authorStefan Metzmacher <metze@samba.org>2015-07-07 13:05:01 +0200
committerStefan Metzmacher <metze@samba.org>2016-03-30 04:10:14 +0200
commit69280e6acef7c3941407d4308b659c5e90ed702d (patch)
treeba1e9e440a340709b185da55ef0eab4c3d96bd36
parent25bf597124f217c55b5ca71a5ea9cb0ea83943e5 (diff)
CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
-rw-r--r--source3/rpc_server/srv_pipe.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index ea9d50d8a57..2926f06d5f8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -860,8 +860,15 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
+ /* We can only finish if the pipe is unbound for now */
+ if (p->pipe_bound) {
+ DEBUG(0, (__location__ ": Pipe already bound, "
+ "AUTH3 not supported!\n"));
+ goto err;
+ }
+
if (pkt->auth_length == 0) {
- DEBUG(1, ("No auth field sent for bind request!\n"));
+ DEBUG(1, ("No auth field sent for auth3 request!\n"));
goto err;
}
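Review bot: The new "Pipe already bound" rejection logs at `DEBUG(0, ...)`, while the neighbouring protocol-error message in the same hunk uses `DEBUG(1, ...)`. A peer can reach this branch simply by sending AUTH3 on a bound pipe, so a level-0 message lets a remote client produce a log line on every attempt. I would use `DEBUG(1, (__location__ ": Pipe already bound, "` and keep level 0 for local faults. The body of api_pipe_bind_auth3 and the `err` label lie outside the hunk, so it is not visible here whether that path also discards pending auth state. A one-line comment at the guard saying what `err` does to the connection would help the next reader, for example `/* err: see cleanup below, the association is not kept */` once that is confirmed.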