CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
authorStefan Metzmacher <metze@samba.org>
Wed, 23 Dec 2015 11:40:58 +0000 (12:40 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:32 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/rpc_server/rpc_server.c

index 01a854ccafa207660e494477e8cd239f42365b80..5effe66d9bba23fd0669c5f396c6e6950ac644c3 100644 (file)
@@ -558,6 +558,12 @@ static void named_pipe_packet_done(struct tevent_req *subreq)
                return;
        }
 
+       if (npc->p->fault_state != 0) {
+               DEBUG(2, ("Disconnect after fault\n"));
+               sys_errno = EINVAL;
+               goto fail;
+       }
+
        /* clear out any data that may have been left around */
        npc->count = 0;
        TALLOC_FREE(npc->iov);
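Review bot: The added `DEBUG(2, ("Disconnect after fault\n"))` logs the same fixed string here and in the dcerpc_ncacn_packet_done hunk, so a log reader cannot tell which transport dropped the connection or which fault caused it. Put the state in the message, for example `DEBUG(2, ("named pipe: disconnect after fault 0x%08x\n", (unsigned)npc->p->fault_state));`. The cast assumes fault_state is an integer type, which the comparison with 0 suggests but the hunk does not show. If the connection structure carries a peer name or address (not visible here), logging it as well would make it possible to spot a client that repeatedly triggers faults. The body of named_pipe_packet_done starts and ends outside the hunk.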
@@ -1292,6 +1298,12 @@ static void dcerpc_ncacn_packet_done(struct tevent_req *subreq)
                goto fail;
        }
 
+       if (ncacn_conn->p->fault_state != 0) {
+               DEBUG(2, ("Disconnect after fault\n"));
+               sys_errno = EINVAL;
+               goto fail;
+       }
+
        /* clear out any data that may have been left around */
        ncacn_conn->count = 0;
        TALLOC_FREE(ncacn_conn->iov);
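Review bot: The check added in this hunk, like the one in named_pipe_packet_done, has no comment saying why a non-zero fault_state ends the connection or why the test sits at this point in the function. A short comment above the `if` would do, such as `/* a fatal FAULT pdu was generated on this connection: accept no further requests, disconnect */`. Judging by the function name, this runs once the reply has been written, so the fault presumably reaches the client before the `goto fail`. The `fail` label is outside the hunk, so it is worth confirming what it tears down.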