authorStefan Metzmacher <metze@samba.org>2015-06-26 08:10:46 +0200
committerStefan Metzmacher <metze@samba.org>2016-04-12 19:25:29 +0200
commit5c76e84663b8084a1e24f564325853eed7e80e26 (patch)
treefab8d0d313166ad6743c9b58a13625edc8c7d86a /source4/rpc_server/common
parentc58dbe45a22dbee7c186aa09deedf436cd467a2b (diff)
CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
This depends on the type of the incoming pdu. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source4/rpc_server/common')
-rw-r--r--source4/rpc_server/common/reply.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/source4/rpc_server/common/reply.c b/source4/rpc_server/common/reply.c
index e4150e62d31..77d8d7996ec 100644
--- a/source4/rpc_server/common/reply.c
+++ b/source4/rpc_server/common/reply.c
@@ -111,7 +111,20 @@ NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code)
pkt.ptype = DCERPC_PKT_FAULT;
pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
pkt.u.fault.alloc_hint = 24;
- pkt.u.fault.context_id = 0;
+ switch (call->pkt.ptype) {
+ case DCERPC_PKT_REQUEST:
+ pkt.u.fault.context_id = call->pkt.u.request.context_id;
+ break;
+ default:
+ pkt.u.fault.context_id = 0;
+ break;
+ }
+ if (fault_code == DCERPC_NCA_S_PROTO_ERROR) {
+ /*
+ * context_id = 0 is forced on protocol errors.
+ */
+ pkt.u.fault.context_id = 0;
+ }
pkt.u.fault.cancel_count = 0;
pkt.u.fault.status = fault_code;
pkt.u.fault._pad = data_blob_const(zeros, sizeof(zeros));
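Review bot: The new `switch (call->pkt.ptype)` and the later `if (fault_code == DCERPC_NCA_S_PROTO_ERROR)` override are documented only by a comment that restates the rule, so the reason the fault echoes a client-supplied value in one case and zero in the others is not recorded. I would add a comment above the switch such as `/* only REQUEST pdus carry a context_id; echo it so the client can match the fault to its presentation context */`, and extend the existing comment to name where the "forced to 0" rule comes from (the specification or observed peer behaviour, whichever applies). Reading `call->pkt.u.request` only under `case DCERPC_PKT_REQUEST` keeps the union access matched to the pdu type, which is worth stating in that comment so a later `case` is added with the same care. Testing `fault_code` first and skipping the switch for protocol errors would also remove the dependence on statement order. The body of dcesrv_fault() starts and ends outside this hunk, so whether `call->pkt` is always fully parsed when a non-protocol fault is raised cannot be confirmed from here.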