From: Stefan Metzmacher Date: Sat, 27 Jun 2015 08:31:48 +0000 (+0200) Subject: CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1 X-Git-Tag: samba-4.2.10~90 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9153fc5fe23dfd8ca6cc9ee4412edd82b87e58cb;p=thirdparty%2Fsamba.git CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1 In future we want to verify that the auth_context_id from the server is what we expect. As Samba (<= 4.2.3) use a hardcoded value of 1 in responses, we need to use that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c index aec72ca9943..443c7587e72 100644 --- a/source4/librpc/rpc/dcerpc_auth.c +++ b/source4/librpc/rpc/dcerpc_auth.c @@ -355,7 +355,12 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx, sec->auth_type = auth_type; sec->auth_level = auth_level, - sec->auth_context_id = random(); + /* + * We use auth_context_id = 1 as some older + * Samba versions (<= 4.2.3) use that value hardcoded + * in a response. + */ + sec->auth_context_id = 1; sec->auth_info = talloc(p, struct dcerpc_auth); if (composite_nomem(sec->auth_info, c)) return c;
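Review bot: the unchanged context line `sec->auth_level = auth_level,` directly above the new comment ends in a comma rather than a semicolon, so the added `sec->auth_context_id = 1;` becomes the right-hand operand of a comma expression, with the comment block sitting in the middle of it. It compiles and behaves the same, but since the patch edits the adjacent line, change that comma to `;` here. A smaller point on the same assignment: the commit message says a later change will verify the server's auth_context_id against the expected value, so a named constant used for this literal 1 and reused by that check would keep the two from drifting apart.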