dcerpc: NULL pointer deref crash in handling rpc request.
author Jeremy Allison <jra@samba.org>
Thu, 18 Jun 2015 16:57:42 +0000 (09:57 -0700)
committer Jeremy Allison <jra@samba.org>
Thu, 18 Jun 2015 17:25:27 +0000 (19:25 +0200)
source4/rpc_server/dcerpc_server.c:dcesrv_request() calls gensec_have_feature().

Codenomicon found a code path that allows the client to send a
request that calls into this function without ever having set
up security. So call->conn->auth_state.gensec_security exists
(gensec has been initialized when the RPC pipe is set up)
but call->conn->auth_state.gensec_security->ops has not been
initialized. We dereference the NULL pointer and crash.

An alternate way to fix this would be to create a new
public bool gensec_initialized() function and call that
inside dcesrv_request() instead of doing a null
check on call->conn->auth_state.gensec_security,
but that's a more invasive fix we can add later.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11341

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
auth/gensec/gensec.c

index 8b5c02d111cef7a8d36bd9b50051de680f88c35f..d9504f773c48b6f74885bf9f56786ebc21ac399c 100644 (file)
@@ -533,7 +533,7 @@ _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
 _PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
                         uint32_t feature)
 {
-       if (!gensec_security->ops->have_feature) {
+       if (!gensec_security->ops || !gensec_security->ops->have_feature) {
                return false;
        }
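Review bot: the new `!gensec_security->ops` guard at the top of gensec_have_feature() turns an uninitialized security context into a plain "feature absent" answer, which is the safe outcome, but the hunk leaves no hint of why `ops` can be NULL, so a later cleanup could drop the check as redundant; consider a one-line comment at that point, e.g. `/* ops is NULL until the client has completed security setup; see bug 11341 */`. The guard still assumes `gensec_security` itself is non-NULL, which matches the commit message (the context is allocated when the pipe is set up), and that assumption is worth stating in the same comment so callers know the contract. Since gensec_want_feature() appears in the hunk header immediately above, it is worth confirming whether it and the other helpers in this file that dereference `gensec_security->ops` are reachable over the same pre-authentication path and need the same check.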