From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Dec 2015 11:40:58 +0000 (+0100)
Subject: CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
X-Git-Tag: samba-4.2.10~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=664d7ace0e68b42d2de99583757e0a985647eb4b;p=thirdparty%2Fsamba.git

CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---

diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index 01a854ccafa..5effe66d9bb 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -558,6 +558,12 @@ static void named_pipe_packet_done(struct tevent_req *subreq)
 		return;
 	}
 
+	if (npc->p->fault_state != 0) {
+		DEBUG(2, ("Disconnect after fault\n"));
+		sys_errno = EINVAL;
+		goto fail;
+	}
+
 	/* clear out any data that may have been left around */
 	npc->count = 0;
 	TALLOC_FREE(npc->iov);
@@ -1292,6 +1298,12 @@ static void dcerpc_ncacn_packet_done(struct tevent_req *subreq)
 		goto fail;
 	}
 
+	if (ncacn_conn->p->fault_state != 0) {
+		DEBUG(2, ("Disconnect after fault\n"));
+		sys_errno = EINVAL;
+		goto fail;
+	}
+
 	/* clear out any data that may have been left around */
 	ncacn_conn->count = 0;
 	TALLOC_FREE(ncacn_conn->iov);