CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
authorStefan Metzmacher <metze@samba.org>
Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:29 +0000 (19:25 +0200)
This depends on the type of the incoming pdu.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/common/reply.c

index e4150e62d315c5d7f75c791fd4206de77e2369b6..77d8d7996ecc01c852e8d98647c7ef0121351315 100644 (file)
@@ -111,7 +111,20 @@ NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code)
        pkt.ptype = DCERPC_PKT_FAULT;
        pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
        pkt.u.fault.alloc_hint = 24;
-       pkt.u.fault.context_id = 0;
+       switch (call->pkt.ptype) {
+       case DCERPC_PKT_REQUEST:
+               pkt.u.fault.context_id = call->pkt.u.request.context_id;
+               break;
+       default:
+               pkt.u.fault.context_id = 0;
+               break;
+       }
+       if (fault_code == DCERPC_NCA_S_PROTO_ERROR) {
+               /*
+                * context_id = 0 is forced on protocol errors.
+                */
+               pkt.u.fault.context_id = 0;
+       }
        pkt.u.fault.cancel_count = 0;
        pkt.u.fault.status = fault_code;
        pkt.u.fault._pad = data_blob_const(zeros, sizeof(zeros));
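Review bot: The context_id decision is now spread over two steps whose order is load-bearing: the switch first copies `call->pkt.u.request.context_id`, and only afterwards the `DCERPC_NCA_S_PROTO_ERROR` check overwrites it with 0, so a reader has to notice that the second statement silently discards the first. If a protocol error can be raised before the incoming request body was fully decoded (not visible in this hunk), that order also means the request's context_id is read and then thrown away, whereas deciding the protocol-error case first never touches the request body at all. Folding both into one if/else chain makes the precedence explicit and keeps the existing "forced on protocol errors" comment next to the branch it governs; the rest of dcesrv_fault lies outside this hunk.
```c
        pkt.u.fault.alloc_hint = 24;
        if (fault_code == DCERPC_NCA_S_PROTO_ERROR) {
                /*
                 * context_id = 0 is forced on protocol errors,
                 * regardless of the incoming pdu type, so the
                 * request body is never consulted on this path.
                 */
                pkt.u.fault.context_id = 0;
        } else if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
                /* only a request pdu carries the context the fault refers to */
                pkt.u.fault.context_id = call->pkt.u.request.context_id;
        } else {
                pkt.u.fault.context_id = 0;
        }
        /* … unchanged: cancel_count, status, _pad … */
```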