authorStefan Metzmacher <metze@samba.org>2015-06-27 10:31:48 +0200
committerStefan Metzmacher <metze@samba.org>2016-04-12 19:25:28 +0200
commit8f6cffcb3c19f55999fc7df7f338a01bf409f70f (patch)
treee6fe5ae72f2c05805a7b17fd3d6b69142af856e1 /source4/librpc/rpc/dcerpc_auth.c
parent27da35f8dfbdc191f72087e5f139cbe2ac68462b (diff)
CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
In future we want to verify that the auth_context_id from the server is what we expect. As Samba (<= 4.2.3) uses a hardcoded value of 1 in responses, we need to use that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source4/librpc/rpc/dcerpc_auth.c')
-rw-r--r--source4/librpc/rpc/dcerpc_auth.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index aec72ca9943..443c7587e72 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -355,7 +355,12 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
sec->auth_type = auth_type;
sec->auth_level = auth_level,
- sec->auth_context_id = random();
+ /*
+ * We use auth_context_id = 1 as some older
+ * Samba versions (<= 4.2.3) use that value hardcoded
+ * in a response.
+ */
+ sec->auth_context_id = 1;
sec->auth_info = talloc(p, struct dcerpc_auth);
if (composite_nomem(sec->auth_info, c)) return c;
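Review bot: The literal `1` assigned to `sec->auth_context_id` is the value that the planned response check (announced in the commit message) will have to compare against, but nothing in this hunk ties the two together. A named constant shared by this assignment and the later check would keep them from drifting apart, and the comment could state that purpose, e.g. `/* Fixed id so the server's auth_context_id can be checked against it; Samba <= 4.2.3 always answers with 1. */`. Separately, the context line just above ends in a comma (`sec->auth_level = auth_level,`), so the new assignment is parsed as the right operand of a comma expression. It behaves the same today, but `sec->auth_level = auth_level;` would make the statement boundary explicit. The body of dcerpc_bind_auth_send starts and ends outside the hunk.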