CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index ea9d50d8a57f1da8c6de05c09f25a2fa65e49655..2926f06d5f89861bacd7c4684fb77f6f9f3817e2 100644 (file)
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -860,8 +860,15 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
 
        DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
 
+       /* We can only finish if the pipe is unbound for now */
+       if (p->pipe_bound) {
+               DEBUG(0, (__location__ ": Pipe already bound, "
+                         "AUTH3 not supported!\n"));
+               goto err;
+       }
+
        if (pkt->auth_length == 0) {
-               DEBUG(1, ("No auth field sent for bind request!\n"));
+               DEBUG(1, ("No auth field sent for auth3 request!\n"));
                goto err;
        }