CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
authorStefan Metzmacher <metze@samba.org>
Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:30 +0000 (19:25 +0200)
For now we still force the "\\PIPE\\" prefix to upper case; we may be able to remove
this and change it in our IDL files later. But for now it is better to
behave like a Windows server without changing too much.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/dcerpc_server.c

index 8a0df18fe3e4a199a443b9ff5d8a361933fd2ee9..57b76bf7f8efc8f01560c9e177e451ccc731d280 100644 (file)
@@ -638,6 +638,8 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
        uint32_t extra_flags = 0;
        uint16_t max_req = 0;
        uint16_t max_rep = 0;
+       const char *ep_prefix = "";
+       const char *endpoint = NULL;
 
        /* max_recv_frag and max_xmit_frag result always in the same value! */
        max_req = MIN(call->pkt.u.bind.max_xmit_frag,
@@ -782,10 +784,31 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
        }
 
        if (iface) {
-               /* FIXME: Use pipe name as specified by endpoint instead of interface name */
-               pkt.u.bind_ack.secondary_address = talloc_asprintf(call, "\\PIPE\\%s", iface->name);
-       } else {
-               pkt.u.bind_ack.secondary_address = "";
+               endpoint = dcerpc_binding_get_string_option(
+                               call->conn->endpoint->ep_description,
+                               "endpoint");
+       }
+
+       if (endpoint == NULL) {
+               endpoint = "";
+       }
+
+       if (strncasecmp(endpoint, "\\pipe\\", 6) == 0) {
+               /*
+                * TODO: check if this is really needed
+                *
+                * Or if we should fix this in our idl files.
+                */
+               ep_prefix = "\\PIPE\\";
+               endpoint += 6;
+       }
+
+       pkt.u.bind_ack.secondary_address = talloc_asprintf(call, "%s%s",
+                                                          ep_prefix,
+                                                          endpoint);
+       if (pkt.u.bind_ack.secondary_address == NULL) {
+               TALLOC_FREE(call->context);
+               return NT_STATUS_NO_MEMORY;
        }
        pkt.u.bind_ack.num_results = 1;
        pkt.u.bind_ack.ctx_list = talloc_zero(call, struct dcerpc_ack_ctx);
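Review bot: The prefix length in `strncasecmp(endpoint, "\\pipe\\", 6)` is a magic number that has to stay in sync with the literal by hand, and the same 6 is repeated in `endpoint += 6`; hoisting the prefix into a local, `static const char pipe_prefix[] = "\\pipe\\";` with `size_t prefix_len = strlen(pipe_prefix);`, and using `prefix_len` in both places removes that coupling. The new code now derives secondary_address from the listener's own `ep_description` rather than from `iface->name`; as far as the hunk shows this string is server-side configuration, not anything taken from the client's bind request, so it would be worth stating that in the comment above the check, e.g. `/* endpoint comes from our own listening binding, not from the client PDU */`, since the original FIXME gave no such context. The `if (iface)` guard now only decides whether the option is looked up at all, so a bind with no matching interface still allocates an empty string via talloc_asprintf instead of pointing at the static `""`; that preserves the visible behaviour but is presumably intentional and could be mentioned in the comment. dcesrv_bind begins and ends outside this hunk, so the other TALLOC_FREE(call->context) error paths it should mirror are not visible here.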