CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2015-07-09 07:59:24 +0200
committer: Stefan Metzmacher <metze@samba.org> 2016-04-12 19:25:31 +0200
commit: 8a6240872c405169176ad7314da9594afb4f8fa1 (patch)
tree: 0385294363f45399eea72689232678b333a49600 /source3/librpc
parent: 642fe0aa16b6485a9ec83f2eef917272fa2d0997 (diff)
download: samba-8a6240872c405169176ad7314da9594afb4f8fa1.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index bb1da467ccc..054647c3f58 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -548,6 +548,14 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 		return status;
 	}
 
+	if (auth_info.auth_type != auth->auth_type) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (auth_info.auth_level != auth->auth_level) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	pkt_trailer->length -= auth_length;
 	data = data_blob_const(raw_pkt->data + header_size,
 			       pkt_trailer->length);
author	Stefan Metzmacher <metze@samba.org>	2015-07-09 07:59:24 +0200
committer	Stefan Metzmacher <metze@samba.org>	2016-04-12 19:25:31 +0200
commit	8a6240872c405169176ad7314da9594afb4f8fa1 (patch)
tree	0385294363f45399eea72689232678b333a49600 /source3/librpc
parent	642fe0aa16b6485a9ec83f2eef917272fa2d0997 (diff)
download	samba-8a6240872c405169176ad7314da9594afb4f8fa1.tar.gz