authorStefan Metzmacher <metze@samba.org>2015-07-08 00:01:37 +0200
committerStefan Metzmacher <metze@samba.org>2016-04-12 19:25:32 +0200
commit1c0f927a4efa753af98fdcf405d81c0567fce139 (patch)
tree37d4a6e1dac105285e0c3c0e9c9a3690b2f64241 /source3/rpc_server
parentf56428760aedca26967a565ce3738a379c50ca5a (diff)
CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
This is better than using hardcoded values. We need to use the value the client used in the BIND request. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/rpc_ncacn_np.c1
-rw-r--r--source3/rpc_server/srv_pipe.c13
2 files changed, 8 insertions, 6 deletions
diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
index 5514956b983..5647596f559 100644
--- a/source3/rpc_server/rpc_ncacn_np.c
+++ b/source3/rpc_server/rpc_ncacn_np.c
@@ -977,6 +977,7 @@ static NTSTATUS rpc_pipe_open_external(TALLOC_CTX *mem_ctx,
}
result->auth->auth_type = DCERPC_AUTH_TYPE_NONE;
result->auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
+ result->auth->auth_context_id = 0;
status = rpccli_anon_bind_data(result, &auth);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index bb3c3e8691c..821623c7cd8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -539,6 +539,7 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
p->auth.auth_ctx = gensec_security;
p->auth.auth_type = auth_info->auth_type;
p->auth.auth_level = auth_info->auth_level;
+ p->auth.auth_context_id = auth_info->auth_context_id;
if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
p->auth.client_hdr_signing = true;
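Review bot: The new assignment in pipe_auth_generic_bind stores a value chosen by the client, and nothing at the assignment says so, although the later hunks in this file rely on it. I would add a comment above it such as `/* chosen by the client in the BIND auth trailer; echoed back in our bind and alter-context replies */`, so a later reader does not mistake the field for a server-assigned handle. The function starts and ends outside the hunk, so whether `auth_info` has been validated before this point cannot be seen from here.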
@@ -812,6 +813,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
} else {
p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
+ p->auth.auth_context_id = 0;
}
ZERO_STRUCT(u.bind_ack);
@@ -862,12 +864,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
}
if (auth_resp.length) {
-
status = dcerpc_push_dcerpc_auth(pkt,
p->auth.auth_type,
p->auth.auth_level,
- 0,
- 1, /* auth_context_id */
+ 0, /* pad_len */
+ p->auth.auth_context_id,
&auth_resp,
&auth_blob);
if (!NT_STATUS_IS_OK(status)) {
@@ -1222,10 +1223,10 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
if (auth_resp.length) {
status = dcerpc_push_dcerpc_auth(pkt,
- auth_info.auth_type,
- auth_info.auth_level,
+ p->auth.auth_type,
+ p->auth.auth_level,
0, /* pad_len */
- 1, /* auth_context_id */
+ p->auth.auth_context_id,
&auth_resp,
&auth_blob);
if (!NT_STATUS_IS_OK(status)) {
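Review bot: Nothing in this hunk compares the `auth_info` parsed from the alter-context request against the stored `p->auth` values that the reply in api_pipe_alter_context is now built from. A client that sends a different auth type, level or context id than it used in BIND would get a reply carrying the bound values, which hides the mismatch instead of rejecting the request. Unless an earlier part of the function, outside the hunk, already does this, I would fail the request before the push when `auth_info.auth_context_id != p->auth.auth_context_id`, and likewise for `auth_type` and `auth_level`. The same question applies to any other path that accepts an auth trailer after the bind, though none is visible in this diff.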