From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 7 Jul 2015 22:01:37 +0000 (+0200)
Subject: CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
X-Git-Tag: samba-4.2.10~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2bc617293a5d8652e484af69660b3646f3d48690;p=thirdparty%2Fsamba.git

CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id

This is better than using hardcoded values.
We need to use the value the client used in the BIND request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---

diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
index 5514956b983..5647596f559 100644
--- a/source3/rpc_server/rpc_ncacn_np.c
+++ b/source3/rpc_server/rpc_ncacn_np.c
@@ -977,6 +977,7 @@ static NTSTATUS rpc_pipe_open_external(TALLOC_CTX *mem_ctx,
 	}
 	result->auth->auth_type = DCERPC_AUTH_TYPE_NONE;
 	result->auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
+	result->auth->auth_context_id = 0;
 
 	status = rpccli_anon_bind_data(result, &auth);
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index bb3c3e8691c..821623c7cd8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -539,6 +539,7 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
 	p->auth.auth_ctx = gensec_security;
 	p->auth.auth_type = auth_info->auth_type;
 	p->auth.auth_level = auth_info->auth_level;
+	p->auth.auth_context_id = auth_info->auth_context_id;
 
 	if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
 		p->auth.client_hdr_signing = true;
@@ -812,6 +813,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 	} else {
 		p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
 		p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
+		p->auth.auth_context_id = 0;
 	}
 
 	ZERO_STRUCT(u.bind_ack);
@@ -862,12 +864,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 	}
 
 	if (auth_resp.length) {
-
 		status = dcerpc_push_dcerpc_auth(pkt,
 						 p->auth.auth_type,
 						 p->auth.auth_level,
-						 0,
-						 1, /* auth_context_id */
+						 0, /* pad_len */
+						 p->auth.auth_context_id,
 						 &auth_resp,
 						 &auth_blob);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -1222,10 +1223,10 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 
 	if (auth_resp.length) {
 		status = dcerpc_push_dcerpc_auth(pkt,
-						 auth_info.auth_type,
-						 auth_info.auth_level,
+						 p->auth.auth_type,
+						 p->auth.auth_level,
 						 0, /* pad_len */
-						 1, /* auth_context_id */
+						 p->auth.auth_context_id,
 						 &auth_resp,
 						 &auth_blob);
 		if (!NT_STATUS_IS_OK(status)) {