CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_...
authorStefan Metzmacher <metze@samba.org>
Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:39:43 +0000 (04:39 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/dcesrv_auth.c

index 565c3733727b656fc8ee8e99819f90c4c18dfeb8..afa584b164bc9328eb3d78cce7440de73f098b5c 100644 (file)
@@ -238,6 +238,18 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
                return false;
        }
 
+       if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
+               return false;
+       }
+
+       if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
+               return false;
+       }
+
+       if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
+               return false;
+       }
+
        call->_out_auth_info = (struct dcerpc_auth) {
                .auth_type = dce_conn->auth_state.auth_type,
                .auth_level = dce_conn->auth_state.auth_level,
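Review bot: The three new rejections in dcesrv_auth_auth3 return false with no comment and no diagnostic, so a client that tries to switch auth_type, auth_level or auth_context_id on an established connection leaves nothing that says which field mismatched. I would add above the first check `/* auth3 must repeat the auth_type, auth_level and auth_context_id already stored in dce_conn->auth_state */` and, unless the caller already logs the failure (not visible in this hunk), a debug-level message in each branch. The same applies to the identical checks added to dcesrv_auth_alter in the next hunk. The body of dcesrv_auth_auth3 starts before this hunk and continues past it.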
@@ -306,6 +318,18 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
                return false;
        }
 
+       if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
+               return false;
+       }
+
+       if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
+               return false;
+       }
+
+       if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
+               return false;
+       }
+
        return true;
 }
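Review bot: These three comparisons are a verbatim copy of the ones added to dcesrv_auth_auth3, so the two paths can drift apart if another field of in_auth_info later needs the same pinning. A single static helper in this file that takes the call and reports whether in_auth_info matches dce_conn->auth_state would keep both callers in step. Each site then shrinks to `if (!auth_info_matches_state(call)) { return false; }` (helper name illustrative). dcesrv_auth_alter starts outside the hunk.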