From: Stefan Metzmacher Date: Fri, 26 Jun 2015 06:10:46 +0000 (+0200) Subject: CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter() X-Git-Tag: samba-4.2.10~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ac7fc8b9a1c6a9701c4d2145099cf8963cdb5c4;p=thirdparty%2Fsamba.git CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter() The basically matches Windows 2012R2, it's not 100% but it's enough for our raw protocol tests to pass. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index 988552488cc..ee6ee95f7bb 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -1106,6 +1106,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) { NTSTATUS status; const struct dcerpc_ctx_list *ctx = NULL; + bool auth_ok = false; if (!call->conn->allow_alter) { return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR); @@ -1127,12 +1128,12 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR); } - /* handle any authentication that is being requested */ - if (!dcesrv_auth_alter(call)) { - /* TODO: work out the right reject code */ - return dcesrv_alter_resp(call, - DCERPC_BIND_PROVIDER_REJECT, - DCERPC_BIND_REASON_ASYNTAX); + auth_ok = dcesrv_auth_alter(call); + if (!auth_ok) { + if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) { + return dcesrv_fault_disconnect(call, + DCERPC_FAULT_ACCESS_DENIED); + } } if (call->pkt.u.alter.num_contexts < 1) { @@ -1186,6 +1187,17 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) DCERPC_BIND_REASON_ASYNTAX); } + /* handle any authentication that is being requested */ + if (!auth_ok) { + if (call->in_auth_info.auth_type != + call->conn->auth_state.auth_type) + { + return dcesrv_fault_disconnect(call, + DCERPC_FAULT_SEC_PKG_ERROR); + } + return dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED); + } + return dcesrv_alter_resp(call, DCERPC_BIND_ACK_RESULT_ACCEPTANCE, DCERPC_BIND_ACK_REASON_NOT_SPECIFIED);