From accac3a3bd3d0b43a737b2e85d316481130045aa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 29 Jun 2015 11:03:58 +0200
Subject: [PATCH] CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
This will simplify checks in the following commits and avoids derefencing dcesrv_auth->auth_info which is not always arround.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source4/rpc_server/dcerpc_server.h | 17 +++++++++++++++--
 source4/rpc_server/dcesrv_auth.c | 15 +++++++++++----
 2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index e6ddf657331..7784025e8f4 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -151,6 +151,9 @@ struct dcesrv_handle {
 /* hold the authentication state information */
 struct dcesrv_auth {
+ enum dcerpc_AuthType auth_type;
+ enum dcerpc_AuthLevel auth_level;
+ uint32_t auth_context_id;
 struct dcerpc_auth *auth_info;
 struct gensec_security *gensec_security;
 struct auth_session_info *session_info;
@@ -210,8 +213,15 @@ struct dcesrv_connection {
 DATA_BLOB partial_input;
- /* the current authentication state */
- struct dcesrv_auth auth_state;
+ /* This can be removed in master... */
+ struct {
+ struct dcerpc_auth *auth_info;
+ struct gensec_security *gensec_security;
+ struct auth_session_info *session_info;
+ NTSTATUS (*session_key)(struct dcesrv_connection *, DATA_BLOB *session_key);
+ bool client_hdr_signing;
+ bool hdr_signing;
+ } _unused_auth_state;
 /* the event_context that will be used for this connection */
 struct tevent_context *event_ctx;
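Review bot: The three members added to `struct dcesrv_auth` carry no comment on how they relate to `auth_info`, which is the whole reason they exist: the commit message says `auth_info` is not always around, while these are written on every bind path (the dcesrv_auth.c hunks set them to NONE/NONE/0 for a bind without an auth trailer and copy them from the trailer otherwise). Suggest above `auth_type`: `/* auth type/level/context id negotiated at bind time; unlike auth_info these are always valid (NONE/NONE/0 for an unauthenticated bind) */`. It would also be worth stating that only the bind path is meant to write them, since later checks are presumably going to trust these copies rather than the PDU in hand; that cannot be confirmed from this hunk. The struct definition continues past the hunk.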
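Review bot: The `_unused_auth_state` placeholder needs a comment saying why an unused struct is kept, since `/* This can be removed in master... */` only says when. From its members mirroring the old `struct dcesrv_auth` and the live `auth_state` being re-added at the very end of `struct dcesrv_connection` in the next hunk, this appears to keep the offsets of the following members (`event_ctx` onwards) unchanged now that `struct dcesrv_auth` has grown by three fields, i.e. binary compatibility on a release branch; if so, say it: `/* Placeholder with the old layout of struct dcesrv_auth so the offsets of the members below stay stable (binary compatibility); the live state is auth_state at the end of this struct. This can be removed in master... */`. Note that the placeholder must then keep matching the pre-change layout exactly, which nothing in the hunk enforces. `struct dcesrv_connection` starts before and ends after this hunk.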
@@ -243,6 +253,9 @@ struct dcesrv_connection {
 const struct tsocket_address *local_address;
 const struct tsocket_address *remote_address;
+
+ /* the current authentication state */
+ struct dcesrv_auth auth_state;
 };
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index c3ba40cac07..03231a5cfde 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -47,6 +47,9 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 uint32_t auth_length;
 if (pkt->auth_length == 0) {
+ auth->auth_type = DCERPC_AUTH_TYPE_NONE;
+ auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
+ auth->auth_context_id = 0;
 dce_conn->auth_state.auth_info = NULL;
 return true;
 }
@@ -63,6 +66,10 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 return false;
 }
+ auth->auth_type = dce_conn->auth_state.auth_info->auth_type;
+ auth->auth_level = dce_conn->auth_state.auth_info->auth_level;
+ auth->auth_context_id = dce_conn->auth_state.auth_info->auth_context_id;
+
 server_credentials = cli_credentials_init(call);
 if (!server_credentials) {
@@ -100,12 +107,12 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 }
 }
- status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type,
- auth->auth_info->auth_level);
+ status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_type,
+ auth->auth_level);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n",
- (int)auth->auth_info->auth_type,
- (int)auth->auth_info->auth_level,
+ (int)auth->auth_type,
+ (int)auth->auth_level,
 nt_errstr(status)));
 return false;
 }
--
2.34.1
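Review bot: The reset to NONE/NONE/0 in the `auth_length == 0` branch of dcesrv_auth_bind is not guarded against a bind arriving on a connection that has already authenticated; the start of the function is outside the hunk, so if the caller does not reject a second bind, `gensec_security` and `session_info` from the first one stay in place next to an auth level that now says unauthenticated, which is exactly the kind of inconsistent per-connection auth state this CVE is about. Unless that is already ruled out earlier in the function, add `if (auth->gensec_security != NULL || auth->session_info != NULL) { return false; }` before the reset. Minor: the branch writes `auth->auth_type` but `dce_conn->auth_state.auth_info`; assuming `auth` aliases `&dce_conn->auth_state` as the rest of the function suggests, `auth->auth_info = NULL;` makes the block read as one state reset.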
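Review bot: The three values copied from the client's bind trailer in the `-63,6 +66,10` hunk are not checked against the pair the preceding hunk reserves for "no authentication": a bind with `auth_length != 0` but `auth_type == DCERPC_AUTH_TYPE_NONE` or `auth_level == DCERPC_AUTH_LEVEL_NONE` yields a connection whose new fields say unauthenticated while `auth_info` is non-NULL, so later checks keyed on these fields cannot tell the two cases apart. Unless `gensec_start_mech_by_authtype` is known to fail for those values, reject them right after the copy: `if (auth->auth_type == DCERPC_AUTH_TYPE_NONE || auth->auth_level == DCERPC_AUTH_LEVEL_NONE) { return false; }`. A why-comment on the copy would also help: `/* cache the negotiated values: auth_info is not always available later */`. Style: `auth->auth_info->auth_type` (the spelling the removed lines of the last hunk use) instead of `dce_conn->auth_state.auth_info->auth_type`, if the two alias.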