CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
authorStefan Metzmacher <metze@samba.org>
Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:04 +0000 (04:10 +0200)
In future we want to verify that the auth_context_id from the server
is what we expect.

As Samba (<= 4.2.3) uses a hardcoded value of 1 in responses, we
need to use that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/librpc/rpc/dcerpc_auth.c

index aec72ca9943b0f84f23b218cc3bcb290d39a16ed..443c7587e72500d991e2af138908aba71683ad8c 100644 (file)
@@ -355,7 +355,12 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 
        sec->auth_type = auth_type;
        sec->auth_level = auth_level,
-       sec->auth_context_id = random();
+       /*
+        * We use auth_context_id = 1 as some older
+        * Samba versions (<= 4.2.3) use that value hardcoded
+        * in a response.
+        */
+       sec->auth_context_id = 1;
 
        sec->auth_info = talloc(p, struct dcerpc_auth);
        if (composite_nomem(sec->auth_info, c)) return c;
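Review bot: The comment above `sec->auth_context_id = 1;` says why the value is 1 but not that the planned response check depends on it. I would add a line such as `* The auth_context_id in the server's response is expected to match this value.`, or give the literal a named constant, so the assignment and the later check cannot drift apart. Nothing in the visible lines compares the server's reply against this id yet, so on its own the hunk only replaces a random id with a fixed one; the commit message defers the verification to a later change. Separately, the context line `sec->auth_level = auth_level,` ends in a comma, so it and the new assignment form a single comma expression; behaviour is the same, but it should end in `;`. The body of dcerpc_bind_auth_send starts and ends outside the hunk.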