CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length...
authorStefan Metzmacher <metze@samba.org>
Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:07 +0000 (04:10 +0200)
pkt->u.*.auth_info.length is not the correct thing to check.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
selftest/knownfail
source4/rpc_server/dcesrv_auth.c

index 803439df7fe052394b4e3092123a5b25b6edcdf7..f8a52cf91e36a5989ff7cca0b62d749374359250 100644 (file)
@@ -1,7 +1,3 @@
-# These are temporary failures until the next commits fix it again
-#
-^samba4.rpc.altercontext.*seal # tmp
-^samba4.rpc.altercontext.*ncalrpc # tmp
 # This file contains a list of regular expressions matching the names of
 # tests that are expected to fail.
 #
index 52fe26fb9d22202a302896b25f414ca861856860..beccc78e3ec94ea51500c56b6fd186ed7d4d9cb1 100644 (file)
@@ -46,7 +46,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
        NTSTATUS status;
        uint32_t auth_length;
 
-       if (pkt->u.bind.auth_info.length == 0) {
+       if (pkt->auth_length == 0) {
                dce_conn->auth_state.auth_info = NULL;
                return true;
        }
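Review bot: The guard `if (pkt->auth_length == 0)` now treats the header field as the only signal for "no authentication", so a bind whose header announces a non-zero auth_length but whose `u.bind.auth_info` blob is empty or short falls through to the code below the hunk. That code is not visible here, so it should be confirmed that it rejects such a mismatch before the blob is parsed. The same question applies to the matching checks in the dcesrv_auth_auth3 and dcesrv_auth_alter hunks. A comment on the check would record the rule, for example `/* auth_length comes from the packet header; 0 means the client sent no auth trailer */`. dcesrv_auth_bind continues outside the hunk.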
@@ -119,10 +119,15 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
        NTSTATUS status;
        bool want_header_signing = false;
 
-       if (!call->conn->auth_state.gensec_security) {
+       if (call->pkt.auth_length == 0) {
                return NT_STATUS_OK;
        }
 
+       /* We can't work without an existing gensec state */
+       if (!call->conn->auth_state.gensec_security) {
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
        if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
                dce_conn->auth_state.client_hdr_signing = true;
                want_header_signing = true;
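Review bot: The comment on the new `gensec_security` NULL check does not say which earlier step is expected to have created the gensec state, so a reader cannot tell whether `NT_STATUS_INTERNAL_ERROR` is an unreachable invariant or a path a client can trigger. If the intent is that dcesrv_auth_bind must already have succeeded whenever the request carried auth, I would say so: `/* auth_length != 0: dcesrv_auth_bind() must have set up gensec, anything else is a server bug */`. As a style point, both new checks reach through `call->pkt` and `call->conn` while the following statement uses `dce_conn`; writing `dce_conn->auth_state.gensec_security` would match the rest of the function. The function body continues outside the hunk.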
@@ -198,10 +203,16 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
        NTSTATUS status;
        uint32_t auth_length;
 
-       /* We can't work without an existing gensec state, and an new blob to feed it */
-       if (!dce_conn->auth_state.auth_info ||
-           !dce_conn->auth_state.gensec_security ||
-           pkt->u.auth3.auth_info.length == 0) {
+       if (pkt->auth_length == 0) {
+               return false;
+       }
+
+       if (!dce_conn->auth_state.auth_info) {
+               return false;
+       }
+
+       /* We can't work without an existing gensec state */
+       if (!dce_conn->auth_state.gensec_security) {
                return false;
        }
 
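Review bot: The first two of the three new checks in dcesrv_auth_auth3 carry no comment, and the surviving comment lost the "new blob to feed it" half that the `pkt->auth_length == 0` test now stands for. I would add `/* an auth3 without an auth trailer has nothing to feed gensec */` above the first check and `/* auth3 is only valid after a bind that set up auth_info */` above the second, if that matches the intent. All three paths return a bare `false`, so the comments are the only place a maintainer can see which protocol condition each one rejects. The function continues outside the hunk.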
@@ -247,7 +258,7 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
        uint32_t auth_length;
 
        /* on a pure interface change there is no auth blob */
-       if (pkt->u.alter.auth_info.length == 0) {
+       if (pkt->auth_length == 0) {
                return true;
        }
 
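Review bot: After this check, an alter_context that carries an auth trailer on a connection bound without authentication is no longer caught by the `auth_state.auth_info` NULL test that the dcesrv_auth_alter_ack hunk below removes. The rejection therefore has to happen in dcesrv_auth_alter itself, in code that lies outside this hunk. If no such guard follows, I would add `if (!dce_conn->auth_state.gensec_security) { return false; }` directly after the `auth_length` check, mirroring what the auth3 hunk does, so the ack path never runs with a NULL auth state.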
@@ -282,8 +293,7 @@ NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_pack
 
        /* on a pure interface change there is no auth_info structure
           setup */
-       if (!call->conn->auth_state.auth_info ||
-           dce_conn->auth_state.auth_info->credentials.length == 0) {
+       if (call->pkt.auth_length == 0) {
                return NT_STATUS_OK;
        }