author: Jeremy Allison <jra@samba.org> 2015-06-18 09:57:42 -0700
committer: Jeremy Allison <jra@samba.org> 2015-06-18 19:25:27 +0200
commit: 5deb8169fecef108b4f8010446398475ba8b46de (patch)
tree: 162d65bc7dd23b8fac8bd46dede1ee76591fc28c /auth
parent: a680d605a72716f20d5cae3635b681de9c71abda (diff)
dcerpc: NULL pointer deref crash in handling rpc request.

source4/rpc_server/dcerpc_server.c:dcesrv_request() calls gensec_have_feature().

Codenomicon found a code path that allows the client to send a request that calls into this function without ever having set up security. So call->conn->auth_state.gensec_security exists (gensec has been initialized when the RPC pipe is set up) but call->conn->auth_state.gensec_security->ops has not been initialized. We dereference the NULL pointer and crash.

An alternate way to fix this would be to create a new public bool gensec_initialized() function and call that inside dcesrv_request() instead of doing a null check on call->conn->auth_state.gensec_security, but that's a more invasive fix we can add later.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11341

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Diffstat (limited to 'auth')
-rw-r--r-- auth/gensec/gensec.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 8b5c02d111c..d9504f773c4 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -533,7 +533,7 @@ _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
_PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
- if (!gensec_security->ops->have_feature) {
+ if (!gensec_security->ops || !gensec_security->ops->have_feature) {
return false;
}
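
Review bot: In gensec_have_feature(), the new condition still dereferences gensec_security itself without a check, so the function is only safe if every caller guarantees a non-NULL pointer; either put `!gensec_security ||` at the front of the condition or state that precondition in a comment on the function. Returning false when ops is unset also makes "security was never set up" indistinguishable from "feature not supported", so the caller in dcesrv_request() should be confirmed to reject the request on false rather than treat it as an ordinary missing feature. gensec_want_feature(), named in the hunk header, is worth checking for the same unguarded ops dereference.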