author | Stefan Metzmacher <metze@samba.org> | 2015-07-14 16:18:45 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:30 +0200 |
commit | a30eee5745af275861aaa64d8c11cf5abc52eee2 (patch) | |
tree | ebf1cb36b41b854c6908118dcfbca849c3597dcd /source4/rpc_server | |
parent | 04e92459a4ea897e22374df996bf74cfb2d6530c (diff) | |
CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
Following requests will generate a fault with ACCESS_DENIED.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/dcerpc_server.c | 2 | ||||
-rw-r--r-- | source4/rpc_server/dcerpc_server.h | 1 | ||||
-rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 11 |
3 files changed, 13 insertions, 1 deletions
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 5c5aca635f8..bd73061333c 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -940,7 +940,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
 /* handle the auth3 in the auth code */
 if (!dcesrv_auth_auth3(call)) {
- return dcesrv_fault(call, DCERPC_FAULT_OTHER);
+ call->conn->auth_state.auth_invalid = true;
 }
 talloc_free(call);
diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index b7ae113c2b2..cb600cd3a81 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -168,6 +168,7 @@ struct dcesrv_auth {
 bool client_hdr_signing;
 bool hdr_signing;
 bool auth_finished;
+ bool auth_invalid;
 };
 struct dcesrv_connection_context {
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index afa584b164b..f3de2c33f96 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -275,6 +275,13 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
 /* Now that we are authenticated, go back to the generic session key... */
 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
+
+ if (call->out_auth_info->credentials.length != 0) {
+
+ DEBUG(4, ("GENSEC produced output token (len=%u) at bind_auth3\n",
+ (unsigned)call->out_auth_info->credentials.length));
+ return false;
+ }
 return true;
 } else {
 DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_auth3: %s\n",
@@ -402,6 +409,10 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
 return false;
 }
+ if (dce_conn->auth_state.auth_invalid) {
+ return false;
+ }
+
 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
 hdr_size += 16;
 }
|
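Review bot: The failure branch of dcesrv_auth3 now swallows the error with no comment and no log line, so nothing at this site says that leaving the fault out is deliberate or that the flag is meant to stay set for the rest of the connection. I would add a comment above the assignment, e.g. `/* no fault here; auth_invalid makes dcesrv_auth_request() refuse every later request */`, and give the new `bool auth_invalid;` member in dcerpc_server.h a one-line comment saying it is set on a failed auth3 and, as far as this diff shows, never cleared. A failed authentication leg is also worth a trace operators will see; the only messages visible in this diff are at DEBUG level 4 inside dcesrv_auth_auth3. The rest of dcesrv_auth3, including what it returns after `talloc_free(call)`, lies outside the hunk.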
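Review bot: The new output-token check in the success branch of dcesrv_auth_auth3 runs after `dce_conn->auth_state.session_key = dcesrv_generic_session_key;`, so the `return false` path leaves the connection's auth state written as if the bind had completed and relies entirely on the caller setting `auth_invalid`. Testing `call->out_auth_info->credentials.length != 0` before any success-path state is written would make the rejection self-contained. The lines above the session-key assignment are outside the hunk, so whether further state is established there needs checking before moving the test. As a style point, the empty line directly after the opening brace of the new `if` is stray.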
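Review bot: The `auth_invalid` gate in dcesrv_auth_request returns false without a DEBUG line, and the fault code the client receives is chosen by the caller, which is not part of this diff; the commit message promises ACCESS_DENIED, so that mapping should be confirmed. A message such as `DEBUG(3, ("request refused: earlier auth3 failed on this connection\n"));` before the `return false;` would let operators tell this refusal apart from the function's other failure paths. Within this diff only request PDUs consult the flag; if an alter-context or a repeated auth3 on the same connection should be refused as well, that handling is not visible here. The function body starts and ends outside the hunk.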