CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
authorStefan Metzmacher <metze@samba.org>
Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:10 +0000 (04:10 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/dcerpc_server.c

index 7721bc1f68183220e4d12e910f61f11280f76af6..750a28d36d215e2b8828291ded0e15c13fa3297a 100644 (file)
@@ -1105,7 +1105,7 @@ static NTSTATUS dcesrv_alter_resp(struct dcesrv_call_state *call,
 static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
 {
        NTSTATUS status;
-       uint32_t context_id;
+       const struct dcerpc_ctx_list *ctx = NULL;
 
        if (!call->conn->allow_alter) {
                return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
@@ -1135,12 +1135,18 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
                                DCERPC_BIND_REASON_ASYNTAX);
        }
 
-       context_id = call->pkt.u.alter.ctx_list[0].context_id;
+       if (call->pkt.u.alter.num_contexts < 1) {
+               return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
+       }
+       ctx = &call->pkt.u.alter.ctx_list[0];
+       if (ctx->num_transfer_syntaxes < 1) {
+               return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
+       }
 
        /* see if they are asking for a new interface */
-       call->context = dcesrv_find_context(call->conn, context_id);
+       call->context = dcesrv_find_context(call->conn, ctx->context_id);
        if (!call->context) {
-               status = dcesrv_alter_new_context(call, context_id);
+               status = dcesrv_alter_new_context(call, ctx->context_id);
                if (!NT_STATUS_IS_OK(status)) {
                        return dcesrv_alter_resp(call,
                                DCERPC_BIND_PROVIDER_REJECT,
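Review bot: The two new guards before `ctx = &call->pkt.u.alter.ctx_list[0]` carry no comment saying why they exist, and a later reader may be tempted to drop the second one since nothing in this hunk reads transfer_syntaxes; a short note such as `/* num_contexts and num_transfer_syntaxes are client-supplied counts; ctx_list[0] (and, downstream, transfer_syntaxes[0]) must not be read when they are zero */` would pin that down. The checks sit after the code between the two hunks (old lines 1112-1134), which is not visible here; if any of that code touches ctx_list, the guard should move above it. Only ctx_list[0] is ever consulted, so an alter request with more than one context entry appears to be silently reduced to its first entry, which is presumably pre-existing behaviour rather than something this commit changes. dcesrv_alter's body continues past the end of the hunk.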