From: Stefan Metzmacher Date: Fri, 26 Jun 2015 06:10:46 +0000 (+0200) Subject: CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection... X-Git-Tag: samba-4.2.10~53 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1da3379cc071fc3f7cede42ff45e41898a542241;p=thirdparty%2Fsamba.git CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner
---
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 19bb48fde48..6587318cdad 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -1456,33 +1456,34 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
 struct dcesrv_call_state *call2 = call;
 uint32_t alloc_size;
- /* we only allow fragmented requests, no other packet types */
- if (call->pkt.ptype != DCERPC_PKT_REQUEST) {
- return dcesrv_fault(call2, DCERPC_FAULT_OTHER);
- }
-
 /* this is a continuation of an existing call - find the call then tack it on the end */
 call = dcesrv_find_fragmented_call(dce_conn, call2->pkt.call_id);
 if (!call) {
- return dcesrv_fault(call2, DCERPC_FAULT_OTHER);
+ return dcesrv_fault_disconnect(call2,
+ DCERPC_NCA_S_PROTO_ERROR);
 }
 if (call->pkt.ptype != call2->pkt.ptype) {
 /* trying to play silly buggers are we? */
- return dcesrv_fault(call2, DCERPC_NCA_S_PROTO_ERROR);
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
 }
 if (memcmp(call->pkt.drep, call2->pkt.drep, sizeof(pkt->drep)) != 0) {
- return dcesrv_fault(call2, DCERPC_NCA_S_PROTO_ERROR);
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
 }
 if (call->pkt.call_id != call2->pkt.call_id) {
- return dcesrv_fault(call2, DCERPC_NCA_S_PROTO_ERROR);
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
 }
 if (call->pkt.u.request.context_id != call2->pkt.u.request.context_id) {
- return dcesrv_fault(call2, DCERPC_NCA_S_PROTO_ERROR);
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
 }
 if (call->pkt.u.request.opnum != call2->pkt.u.request.opnum) {
- return dcesrv_fault(call2, DCERPC_NCA_S_PROTO_ERROR);
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
 }
 alloc_size = call->pkt.u.request.stub_and_verifier.length +
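Review bot: With the `DCERPC_PKT_REQUEST` guard dropped from the top of this block, the later reads of `call->pkt.u.request.context_id`, `.opnum` and `.stub_and_verifier.length` are only valid if something outside the hunk already pins the packet type. The remaining `call->pkt.ptype != call2->pkt.ptype` test proves the two packets share a type, not that the `request` arm of the union is the live one. If the enclosing condition (not visible here) does not guarantee that, keep the guard with the new disposition, `if (call2->pkt.ptype != DCERPC_PKT_REQUEST) { return dcesrv_fault_disconnect(call2, DCERPC_NCA_S_PROTO_ERROR); }`. If it does, a comment such as `/* ptype == DCERPC_PKT_REQUEST is guaranteed by the enclosing check */` would keep that dependency visible. The mismatch branches now fault on `call` instead of `call2`, so a short comment saying who releases `call2` on those paths would help; dcesrv_process_ncacn_packet starts before and continues past this hunk.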