CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index b79fded06eefcc8b00fcbe588f134b4c808d457c..278e1af3eaafdb1178cef922c987bfb351776983 100644 (file)
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -1468,6 +1468,10 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
                                return dcesrv_fault(call,
                                                DCERPC_NCA_S_PROTO_ERROR);
                        }
+                       if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_PENDING_CANCEL) {
+                               return dcesrv_fault_disconnect(call,
+                                               DCERPC_FAULT_NO_CALL_ACTIVE);
+                       }
                } else {
                        const struct dcerpc_request *nr = &call->pkt.u.request;
                        const struct dcerpc_request *er = NULL;