authorStefan Metzmacher <metze@samba.org>2015-07-07 13:05:01 +0200
committerStefan Metzmacher <metze@samba.org>2016-04-12 19:25:32 +0200
commitdc91d352578bbc4a4f1d2d6022f486c1ae89773b (patch)
tree403fc4631ed1f0c3f474fb966a9737ea5791371c /source3/rpc_server/srv_pipe.c
parent3fdc4de983bfa31cf41912f56b075b7f942c9580 (diff)
CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
An alter context can't change the syntax of an existing context; a new context_id will be used for that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source3/rpc_server/srv_pipe.c')
-rw-r--r--source3/rpc_server/srv_pipe.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 27fd83cab69..bb3c3e8691c 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -365,6 +365,30 @@ static bool check_bind_req(struct pipes_struct *p,
return false;
}
+ for (context_fns = p->contexts;
+ context_fns != NULL;
+ context_fns = context_fns->next)
+ {
+ if (context_fns->context_id != context_id) {
+ continue;
+ }
+
+ ok = ndr_syntax_id_equal(&context_fns->syntax,
+ abstract);
+ if (ok) {
+ return true;
+ }
+
+ DEBUG(1,("check_bind_req: changing abstract syntax for "
+ "%s context_id=%u into %s not supported\n",
+ ndr_interface_name(&context_fns->syntax.uuid,
+ context_fns->syntax.if_version),
+ (unsigned)context_id,
+ ndr_interface_name(&abstract->uuid,
+ abstract->if_version)));
+ return false;
+ }
+
/* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
if (!rpc_srv_pipe_exists_by_id(abstract)) {
return false;
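Review bot: The `return true` inside the new loop leaves check_bind_req() before the `rpc_srv_pipe_exists_by_id(abstract)` check and whatever follows it, and nothing at that spot says why skipping them is safe. A comment above the loop would record the invariant, e.g. `/* context_id is already bound: accept only the identical abstract syntax, never rebind it */`, presumably relying on the context having been validated when it was first created. The rejection path logs at `DEBUG(1,...)` for a condition the remote peer controls, so a client repeating such alter-context requests can fill the log at a commonly enabled level; a higher debug level may be worth considering. The function body starts and ends outside the hunk, so how the caller treats the `false` return is not visible here.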