CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
authorStefan Metzmacher <metze@samba.org>
Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:28 +0000 (19:25 +0200)
This simplifies the following commits and avoids having to dereference
dcecli_security->auth_info to learn the negotiated auth type, level and context id.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/librpc/rpc/dcerpc.c
source4/librpc/rpc/dcerpc.h
source4/librpc/rpc/dcerpc_auth.c

index 5900c063bba7ddafb6430d629e05e893efab9040..1cfc2ca178df13df99b3571b91e803adf8a01ff3 100644 (file)
@@ -141,6 +141,9 @@ static struct dcecli_connection *dcerpc_connection_init(TALLOC_CTX *mem_ctx,
        }
 
        c->call_id = 1;
+       c->security_state.auth_type = DCERPC_AUTH_TYPE_NONE;
+       c->security_state.auth_level = DCERPC_AUTH_LEVEL_NONE;
+       c->security_state.auth_context_id = 0;
        c->security_state.auth_info = NULL;
        c->security_state.session_key = dcerpc_generic_session_key;
        c->security_state.generic_state = NULL;
index 707e4ccfd092a2d560294a4346c462e4704558fc..c7299fec5e6be8da0fa2ddc17cd6530a602a784f 100644 (file)
@@ -46,6 +46,9 @@ struct dcecli_connection;
 struct gensec_settings;
 struct cli_credentials;
 struct dcecli_security {
+       enum dcerpc_AuthType auth_type;
+       enum dcerpc_AuthLevel auth_level;
+       uint32_t auth_context_id;
        struct dcerpc_auth *auth_info;
        struct gensec_security *generic_state;
 
index 2d60d38732bdd86432a6d0bb9cd23d180de483f7..aec72ca9943b0f84f23b218cc3bcb290d39a16ed 100644 (file)
@@ -353,14 +353,18 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
                return c;
        }
 
+       sec->auth_type = auth_type;
+       sec->auth_level = auth_level,
+       sec->auth_context_id = random();
+
        sec->auth_info = talloc(p, struct dcerpc_auth);
        if (composite_nomem(sec->auth_info, c)) return c;
 
-       sec->auth_info->auth_type = auth_type;
-       sec->auth_info->auth_level = auth_level,
+       sec->auth_info->auth_type = sec->auth_type;
+       sec->auth_info->auth_level = sec->auth_level,
        sec->auth_info->auth_pad_length = 0;
        sec->auth_info->auth_reserved = 0;
-       sec->auth_info->auth_context_id = random();
+       sec->auth_info->auth_context_id = sec->auth_context_id;
        sec->auth_info->credentials = data_blob(NULL, 0);
 
        /* The status value here, from GENSEC is vital to the security
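Review bot: The added line `sec->auth_level = auth_level,` ends with a comma instead of a semicolon, so it and the following `sec->auth_context_id = random();` are parsed as one comma-expression statement; it compiles and assigns correctly only because the comma operator has the lowest precedence, and the same typo is carried forward into `sec->auth_info->auth_level = sec->auth_level,`. Both lines should end with `;`: `sec->auth_level = auth_level;` and `sec->auth_info->auth_level = sec->auth_level;`. Separately, `random()` is adequate if `auth_context_id` only has to be distinct within the connection, but it is not a CSPRNG, so if the id is ever expected to be unpredictable to the peer that should be revisited; a one-line comment such as `/* only needs to be unique per connection, not unpredictable */` would make the intent explicit. dcerpc_bind_auth_send starts before and continues past this hunk.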