for_next_vector() to catch the overflow.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 librpc/rpc/dcerpc_util.c |    9 +++++++++

 1 file changed, 9 insertions(+)

diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c

index 458ecc5..0b9cca3 100644

--- a/librpc/rpc/dcerpc_util.c

+++ b/librpc/rpc/dcerpc_util.c

@@ -223,6 +223,15 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,

 		ofs = state->buffer.length;

+		if (frag_len < ofs) {

+			/*

+			 * something is wrong, let the caller deal with it

+			 */

+			*_vector = NULL;

+			*_count = 0;

+			return 0;

+		}

+

 		state->buffer.data = talloc_realloc(state,

 						    state->buffer.data,

 						    uint8_t, frag_len);

-- 

1.7.9.5

From db3a2292a096d95ce672950e738c35e902077604 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Wed, 25 Sep 2013 23:25:12 +0200

Subject: [PATCH 03/16] CVE-2013-4408:s3:rpc_client: check for invalid

 frag_len in dcerpc_pull_ncacn_packet()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 source3/librpc/rpc/dcerpc_helpers.c |    4 ++++

 1 file changed, 4 insertions(+)

diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c

index d36c2da..a55e419 100644

--- a/source3/librpc/rpc/dcerpc_helpers.c

+++ b/source3/librpc/rpc/dcerpc_helpers.c

@@ -127,6 +127,10 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,

 		NDR_PRINT_DEBUG(ncacn_packet, r);

 	}

+	if (r->frag_length != blob->length) {

+		return NT_STATUS_RPC_PROTOCOL_ERROR;

+	}

+

 	return NT_STATUS_OK;

 }

-- 

1.7.9.5

From 1e1b1d587a056d898f0f5bb99235e488a06079f1 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Wed, 25 Sep 2013 23:25:12 +0200

Subject: [PATCH 04/16] CVE-2013-4408:s3:rpc_client: verify frag_len at least

 contains the header size

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 source3/rpc_client/cli_pipe.c |    8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c

index 2e978ef..fd854c4 100644

--- a/source3/rpc_client/cli_pipe.c

+++ b/source3/rpc_client/cli_pipe.c

@@ -284,6 +284,10 @@ static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,

 	}

 	state->frag_len = dcerpc_get_frag_length(pdu);

+	if (state->frag_len < RPC_HEADER_LEN) {

+		tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);

+		return tevent_req_post(req, ev);

+	}

 	/*

 	 * Ensure we have frag_len bytes of data.

@@ -332,6 +336,10 @@ static void get_complete_frag_got_header(struct tevent_req *subreq)

 	}

 	state->frag_len = dcerpc_get_frag_length(state->pdu);

+	if (state->frag_len < RPC_HEADER_LEN) {

+		tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);

+		return;

+	}

 	if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {

 		tevent_req_nterror(req, NT_STATUS_NO_MEMORY);

-- 

1.7.9.5

From 33d4dc2f0512d845cc6e00174b870833dd055862 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Wed, 25 Sep 2013 23:25:12 +0200

Subject: [PATCH 05/16] CVE-2013-4408:s4:dcerpc: check for invalid frag_len in

 ncacn_pull()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 source4/librpc/rpc/dcerpc.c |    4 ++++

 1 file changed, 4 insertions(+)

diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c

index e653cba..2826160 100644

--- a/source4/librpc/rpc/dcerpc.c

+++ b/source4/librpc/rpc/dcerpc.c

@@ -693,6 +693,10 @@ static NTSTATUS ncacn_pull(struct dcecli_connection *c, DATA_BLOB *blob, TALLOC_

 		return ndr_map_error2ntstatus(ndr_err);

 	}

+	if (pkt->frag_length != blob->length) {

+		return NT_STATUS_RPC_PROTOCOL_ERROR;

+	}

+

 	return NT_STATUS_OK;

 }

-- 

1.7.9.5

From 7ff27a03ddcb2aaa6b130266a9262dca79a324c5 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Wed, 25 Sep 2013 23:25:12 +0200

Subject: [PATCH 06/16] CVE-2013-4408:s4:dcerpc_smb: check for invalid

 frag_len in send_read_request_continue()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 source4/librpc/rpc/dcerpc_smb.c |    6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c

index e02631e..efb76cf 100644

--- a/source4/librpc/rpc/dcerpc_smb.c

+++ b/source4/librpc/rpc/dcerpc_smb.c

@@ -163,6 +163,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO

 	} else {

 		uint32_t frag_length = blob->length>=16?

 			dcerpc_get_frag_length(blob):0x2000;

+

+		if (frag_length < state->data.length) {

+			talloc_free(state);

+			return NT_STATUS_RPC_PROTOCOL_ERROR;

+		}

+

 		state->received = blob->length;

 		state->data = data_blob_talloc(state, NULL, frag_length);

 		if (!state->data.data) {

-- 

1.7.9.5

From 2e01567db620407a9bfdee28efa61ddccc1357f8 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Wed, 25 Sep 2013 23:25:12 +0200

Subject: [PATCH 07/16] CVE-2013-4408:s4:dcerpc_smb2: check for invalid

 frag_len in send_read_request_continue()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 source4/librpc/rpc/dcerpc_smb2.c |    6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/source4/librpc/rpc/dcerpc_smb2.c b/source4/librpc/rpc/dcerpc_smb2.c

index 473ca78..2b1c66e 100644

--- a/source4/librpc/rpc/dcerpc_smb2.c

+++ b/source4/librpc/rpc/dcerpc_smb2.c

@@ -173,6 +173,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO

 	if (state->data.length >= 16) {

 		uint16_t frag_length = dcerpc_get_frag_length(&state->data);

+

+		if (frag_length < state->data.length) {

+			talloc_free(state);

+			return NT_STATUS_RPC_PROTOCOL_ERROR;

+		}

+

 		io.in.length = frag_length - state->data.length;

 	} else {

 		io.in.length = 0x2000;

-- 

1.7.9.5

From 2a94a9db0086582119bbcb7b4c82e86e8a3f8137 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Tue, 24 Sep 2013 05:03:40 +0200

Subject: [PATCH 08/16] CVE-2013-4408:s4:dcerpc_sock: check for invalid

 frag_len within sock_complete_packet()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 source4/librpc/rpc/dcerpc_sock.c |    6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/source4/librpc/rpc/dcerpc_sock.c b/source4/librpc/rpc/dcerpc_sock.c

index 58fca4c..d36af11 100644

--- a/source4/librpc/rpc/dcerpc_sock.c

+++ b/source4/librpc/rpc/dcerpc_sock.c

@@ -102,6 +102,12 @@ static NTSTATUS sock_complete_packet(void *private_data, DATA_BLOB blob, size_t

 		return STATUS_MORE_ENTRIES;

 	}

 	*size = dcerpc_get_frag_length(&blob;;

+	if (*size < blob.length) {

+		/*

+		 * something is wrong, let the caller deal with it

+		 */

+		*size = blob.length;

+	}

 	if (*size > blob.length) {

 		return STATUS_MORE_ENTRIES;

 	}

-- 

1.7.9.5

From 79c3d6df2fc63e188ae6091d6f0bd0a55f3fe548 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Wed, 16 Oct 2013 14:17:49 +0200

Subject: [PATCH 09/16] CVE-2013-4408:async_sock: add some overflow detection

 to read_packet_handler()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 lib/async_req/async_sock.c |    5 +++++

 1 file changed, 5 insertions(+)

diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c

index 59dde88..74b2cb7 100644

--- a/lib/async_req/async_sock.c

+++ b/lib/async_req/async_sock.c

@@ -667,6 +667,11 @@ static void read_packet_handler(struct tevent_context *ev,

 		return;

 	}

+	if (total + more < total) {

+		tevent_req_error(req, EMSGSIZE);

+		return;

+	}

+

 	tmp = talloc_realloc(state, state->buf, uint8_t, total+more);

 	if (tevent_req_nomem(tmp, req)) {

 		return;

-- 

1.7.9.5

From ebfad1eadb3fc492f31c35a9d2585fe27ed00ad5 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Wed, 16 Oct 2013 14:17:49 +0200

Subject: [PATCH 10/16] CVE-2013-4408:s3:util_tsock: add some overflow

 detection to tstream_read_packet_done()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 source3/lib/util_tsock.c |    5 +++++

 1 file changed, 5 insertions(+)

diff --git a/source3/lib/util_tsock.c b/source3/lib/util_tsock.c

index 35a97f5..03380ef 100644

--- a/source3/lib/util_tsock.c

+++ b/source3/lib/util_tsock.c

@@ -110,6 +110,11 @@ static void tstream_read_packet_done(struct tevent_req *subreq)

 		return;

 	}

+	if (total + more < total) {

+		tevent_req_error(req, EMSGSIZE);

+		return;

+	}

+

 	tmp = talloc_realloc(state, state->buf, uint8_t, total+more);

 	if (tevent_req_nomem(tmp, req)) {

 		return;

-- 

1.7.9.5

From 1108ce2b996cde47a653cdfca27e059e3986da5f Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Wed, 16 Oct 2013 14:17:49 +0200

Subject: [PATCH 11/16] CVE-2013-4408:libcli/util: add some size verification

 to tstream_read_pdu_blob_done()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 libcli/util/tstream.c |    5 +++++

 1 file changed, 5 insertions(+)

diff --git a/libcli/util/tstream.c b/libcli/util/tstream.c

index 12cef9b..dd830e2 100644

--- a/libcli/util/tstream.c

+++ b/libcli/util/tstream.c

@@ -129,6 +129,11 @@ static void tstream_read_pdu_blob_done(struct tevent_req *subreq)

 		return;

 	}

+	if (new_buf_size <= old_buf_size) {

+		tevent_req_nterror(req, NT_STATUS_INVALID_BUFFER_SIZE);

+		return;

+	}

+

 	buf = talloc_realloc(state, state->pdu_blob.data, uint8_t, new_buf_size);

 	if (tevent_req_nomem(buf, req)) {

 		return;

-- 

1.7.9.5

From 72d5d302c5ed46f3ca465653f6c595ea500b3063 Mon Sep 17 00:00:00 2001

From: Stefan Metzmacher <metze@samba.org>

Date: Wed, 16 Oct 2013 16:26:58 +0200

Subject: [PATCH 12/16] CVE-2013-4408:s3:ctdb_conn: add some length

 verification to ctdb_packet_more()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Jeremy Allison <jra@samba.org>

---

 source3/lib/ctdb_conn.c |    5 +++++

 1 file changed, 5 insertions(+)

diff --git a/source3/lib/ctdb_conn.c b/source3/lib/ctdb_conn.c

index 90930eb..40071d4 100644

--- a/source3/lib/ctdb_conn.c

+++ b/source3/lib/ctdb_conn.c

@@ -233,6 +233,11 @@ static ssize_t ctdb_packet_more(uint8_t *buf, size_t buflen, void *p)

 		return 0;

 	}

 	memcpy(&len, buf, sizeof(len));

+

+	if (len < sizeof(uint32_t)) {

+		return -1;

+	}

+

 	return (len - sizeof(uint32_t));

 }

-- 

1.7.9.5

From 5335358922eb2d86f00c73bb9e11940cc0cec7ce Mon Sep 17 00:00:00 2001

From: Jeremy Allison <jra@samba.org>

Date: Thu, 17 Oct 2013 14:44:35 -0700

Subject: [PATCH 13/16] CVE-2013-4408:s3:Ensure we always check call_id when

 validating an RPC reply.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Jeremy Allison <jra@samba.org>

Reviewed-by: Stefan Metzmacher <metze@samba.org>

---

 source3/rpc_client/cli_pipe.c |   33 +++++++++++++++++++++++++--------

 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c

index fd854c4..385ae25 100644

--- a/source3/rpc_client/cli_pipe.c

+++ b/source3/rpc_client/cli_pipe.c

@@ -389,6 +389,7 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,

 						struct ncacn_packet *pkt,

 						DATA_BLOB *pdu,

 						uint8_t expected_pkt_type,

+						uint32_t call_id,

 						DATA_BLOB *rdata,

 						DATA_BLOB *reply_pdu)

 {

@@ -487,7 +488,7 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,

 			  "from %s!\n",

 			  (unsigned int)pkt->ptype,

 			  rpccli_pipe_txt(talloc_tos(), cli)));

-		return NT_STATUS_INVALID_INFO_CLASS;

+		return NT_STATUS_RPC_PROTOCOL_ERROR;

 	}

 	if (pkt->ptype != expected_pkt_type) {

@@ -495,7 +496,15 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,

 			  "RPC packet type - %u, not %u\n",

 			  rpccli_pipe_txt(talloc_tos(), cli),

 			  pkt->ptype, expected_pkt_type));

-		return NT_STATUS_INVALID_INFO_CLASS;

+		return NT_STATUS_RPC_PROTOCOL_ERROR;

+	}

+

+	if (pkt->call_id != call_id) {

+		DEBUG(3, (__location__ ": Connection to %s got an unexpected "

+			  "RPC call_id - %u, not %u\n",

+			  rpccli_pipe_txt(talloc_tos(), cli),

+			  pkt->call_id, call_id));

+		return NT_STATUS_RPC_PROTOCOL_ERROR;

 	}

 	/* Do this just before return - we don't want to modify any rpc header

@@ -701,6 +710,7 @@ struct rpc_api_pipe_state {

 	struct tevent_context *ev;

 	struct rpc_pipe_client *cli;

 	uint8_t expected_pkt_type;

+	uint32_t call_id;

 	DATA_BLOB incoming_frag;

 	struct ncacn_packet *pkt;

@@ -719,7 +729,8 @@ static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,

 					    struct tevent_context *ev,

 					    struct rpc_pipe_client *cli,

 					    DATA_BLOB *data, /* Outgoing PDU */

-					    uint8_t expected_pkt_type)

+					    uint8_t expected_pkt_type,

+					    uint32_t call_id)

 {

 	struct tevent_req *req, *subreq;

 	struct rpc_api_pipe_state *state;

@@ -733,6 +744,7 @@ static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,

 	state->ev = ev;

 	state->cli = cli;

 	state->expected_pkt_type = expected_pkt_type;

+	state->call_id = call_id;

 	state->incoming_frag = data_blob_null;

 	state->reply_pdu = data_blob_null;

 	state->reply_pdu_offset = 0;

@@ -884,6 +896,7 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)

 						state->cli, state->pkt,

 						&state->incoming_frag,

 						state->expected_pkt_type,

+						state->call_id,

 						&rdata,

 						&state->reply_pdu);

@@ -1226,7 +1239,8 @@ struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,

 	if (is_last_frag) {

 		subreq = rpc_api_pipe_send(state, ev, state->cli,

 					   &state->rpc_out,

-					   DCERPC_PKT_RESPONSE);

+					   DCERPC_PKT_RESPONSE,

+					   state->call_id);

 		if (subreq == NULL) {

 			goto fail;

 		}

@@ -1362,7 +1376,8 @@ static void rpc_api_pipe_req_write_done(struct tevent_req *subreq)

 	if (is_last_frag) {

 		subreq = rpc_api_pipe_send(state, state->ev, state->cli,

 					   &state->rpc_out,

-					   DCERPC_PKT_RESPONSE);

+					   DCERPC_PKT_RESPONSE,

+					   state->call_id);

 		if (tevent_req_nomem(subreq, req)) {

 			return;

 		}

@@ -1608,7 +1623,7 @@ struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,

 	}

 	subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out,

-				   DCERPC_PKT_BIND_ACK);

+				   DCERPC_PKT_BIND_ACK, state->rpc_call_id);

 	if (subreq == NULL) {

 		goto fail;

 	}

@@ -1916,7 +1931,8 @@ static NTSTATUS rpc_bind_next_send(struct tevent_req *req,

 	}

 	subreq = rpc_api_pipe_send(state, state->ev, state->cli,

-				   &state->rpc_out, DCERPC_PKT_ALTER_RESP);

+				   &state->rpc_out, DCERPC_PKT_ALTER_RESP,

+				   state->rpc_call_id);

 	if (subreq == NULL) {

 		return NT_STATUS_NO_MEMORY;

 	}

@@ -1948,7 +1964,8 @@ static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,

 	}

 	subreq = rpc_api_pipe_send(state, state->ev, state->cli,

-				   &state->rpc_out, DCERPC_PKT_AUTH3);

+				   &state->rpc_out, DCERPC_PKT_AUTH3,

+				   state->rpc_call_id);

 	if (subreq == NULL) {

 		return NT_STATUS_NO_MEMORY;

 	}

-- 

1.7.9.5

From 7d60c72841e8b2e4315e506fb1033508b43425f6 Mon Sep 17 00:00:00 2001

From: Jeremy Allison <jra@samba.org>

Date: Thu, 7 Nov 2013 20:38:01 -0800

Subject: [PATCH 14/16] CVE-2013-4408:s3:Ensure LookupSids replies arrays are

 range checked.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jeremy Allison <jra@samba.org>

---

 nsswitch/libwbclient/wbc_sid.c     |    7 +++++++

 nsswitch/wbinfo.c                  |   23 ++++++++++++++++++++---

 source3/rpc_client/cli_lsarpc.c    |   17 ++++++++++++++++-

 source3/rpcclient/cmd_lsarpc.c     |    7 +++++--

 source3/winbindd/wb_lookupsids.c   |    3 +++

 source3/winbindd/winbindd_rpc.c    |   32 ++++++++++++++++++++++++++++++++

 source4/libcli/util/clilsa.c       |   16 +++++++++++++++-

 source4/winbind/wb_async_helpers.c |   13 ++++++++++++-

 8 files changed, 110 insertions(+), 8 deletions(-)

diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c

index bab6933..82ac339 100644

--- a/nsswitch/libwbclient/wbc_sid.c

+++ b/nsswitch/libwbclient/wbc_sid.c

@@ -421,6 +421,13 @@ wbcErr wbcLookupSids(const struct wbcDomainSid *sids, int num_sids,

 	for (i=0; i

 		names[i].domain_index = strtoul(p, &q, 10);

+		if (names[i].domain_index < 0) {

+			goto wbc_err_invalid;

+		}

+		if (names[i].domain_index >= num_domains) {

+			goto wbc_err_invalid;

+		}

+

 		if (*q != ' ') {

 			goto wbc_err_invalid;

 		}

diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c

index 17977ed..3f0310a 100644

--- a/nsswitch/wbinfo.c

+++ b/nsswitch/wbinfo.c

@@ -1391,11 +1391,28 @@ static bool wbinfo_lookup_sids(const char *arg)

 	}

 	for (i=0; i

+		const char *domain = NULL;

+

 		wbcSidToStringBuf(&sids[i], sidstr, sizeof(sidstr));

-		d_printf("%s -> %s\\%s %d\n", sidstr,

-			 domains[names[i].domain_index].short_name,

-			 names[i].name, names[i].type);

+		if (names[i].domain_index >= num_domains) {

+			domain = "<none>";

+		} else if (names[i].domain_index < 0) {

+			domain = "<none>";

+		} else {

+			domain = domains[names[i].domain_index].short_name;

+		}

+

+		if (names[i].type == WBC_SID_NAME_DOMAIN) {

+			d_printf("%s -> %s %d\n", sidstr,

+				domain,

+				names[i].type);

+		} else {

+			d_printf("%s -> %s%c%s %d\n", sidstr,

+				domain,

+				winbind_separator(),

+				names[i].name, names[i].type);

+		}

 	}

 	wbcFreeMemory(names);

 	wbcFreeMemory(domains);

diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c

index 126f370..7cadd6e 100644

--- a/source3/rpc_client/cli_lsarpc.c

+++ b/source3/rpc_client/cli_lsarpc.c

@@ -279,11 +279,26 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,

 	for (i = 0; i < num_sids; i++) {

 		const char *name, *dom_name;

-		uint32_t dom_idx = lsa_names.names[i].sid_index;

+		uint32_t dom_idx;

+

+		if (i >= lsa_names.count) {

+			*presult = NT_STATUS_INVALID_NETWORK_RESPONSE;

+			return status;

+		}

+

+		dom_idx = lsa_names.names[i].sid_index;

 		/* Translate optimised name through domain index array */

 		if (dom_idx != 0xffffffff) {

+			if (ref_domains == NULL) {

+				*presult = NT_STATUS_INVALID_NETWORK_RESPONSE;

+				return status;

+			}

+			if (dom_idx >= ref_domains->count) {

+				*presult = NT_STATUS_INVALID_NETWORK_RESPONSE;

+				return status;

+			}

 			dom_name = ref_domains->domains[dom_idx].name.string;

 			name = lsa_names.names[i].name.string;

diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c

index cbc089f..a7ee4e4 100644

--- a/source3/rpcclient/cmd_lsarpc.c

+++ b/source3/rpcclient/cmd_lsarpc.c

@@ -450,7 +450,7 @@ static NTSTATUS cmd_lsa_lookup_sids3(struct rpc_pipe_client *cli,

 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result;

 	int i;

 	struct lsa_SidArray sids;

-	struct lsa_RefDomainList *domains;

+	struct lsa_RefDomainList *domains = NULL;

 	struct lsa_TransNameArray2 names;

 	uint32_t count = 0;

 	struct dcerpc_binding_handle *b = cli->binding_handle;

@@ -506,9 +506,12 @@ static NTSTATUS cmd_lsa_lookup_sids3(struct rpc_pipe_client *cli,

 	/* Print results */

-	for (i = 0; i < count; i++) {

+	for (i = 0; i < names.count; i++) {

 		fstring sid_str;

+		if (i >= sids.num_sids) {

+			break;

+		}

 		sid_to_fstring(sid_str, sids.sids[i].sid);

 		printf("%s %s (%d)\n", sid_str,

 		       names.names[i].name.string,

diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c

index 2c4ebda..e10d511 100644

--- a/source3/winbindd/wb_lookupsids.c

+++ b/source3/winbindd/wb_lookupsids.c

@@ -402,6 +402,9 @@ static bool wb_lookupsids_move_name(struct lsa_RefDomainList *src_domains,

 	uint32_t src_domain_index, dst_domain_index;

 	src_domain_index = src_name->sid_index;

+	if (src_domain_index >= src_domains->count) {

+		return false;

+	}

 	src_domain = &src_domains->domains[src_domain_index];

 	if (!wb_lookupsids_find_dom_idx(

diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c

index 44deeb0..7345ea7 100644

--- a/source3/winbindd/winbindd_rpc.c

+++ b/source3/winbindd/winbindd_rpc.c