CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_...
authorStefan Metzmacher <metze@samba.org>
Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:06 +0000 (04:10 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/librpc/rpc/dcerpc.c

index c799eabcf7ad59e7b381f004853cf4b494b43c2e..f81d558e0a1cf781e82bd132ed099aa1f787cc9a 100644 (file)
@@ -2348,17 +2348,6 @@ static void dcerpc_alter_context_recv_handler(struct rpc_request *subreq,
         */
        tevent_req_defer_callback(req, state->ev);
 
-       if (pkt->ptype == DCERPC_PKT_ALTER_RESP &&
-           pkt->u.alter_resp.num_results == 1 &&
-           pkt->u.alter_resp.ctx_list[0].result != 0) {
-               status = dcerpc_map_ack_reason(&pkt->u.alter_resp.ctx_list[0]);
-               DEBUG(2,("dcerpc: alter_resp failed - reason %d - %s\n",
-                        pkt->u.alter_resp.ctx_list[0].reason.value,
-                        nt_errstr(status)));
-               tevent_req_nterror(req, status);
-               return;
-       }
-
        if (pkt->ptype == DCERPC_PKT_FAULT) {
                DEBUG(5,("dcerpc: alter_resp - rpc fault: %s\n",
                         dcerpc_errstr(state, pkt->u.fault.status)));
@@ -2376,6 +2365,17 @@ static void dcerpc_alter_context_recv_handler(struct rpc_request *subreq,
                return;
        }
 
+       if (pkt->ptype == DCERPC_PKT_ALTER_RESP &&
+           pkt->u.alter_resp.num_results == 1 &&
+           pkt->u.alter_resp.ctx_list[0].result != 0) {
+               status = dcerpc_map_ack_reason(&pkt->u.alter_resp.ctx_list[0]);
+               DEBUG(2,("dcerpc: alter_resp failed - reason %d - %s\n",
+                        pkt->u.alter_resp.ctx_list[0].reason.value,
+                        nt_errstr(status)));
+               tevent_req_nterror(req, status);
+               return;
+       }
+
        if (pkt->ptype != DCERPC_PKT_ALTER_RESP ||
            pkt->u.alter_resp.num_results == 0 ||
            pkt->u.alter_resp.ctx_list[0].result != 0) {
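Review bot: The re-added block tests `pkt->u.alter_resp.num_results == 1` and the check after it tests `num_results == 0`, so an ALTER_RESP from the peer carrying more than one result with `ctx_list[0].result == 0` passes both visible conditions. If the request only ever offers a single presentation context (not visible in this hunk, so to be confirmed against the sender side), the following check could reject the surplus with `pkt->u.alter_resp.num_results != 1 ||` in place of `pkt->u.alter_resp.num_results == 0 ||`. With more than one result and a non-zero first result, the reply also skips the `dcerpc_map_ack_reason()` mapping and falls through to the generic check, so the caller may see a different status for the same rejection. The function starts before this hunk and the body of the final `if` lies outside it, so what that branch returns cannot be checked from here.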