From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 10 Jul 2015 11:55:27 +0000 (+0200)
Subject: CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level... 
X-Git-Tag: samba-4.2.10~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74de5d8768eeafbf729fe35fff5cabbd49274130;p=thirdparty%2Fsamba.git

CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index b7da76ff2f6..50b32c935bb 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -805,9 +805,20 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 
 	/* handle any authentication that is being requested */
 	if (!dcesrv_auth_bind(call)) {
-		talloc_free(call->context);
-		call->context = NULL;
-		return dcesrv_bind_nak(call, DCERPC_BIND_REASON_INVALID_AUTH_TYPE);
+		struct dcesrv_auth *auth = &call->conn->auth_state;
+
+		TALLOC_FREE(call->context);
+
+		if (auth->auth_level != DCERPC_AUTH_LEVEL_NONE) {
+			/*
+			 * We only give INVALID_AUTH_TYPE if the auth_level was
+			 * valid.
+			 */
+			return dcesrv_bind_nak(call,
+					DCERPC_BIND_NAK_REASON_INVALID_AUTH_TYPE);
+		}
+		return dcesrv_bind_nak(call,
+					DCERPC_BIND_NAK_REASON_NOT_SPECIFIED);
 	}
 
 	/* setup a bind_ack */
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index f3de2c33f96..2b3f8b07710 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -60,6 +60,30 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 		return false;
 	}
 
+	switch (call->in_auth_info.auth_level) {
+	case DCERPC_AUTH_LEVEL_CONNECT:
+	case DCERPC_AUTH_LEVEL_CALL:
+	case DCERPC_AUTH_LEVEL_PACKET:
+	case DCERPC_AUTH_LEVEL_INTEGRITY:
+	case DCERPC_AUTH_LEVEL_PRIVACY:
+		/*
+		 * We evaluate auth_type only if auth_level was valid
+		 */
+		break;
+	default:
+		/*
+		 * Setting DCERPC_AUTH_LEVEL_NONE,
+		 * gives the caller a chance to decide what
+		 * reject_reason to use
+		 *
+		 * Note: DCERPC_AUTH_LEVEL_NONE == 1
+		 */
+		auth->auth_type = DCERPC_AUTH_TYPE_NONE;
+		auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
+		auth->auth_context_id = 0;
+		return false;
+	}
+
 	auth->auth_type = call->in_auth_info.auth_type;
 	auth->auth_level = call->in_auth_info.auth_level;
 	auth->auth_context_id = call->in_auth_info.auth_context_id;