From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 14 Jul 2015 14:18:45 +0000 (+0200)
Subject: CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
X-Git-Tag: samba-4.2.10~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9dd171fa441c1aa68d8ac09153c8a2974eac6790;p=thirdparty%2Fsamba.git

CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid

Following requests will generate a fault with ACCESS_DENIED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index d1d2d8c2255..9cf72498b35 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -940,7 +940,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
 
 	/* handle the auth3 in the auth code */
 	if (!dcesrv_auth_auth3(call)) {
-		return dcesrv_fault(call, DCERPC_FAULT_OTHER);
+		call->conn->auth_state.auth_invalid = true;
 	}
 
 	talloc_free(call);
diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index 79bc45873e4..74f0841586b 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -163,6 +163,7 @@ struct dcesrv_auth {
 	bool client_hdr_signing;
 	bool hdr_signing;
 	bool auth_finished;
+	bool auth_invalid;
 };
 
 struct dcesrv_connection_context {
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index afa584b164b..f3de2c33f96 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -275,6 +275,13 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
 
 		/* Now that we are authenticated, go back to the generic session key... */
 		dce_conn->auth_state.session_key = dcesrv_generic_session_key;
+
+		if (call->out_auth_info->credentials.length != 0) {
+
+			DEBUG(4, ("GENSEC produced output token (len=%u) at bind_auth3\n",
+				  (unsigned)call->out_auth_info->credentials.length));
+			return false;
+		}
 		return true;
 	} else {
 		DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_auth3: %s\n",
@@ -402,6 +409,10 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
 		return false;
 	}
 
+	if (dce_conn->auth_state.auth_invalid) {
+		return false;
+	}
+
 	if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
 		hdr_size += 16;
 	}