CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by...
authorStefan Metzmacher <metze@samba.org>
Sat, 26 Mar 2016 07:47:42 +0000 (08:47 +0100)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:08:52 +0000 (04:08 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
source3/rpc_server/srv_pipe.c

index 57043231b97886382b43eee39c236102e77f9972..e6e39df3eb33809e1f210e9100c1d626f478e3db 100644 (file)
@@ -48,6 +48,8 @@
 #include "../librpc/gen_ndr/ndr_samr.h"
 #include "../librpc/gen_ndr/ndr_lsa.h"
 #include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "../librpc/gen_ndr/ndr_epmapper.h"
+#include "../librpc/gen_ndr/ndr_echo.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -397,6 +399,18 @@ static bool check_bind_req(struct pipes_struct *p,
        if (ok) {
                context_fns->allow_connect = false;
        }
+       /*
+        * for the epmapper and echo interfaces we allow "connect"
+        * auth_level by default.
+        */
+       ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
+       if (ok) {
+               context_fns->allow_connect = true;
+       }
+       ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
+       if (ok) {
+               context_fns->allow_connect = true;
+       }
        /*
         * every interface can be modified to allow "connect" auth_level by
         * using a parametric option like:
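Review bot: The new comment above the epmapper/rpcecho checks says what the default is but not why these two interfaces are exempt, which a later reader needs in order to judge whether another interface may be added to the list. DCERPC_AUTH_LEVEL_CONNECT authenticates the bind but gives no per-PDU integrity or privacy protection, so the exemption is only reasonable if neither interface carries data worth protecting against an on-path attacker. I would state that assumption in the comment, for example `* epmapper and echo carry no sensitive data, so "connect" (no per-PDU signing/sealing) is accepted by default; the parametric option below can still turn it off.` The override part presumably holds, given the context comment that follows, but it should be confirmed because check_bind_req continues outside this hunk. As a style point, the repeated `ok = ndr_syntax_id_equal(...); if (ok) {...}` pairs could be collapsed into one `if (a || b)` per default value, which keeps the allow list and deny list visibly separate.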