CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}

This will simplify checks in the following commits and avoids
derefencing dcesrv_auth->auth_info which is not always arround.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index 894b2c947ff65f50c537a9368bb4d44a769fba13..bc1b8a9745f42993999b561fb316247c6d52b24c 100644 (file)
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -146,6 +146,9 @@ struct dcesrv_handle {
 
 /* hold the authentication state information */
 struct dcesrv_auth {
+       enum dcerpc_AuthType auth_type;
+       enum dcerpc_AuthLevel auth_level;
+       uint32_t auth_context_id;
        struct dcerpc_auth *auth_info;
        struct gensec_security *gensec_security;
        struct auth_session_info *session_info;
@@ -205,8 +208,15 @@ struct dcesrv_connection {
 
        DATA_BLOB partial_input;
 
-       /* the current authentication state */
-       struct dcesrv_auth auth_state;
+       /* This can be removed in master... */
+       struct  {
+               struct dcerpc_auth *auth_info;
+               struct gensec_security *gensec_security;
+               struct auth_session_info *session_info;
+               NTSTATUS (*session_key)(struct dcesrv_connection *, DATA_BLOB *session_key);
+               bool client_hdr_signing;
+               bool hdr_signing;
+       } _unused_auth_state;
 
        /* the event_context that will be used for this connection */
        struct tevent_context *event_ctx;
@@ -238,6 +248,9 @@ struct dcesrv_connection {
 
        const struct tsocket_address *local_address;
        const struct tsocket_address *remote_address;
+
+       /* the current authentication state */
+       struct dcesrv_auth auth_state;
 };
 
 

diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index c3ba40cac07997e0344e77d45d2a6081ce346317..03231a5cfde6e6fc1dcc767bfca5497b7c68bf5e 100644 (file)
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -47,6 +47,9 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
        uint32_t auth_length;
 
        if (pkt->auth_length == 0) {
+               auth->auth_type = DCERPC_AUTH_TYPE_NONE;
+               auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
+               auth->auth_context_id = 0;
                dce_conn->auth_state.auth_info = NULL;
                return true;
        }
@@ -63,6 +66,10 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
                return false;
        }
 
+       auth->auth_type = dce_conn->auth_state.auth_info->auth_type;
+       auth->auth_level = dce_conn->auth_state.auth_info->auth_level;
+       auth->auth_context_id = dce_conn->auth_state.auth_info->auth_context_id;
+
        server_credentials 
                = cli_credentials_init(call);
        if (!server_credentials) {
@@ -100,12 +107,12 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
                }
        }
 
-       status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, 
-                                              auth->auth_info->auth_level);
+       status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_type,
+                                              auth->auth_level);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n",
-                         (int)auth->auth_info->auth_type,
-                         (int)auth->auth_info->auth_level,
+                         (int)auth->auth_type,
+                         (int)auth->auth_level,
                          nt_errstr(status)));
                return false;
        }