CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_...
authorStefan Metzmacher <metze@samba.org>
Tue, 7 Jul 2015 11:05:01 +0000 (13:05 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:32 +0000 (19:25 +0200)
An alter context can't change the syntax of an existing context,
a new context_id will be used for that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/rpc_server/srv_pipe.c

index 27fd83cab69a8cf945951b6deb51694b4246b7c0..bb3c3e8691c3a478758cdacdae2666dd26d8e77e 100644 (file)
@@ -365,6 +365,30 @@ static bool check_bind_req(struct pipes_struct *p,
                return false;
        }
 
+       for (context_fns = p->contexts;
+            context_fns != NULL;
+            context_fns = context_fns->next)
+       {
+               if (context_fns->context_id != context_id) {
+                       continue;
+               }
+
+               ok = ndr_syntax_id_equal(&context_fns->syntax,
+                                        abstract);
+               if (ok) {
+                       return true;
+               }
+
+               DEBUG(1,("check_bind_req: changing abstract syntax for "
+                        "%s context_id=%u into %s not supported\n",
+                        ndr_interface_name(&context_fns->syntax.uuid,
+                                           context_fns->syntax.if_version),
+                        (unsigned)context_id,
+                        ndr_interface_name(&abstract->uuid,
+                                           abstract->if_version)));
+               return false;
+       }
+
        /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
        if (!rpc_srv_pipe_exists_by_id(abstract)) {
                return false;
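Review bot: The `return true` taken when an existing context_id already carries the same abstract syntax skips the `rpc_srv_pipe_exists_by_id(abstract)` check that follows; that is only sound because the context was validated when it was first bound, and this reasoning is in the commit message rather than the code, so add a comment above the loop: `/* An alter_context may not change the abstract syntax of an existing context_id; a different syntax needs a new context_id (BUG 11344). A matching existing context was already validated at bind time, so it is accepted as-is. */`. The `ok` and `context_fns` variables used by the new loop are declared above the hunk — check_bind_req begins outside it — so their declarations, and whether `context_fns` is reused further down, could not be checked from this view. The `DEBUG(1, ...)` on the rejection path reports a condition the remote peer fully controls; if the surrounding rejections in this function log at a higher level, matching that level would keep a misbehaving client from filling the level-1 log.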