CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index bb1da467ccc55766b47c52c25563363b557c4fdb..054647c3f58ddd19e682ce21ccb0f1abed2b779c 100644 (file)
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -548,6 +548,14 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
                return status;
        }
 
+       if (auth_info.auth_type != auth->auth_type) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       if (auth_info.auth_level != auth->auth_level) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        pkt_trailer->length -= auth_length;
        data = data_blob_const(raw_pkt->data + header_size,
                               pkt_trailer->length);