From: Stefan Metzmacher Date: Thu, 23 Jun 2016 11:50:39 +0000 (+0200) Subject: s4:rpc_server: generate the correct error when we got an invalid auth_pad_length... X-Git-Tag: samba-4.3.12~118 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a3bb37732f48ebf2f92d7ba0743bd448dfefac7d;p=thirdparty%2Fsamba.git s4:rpc_server: generate the correct error when we got an invalid auth_pad_length on BIND,ALTER,AUTH3 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11982 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 7d8edcc24148658e92729b3d155e432994e27525)
---
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index a303d3c4272..f14211ac706 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -803,6 +803,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 TALLOC_FREE(call->context);
+ if (call->fault_code == DCERPC_NCA_S_PROTO_ERROR) {
+ return dcesrv_bind_nak(call,
+ DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED);
+ }
+
 if (auth->auth_level != DCERPC_AUTH_LEVEL_NONE) {
 /*
 * We only give INVALID_AUTH_TYPE if the auth_level was
@@ -935,6 +940,9 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
 /* handle the auth3 in the auth code */
 if (!dcesrv_auth_auth3(call)) {
 call->conn->auth_state.auth_invalid = true;
+ if (call->fault_code != 0) {
+ return dcesrv_fault_disconnect(call, call->fault_code);
+ }
 }
 talloc_free(call);
@@ -1104,9 +1112,8 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
 auth_ok = dcesrv_auth_alter(call);
 if (!auth_ok) {
- if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) {
- return dcesrv_fault_disconnect(call,
- DCERPC_FAULT_ACCESS_DENIED);
+ if (call->fault_code != 0) {
+ return dcesrv_fault_disconnect(call, call->fault_code);
 }
 }
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 802876b2da7..74a62dfa9b7 100644
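Review bot: In dcesrv_bind() the new branch reacts only to `DCERPC_NCA_S_PROTO_ERROR`, whereas the dcesrv_auth3() and dcesrv_alter() hunks forward any non-zero `call->fault_code`, and nothing at this call site says where the value comes from. The explanation lives only in dcesrv_auth_bind() in the other file, so I would add above the check `/* set by dcesrv_auth_bind() when the auth trailer could not be parsed */`. Any other fault code set on the bind path would fall through to the auth_level handling that follows; that looks intended but is worth stating. The condition enclosing this block starts outside the hunk.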
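Review bot: In dcesrv_auth3(), and again in the dcesrv_alter() hunk, a failed auth call with `call->fault_code == 0` continues past the new check, so whether a failure disconnects the peer now depends on every `return false` in dcesrv_auth_auth3() and dcesrv_auth_alter() setting the field. This commit sets it at four sites in those two helpers; their other failure returns are not visible here and should be audited against this contract. In dcesrv_alter() the previous test on `DCERPC_AUTH_TYPE_NONE` is removed, so nothing at the caller backs it up any more. I would record the contract at each check with `/* fault_code == 0 means the auth helper failed without requesting a fault */`, and confirm that fault_code starts at zero for every call, which the diff does not show.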
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -56,6 +56,12 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 &call->in_auth_info, NULL, true);
 if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * This will cause a
+ * DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED
+ * in the caller
+ */
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
 return false;
 }
@@ -257,6 +263,11 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
 status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
 &call->in_auth_info, NULL, true);
 if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Windows returns DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY
+ * instead of DCERPC_NCA_S_PROTO_ERROR.
+ */
+ call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
 return false;
 }
@@ -332,6 +343,7 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
 }
 if (dce_conn->auth_state.auth_finished) {
+ call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
 return false;
 }
@@ -343,6 +355,12 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
 status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.alter.auth_info,
 &call->in_auth_info, NULL, true);
 if (!NT_STATUS_IS_OK(status)) {
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
+ return false;
+ }
+
+ if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) {
+ call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
 return false;
 }
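Review bot: The two `DCERPC_FAULT_ACCESS_DENIED` assignments in dcesrv_auth_alter() (the `auth_finished` case in the -332 hunk and the `DCERPC_AUTH_TYPE_NONE` case in the -343 hunk) carry no comment, unlike the bind and auth3 hunks, which explain their choice of fault code. The `DCERPC_AUTH_TYPE_NONE` test was moved here from dcesrv_alter() and now runs only after the auth trailer has parsed, so a malformed trailer yields `DCERPC_NCA_S_PROTO_ERROR` rather than ACCESS_DENIED. I would say so in place with `/* formerly checked in dcesrv_alter(); only reached once the trailer parsed */`. For the first case a short comment stating why auth info is refused once `auth_finished` is set would help; the reason is not visible in the hunk, so the author should word it. Both hunks show only part of the function body.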