CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type...
authorStefan Metzmacher <metze@samba.org>
Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:29 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/librpc/rpc/dcerpc.c
source4/librpc/rpc/dcerpc_auth.c

index 908fed20113decbe1571471b073626266cd790f9..964924901c3aa88d95e75e067d3b784a630d95c4 100644 (file)
@@ -778,6 +778,18 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
 
        pkt->u.response.stub_and_verifier.length -= auth_length;
 
+       if (auth.auth_type != c->security_state.auth_type) {
+               return NT_STATUS_RPC_PROTOCOL_ERROR;
+       }
+
+       if (auth.auth_level != c->security_state.auth_level) {
+               return NT_STATUS_RPC_PROTOCOL_ERROR;
+       }
+
+       if (auth.auth_context_id != c->security_state.auth_context_id) {
+               return NT_STATUS_RPC_PROTOCOL_ERROR;
+       }
+
        /* check signature or unseal the packet */
        switch (c->security_state.auth_level) {
        case DCERPC_AUTH_LEVEL_PRIVACY:
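Review bot: All three added mismatch checks return `NT_STATUS_RPC_PROTOCOL_ERROR` without logging which field differed, so a server presenting an unexpected auth trailer cannot be told apart in the logs from any other protocol error; the same applies to the three checks added to `bind_auth_next_step` in dcerpc_auth.c. A debug line before each return would give operators something to detect on, for example `DEBUG(1, ("unexpected auth_type %u in response\n", (unsigned)auth.auth_type));`. A short comment above the block would also record why it sits before the switch, such as `/* the server must use the auth_type, auth_level and auth_context_id we expect; reject before check/unseal */`. The checks run after `stub_and_verifier.length` has already been reduced, which is harmless only if callers discard the packet on error; the function body extends outside the hunk, so that could not be confirmed here.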
index 15a843b4ef5a9c86159643b1a90096d6218e3422..d617b07e07c810e8b9b27568df308ef703e008c5 100644 (file)
@@ -142,6 +142,21 @@ static void bind_auth_next_step(struct composite_context *c)
        state = talloc_get_type(c->private_data, struct bind_auth_state);
        sec = &state->pipe->conn->security_state;
 
+       if (state->in_auth_info.auth_type != sec->auth_type) {
+               composite_error(c, NT_STATUS_RPC_PROTOCOL_ERROR);
+               return;
+       }
+
+       if (state->in_auth_info.auth_level != sec->auth_level) {
+               composite_error(c, NT_STATUS_RPC_PROTOCOL_ERROR);
+               return;
+       }
+
+       if (state->in_auth_info.auth_context_id != sec->auth_context_id) {
+               composite_error(c, NT_STATUS_RPC_PROTOCOL_ERROR);
+               return;
+       }
+
        state->out_auth_info = (struct dcerpc_auth) {
                .auth_type = sec->auth_type,
                .auth_level = sec->auth_level,
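Review bot: The added checks read `state->in_auth_info`, but nothing in the hunk shows where it is filled or what it holds when the server's reply carried no auth trailer. Whether the comparison fails closed in that case depends on initial values not visible here, so the precondition is worth a comment above the block, e.g. `/* in_auth_info must have been parsed from the server's reply before this step */`. The three branches are also identical apart from the field compared, so they could be folded into one condition joined with `||` that calls `composite_error(c, NT_STATUS_RPC_PROTOCOL_ERROR);` once. The function starts and ends outside the hunk.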