CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2015-07-09 07:59:24 +0200
committer: Stefan Metzmacher <metze@samba.org> 2016-03-30 04:39:46 +0200
commit: 569781f85853f2fdb8efcbe30048baaaeb23e1f8 (patch)
tree: f06230ccaec07f0b40d93154661c3af2c1001296 /source3/librpc
parent: dd2c27082e620407c6effdaae5b84d94eea68918 (diff)
download: samba-569781f85853f2fdb8efcbe30048baaaeb23e1f8.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index bb1da467ccc..054647c3f58 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -548,6 +548,14 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 		return status;
 	}
 
+	if (auth_info.auth_type != auth->auth_type) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (auth_info.auth_level != auth->auth_level) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	pkt_trailer->length -= auth_length;
 	data = data_blob_const(raw_pkt->data + header_size,
 			       pkt_trailer->length);
author	Stefan Metzmacher <metze@samba.org>	2015-07-09 07:59:24 +0200
committer	Stefan Metzmacher <metze@samba.org>	2016-03-30 04:39:46 +0200
commit	569781f85853f2fdb8efcbe30048baaaeb23e1f8 (patch)
tree	f06230ccaec07f0b40d93154661c3af2c1001296 /source3/librpc
parent	dd2c27082e620407c6effdaae5b84d94eea68918 (diff)
download	samba-569781f85853f2fdb8efcbe30048baaaeb23e1f8.tar.gz