CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
authorStefan Metzmacher <metze@samba.org>
Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:09 +0000 (04:10 +0200)
For now we still force \\PIPE\\ in upper case; we may be able to remove
this and change it in our idl files later. But for now we better
behave like a windows server without changing too much.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/dcerpc_server.c

index c0b770e6d78208de0dd22cc6301f24c7a5aaf43a..c66b193c1de2f68809bb6b62278dc1786ec23c20 100644 (file)
@@ -638,6 +638,8 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
        uint32_t extra_flags = 0;
        uint16_t max_req = 0;
        uint16_t max_rep = 0;
+       const char *ep_prefix = "";
+       const char *endpoint = NULL;
 
        /* max_recv_frag and max_xmit_frag result always in the same value! */
        max_req = MIN(call->pkt.u.bind.max_xmit_frag,
@@ -782,10 +784,31 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
        }
 
        if (iface) {
-               /* FIXME: Use pipe name as specified by endpoint instead of interface name */
-               pkt.u.bind_ack.secondary_address = talloc_asprintf(call, "\\PIPE\\%s", iface->name);
-       } else {
-               pkt.u.bind_ack.secondary_address = "";
+               endpoint = dcerpc_binding_get_string_option(
+                               call->conn->endpoint->ep_description,
+                               "endpoint");
+       }
+
+       if (endpoint == NULL) {
+               endpoint = "";
+       }
+
+       if (strncasecmp(endpoint, "\\pipe\\", 6) == 0) {
+               /*
+                * TODO: check if this is really needed
+                *
+                * Or if we should fix this in our idl files.
+                */
+               ep_prefix = "\\PIPE\\";
+               endpoint += 6;
+       }
+
+       pkt.u.bind_ack.secondary_address = talloc_asprintf(call, "%s%s",
+                                                          ep_prefix,
+                                                          endpoint);
+       if (pkt.u.bind_ack.secondary_address == NULL) {
+               TALLOC_FREE(call->context);
+               return NT_STATUS_NO_MEMORY;
        }
        pkt.u.bind_ack.num_results = 1;
        pkt.u.bind_ack.ctx_list = talloc_zero(call, struct dcerpc_ack_ctx);
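Review bot: The prefix length 6 is a magic number that appears twice in the new code, in `strncasecmp(endpoint, "\\pipe\\", 6)` and in `endpoint += 6`, so the comparison and the pointer advance can silently drift apart if the literal is ever touched. Deriving both from one definition keeps them tied: `static const char pipe_prefix[] = "\\pipe\\";`, then `if (strncasecmp(endpoint, pipe_prefix, sizeof(pipe_prefix) - 1) == 0) {` and `endpoint += sizeof(pipe_prefix) - 1;`. Separately, the `endpoint == NULL` fallback now also covers a matched iface whose ep_description carries no "endpoint" option, which before this change answered with `\\PIPE\\<iface name>` and now answers with an empty secondary_address; if that is intended, a one-line comment at the fallback saying so would spare the next reader the archaeology. dcesrv_bind begins before and continues after this hunk.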