CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel...
authorStefan Metzmacher <metze@samba.org>
Tue, 15 Dec 2015 14:11:32 +0000 (15:11 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 28 Mar 2016 22:42:16 +0000 (00:42 +0200)
It doesn't make any sense to allow other auth levels.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
auth/gensec/schannel.c

index ee23e77ace417745b2b7ba336818b6ac45f781f6..c2cfd3bc9ded5924c1cc663864f4a7f7f6351c31 100644 (file)
@@ -467,6 +467,16 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 
        *out = data_blob(NULL, 0);
 
+       if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+               switch (gensec_security->gensec_role) {
+               case GENSEC_CLIENT:
+                       return NT_STATUS_INVALID_PARAMETER_MIX;
+               case GENSEC_SERVER:
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
        switch (gensec_security->gensec_role) {
        case GENSEC_CLIENT:
                if (state != NULL) {
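Review bot: The new auth-level guard at the top of schannel_update rejects the exchange silently, and nothing explains why the client and server roles get different status codes. A peer negotiating below integrity is something an operator would want to see in the logs, so consider adding `DEBUG(1, ("schannel: rejecting dcerpc_auth_level %u below INTEGRITY\n", (unsigned)gensec_security->dcerpc_auth_level));` before the inner switch. A short comment would also help, for example `/* schannel below DCERPC_AUTH_LEVEL_INTEGRITY gives no per-message protection; refuse it (CVE-2016-2111) */`. The `<` comparison relies on the DCERPC_AUTH_LEVEL_* constants being numerically ordered by strength, which is worth stating in that comment. schannel_update starts and ends outside this hunk, so whether a caller already logs the failure is not visible here.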