diff options
author | Stefan Metzmacher <metze@samba.org> | 2015-07-07 13:05:01 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:31 +0200 |
commit | 302d927ac2f7d132d3db068de9b12bb666c4cfaf (patch) | |
tree | 87fcc2cc7d635bbb3e326bb11a03e68d206390fd | |
parent | 46436d01da9cfb5e2b08a57e02cfa482d7847137 (diff) | |
download | samba-302d927ac2f7d132d3db068de9b12bb666c4cfaf.tar.gz |
CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index a37cb3f6918..96bf212b705 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -896,6 +896,13 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt) goto err; } + if (auth_info.auth_level != p->auth.auth_level) { + DEBUG(1, ("Auth level mismatch! Client sent %d, " + "but auth was started as level %d!\n", + auth_info.auth_level, p->auth.auth_level)); + goto err; + } + gensec_security = p->auth.auth_ctx; status = auth_generic_server_step(gensec_security, @@ -1008,6 +1015,13 @@ static bool api_pipe_alter_context(struct pipes_struct *p, goto err_exit; } + if (auth_info.auth_level != p->auth.auth_level) { + DEBUG(0, ("Auth level mismatch! Client sent %d, " + "but auth was started as level %d!\n", + auth_info.auth_level, p->auth.auth_level)); + goto err_exit; + } + gensec_security = p->auth.auth_ctx; status = auth_generic_server_step(gensec_security, pkt, |