CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
authorStefan Metzmacher <metze@samba.org>
Tue, 7 Jul 2015 20:51:18 +0000 (22:51 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:13 +0000 (04:10 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/rpc_client/cli_pipe.c

index 63ab5072edba68dd599f4407313c1e6bcf9cce15..bd29074cc7d9f9a0eb8adff95e8cdedf4000d9ca 100644 (file)
@@ -1908,6 +1908,21 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
                        tevent_req_nterror(req, status);
                        return;
                }
+
+               if (auth.auth_type != pauth->auth_type) {
+                       DEBUG(0, (__location__ " Auth type %u mismatch expected %u.\n",
+                                 auth.auth_type, pauth->auth_type));
+                       tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+                       return;
+               }
+
+               if (auth.auth_level != pauth->auth_level) {
+                       DEBUG(0, (__location__ " Auth level %u mismatch expected %u.\n",
+                                 auth.auth_level, pauth->auth_level));
+                       tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
+                       return;
+               }
+
                break;
        }
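Review bot: The two added checks compare only `auth.auth_type` and `auth.auth_level` with what the client requested. The `auth_context_id` carried in the same auth trailer from the server is, as far as this hunk shows, still accepted without comparison. If the client keeps the context id it sent in the bind request, a third check of the same shape belongs next to these two, failing the request with `NT_STATUS_RPC_PROTOCOL_ERROR` on mismatch. A short comment above the block would also help, e.g. `/* the server must echo the auth type and level we asked for; anything else is treated as a protocol error */`, since a mismatch here can mean a downgrade attempt and not just a broken server. The enclosing `switch` and the code that fills in `auth` start outside the hunk, so whether the other cases need the same verification cannot be judged from here.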