From: Stefan Metzmacher
Date: Fri, 26 Jun 2015 06:10:46 +0000 (+0200)
Subject: CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level...
X-Git-Tag: samba-4.2.10~69
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f0c9d61cee48f85e15fac796fa3d058c7b3a7dc;p=thirdparty%2Fsamba.git
CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index 8d92ba89d06..d90ca70c0c1 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -718,7 +718,7 @@ NTSTATUS dcesrv_lsa_LookupSids3(struct dcesrv_call_state *dce_call,
 {
 enum dcerpc_transport_t transport =
 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
- struct dcerpc_auth *auth_info = dce_call->conn->auth_state.auth_info;
+ const struct dcesrv_auth *auth = &dce_call->conn->auth_state;
 struct lsa_policy_state *policy_state;
 struct lsa_LookupSids2 q;
 NTSTATUS status;
@@ -731,8 +731,8 @@ NTSTATUS dcesrv_lsa_LookupSids3(struct dcesrv_call_state *dce_call,
 * We don't have policy handles on this call. So this must be restricted
 * to crypto connections only.
 */
- if (auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
- auth_info->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+ if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
+ auth->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
 }
 
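Review bot: The new `auth` declaration in dcesrv_lsa_LookupSids3 has no comment saying why the gate reads the connection-level `auth_state` fields rather than `auth_state.auth_info`, and that reasoning is what keeps a later refactor from reverting it. Suggested comment above the declaration: `/* use the negotiated auth_type/auth_level stored in auth_state; auth_info is a separate pointer and may not be set */` (the "may not be set" part is inferred from the switch from a pointer to the address of an embedded struct, it is not shown in this hunk). Because the access check now trusts these two fields unconditionally, it is worth confirming outside this diff that they start as DCERPC_AUTH_TYPE_NONE / DCERPC_AUTH_LEVEL_NONE and are only raised after a successful bind. The same comment applies to the matching declaration in the dcesrv_lsa_LookupNames4 hunk; both function bodies start and end outside the hunks.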
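Review bot: The schannel/integrity gate in dcesrv_lsa_LookupSids3 is repeated character for character in the dcesrv_lsa_LookupNames4 hunk, so a later tightening of the requirement could be applied to one call and missed on the other. Neither call has a policy handle, and this `if` is the only access check visible in these hunks, so I would move the test into one static helper (the name below is only a suggestion) and call it from both places. The existing comment could then sit on the helper and spell out what "crypto connections" means here, namely schannel with at least integrity protection. Both function bodies continue outside the hunks.
```c
/* Calls without a policy handle are only allowed over schannel with at least integrity protection. */
static bool dcesrv_lsa_schannel_protected(const struct dcesrv_call_state *dce_call)
{
	const struct dcesrv_auth *auth = &dce_call->conn->auth_state;

	return auth->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
	       auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY;
}

/* … unchanged: declarations in dcesrv_lsa_LookupSids3 and dcesrv_lsa_LookupNames4 … */
	if (!dcesrv_lsa_schannel_protected(dce_call)) {
		DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
	}
```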
@@ -944,7 +944,7 @@ NTSTATUS dcesrv_lsa_LookupNames4(struct dcesrv_call_state *dce_call, TALLOC_CTX
 {
 enum dcerpc_transport_t transport =
 dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
- struct dcerpc_auth *auth_info = dce_call->conn->auth_state.auth_info;
+ const struct dcesrv_auth *auth = &dce_call->conn->auth_state;
 struct lsa_policy_state *policy_state;
 struct lsa_LookupNames3 q;
 NTSTATUS status;
@@ -957,8 +957,8 @@ NTSTATUS dcesrv_lsa_LookupNames4(struct dcesrv_call_state *dce_call, TALLOC_CTX
 * We don't have policy handles on this call. So this must be restricted
 * to crypto connections only.
 */
- if (auth_info->auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
- auth_info->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+ if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
+ auth->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
 DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
 }