From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 26 Jun 2015 06:10:46 +0000 (+0200)
Subject: CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
X-Git-Tag: samba-4.2.10~61
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f4a3c332d813eb6296811f86a83e782f1a2e1ba;p=thirdparty%2Fsamba.git

CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses

This matches Windows 2012R2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 6df9f77bb11..c0b770e6d78 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -462,6 +462,7 @@ static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason)
 	struct dcerpc_bind_nak_version version;
 	struct data_blob_list_item *rep;
 	NTSTATUS status;
+	static const uint8_t _pad[3] = { 0, };
 
 	/* setup a bind_nak */
 	dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
@@ -474,7 +475,7 @@ static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason)
 	version.rpc_vers_minor = 0;
 	pkt.u.bind_nak.num_versions = 1;
 	pkt.u.bind_nak.versions = &version;
-	pkt.u.bind_nak._pad = data_blob_null;
+	pkt.u.bind_nak._pad = data_blob_const(_pad, sizeof(_pad));
 
 	rep = talloc_zero(call, struct data_blob_list_item);
 	if (!rep) {