From: Stefan Metzmacher
Date: Fri, 26 Jun 2015 06:10:46 +0000 (+0200)
Subject: CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
X-Git-Tag: samba-4.2.10~63
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=494ba35faa766fbc241f51d0b7509caf5b233f9a;p=thirdparty%2Fsamba.git
CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
This depends on the type of the incoming pdu.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
diff --git a/source4/rpc_server/common/reply.c b/source4/rpc_server/common/reply.c
index 9bbd62319b4..1ef3d05b485 100644
--- a/source4/rpc_server/common/reply.c
+++ b/source4/rpc_server/common/reply.c
@@ -111,7 +111,20 @@ NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code)
 pkt.ptype = DCERPC_PKT_FAULT;
 pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
 pkt.u.fault.alloc_hint = 24;
- pkt.u.fault.context_id = 0;
+ switch (call->pkt.ptype) {
+ case DCERPC_PKT_REQUEST:
+ pkt.u.fault.context_id = call->pkt.u.request.context_id;
+ break;
+ default:
+ pkt.u.fault.context_id = 0;
+ break;
+ }
+ if (fault_code == DCERPC_NCA_S_PROTO_ERROR) {
+ /*
+ * context_id = 0 is forced on protocol errors.
+ */
+ pkt.u.fault.context_id = 0;
+ }
 pkt.u.fault.cancel_count = 0;
 pkt.u.fault.status = fault_code;
 pkt.u.fault._pad = data_blob_const(zeros, sizeof(zeros));
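Review bot: The new `case DCERPC_PKT_REQUEST:` branch copies the client-supplied `call->pkt.u.request.context_id` into the fault, which is only meaningful if `call->pkt.ptype` is the discriminant the union was actually decoded with. Nothing visible in the hunk establishes that dcesrv_fault() is reached only after the incoming PDU was fully parsed, and the function's body starts and ends outside the hunk, so the precondition should be written down above the switch, for example `/* call->pkt must be fully decoded here; u.request is valid only for DCERPC_PKT_REQUEST */`. The comment inside the `DCERPC_NCA_S_PROTO_ERROR` block restates the assignment below it rather than giving the reason for the override. A line saying why protocol errors must not echo the request's context_id would help the next reader judge whether other fault codes need the same treatment.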