CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 377a5986a015531e0d64940094eee3afbcf7f356..e3b4b856126a2ef7694a0ae31f6bdc0a49fab87a 100644 (file)
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -536,7 +536,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
 /*
  * If schannel is required for this call test that it actually is available.
  */
-static NTSTATUS schannel_check_required(struct dcerpc_auth *auth_info,
+static NTSTATUS schannel_check_required(const struct dcesrv_auth *auth_info,
                                        const char *computer_name,
                                        bool integrity, bool privacy)
 {
@@ -572,12 +572,11 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
                                                    struct netlogon_creds_CredentialState **creds_out)
 {
        NTSTATUS nt_status;
-       struct dcerpc_auth *auth_info = dce_call->conn->auth_state.auth_info;
        int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
        bool schannel_global_required = (schannel == true);
 
        if (schannel_global_required) {
-               nt_status = schannel_check_required(auth_info,
+               nt_status = schannel_check_required(&dce_call->conn->auth_state,
                                                    computer_name,
                                                    true, false);
                if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1010,13 +1009,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
                break;
 
        case 6:
-               if (dce_call->conn->auth_state.auth_info == NULL) {
-                       return NT_STATUS_INVALID_PARAMETER;
-               }
-
-               if (dce_call->conn->auth_state.auth_info->auth_level !=
-                   DCERPC_AUTH_LEVEL_PRIVACY)
-               {
+               if (dce_call->conn->auth_state.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
                        return NT_STATUS_INVALID_PARAMETER;
                }
 
@@ -1077,8 +1070,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
                return nt_status;
        }
 
-       if (!dce_call->conn->auth_state.auth_info ||
-           dce_call->conn->auth_state.auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+       if (dce_call->conn->auth_state.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
                return NT_STATUS_ACCESS_DENIED;
        }
        return dcesrv_netr_LogonSamLogon_base(dce_call, mem_ctx, r, creds);