From: Stefan Metzmacher Date: Tue, 7 Jul 2015 11:05:01 +0000 (+0200) Subject: CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_... X-Git-Tag: samba-4.2.10~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a995740d4e7fbd8fbb5c8c6280b73eaceae53574;p=thirdparty%2Fsamba.git CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req() An alter context can't change the syntax of an existing context, a new context_id will be used for that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner
---
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 27fd83cab69..bb3c3e8691c 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -365,6 +365,30 @@ static bool check_bind_req(struct pipes_struct *p,
 return false;
 }
 
+ for (context_fns = p->contexts;
+ context_fns != NULL;
+ context_fns = context_fns->next)
+ {
+ if (context_fns->context_id != context_id) {
+ continue;
+ }
+
+ ok = ndr_syntax_id_equal(&context_fns->syntax,
+ abstract);
+ if (ok) {
+ return true;
+ }
+
+ DEBUG(1,("check_bind_req: changing abstract syntax for "
+ "%s context_id=%u into %s not supported\n",
+ ndr_interface_name(&context_fns->syntax.uuid,
+ context_fns->syntax.if_version),
+ (unsigned)context_id,
+ ndr_interface_name(&abstract->uuid,
+ abstract->if_version)));
+ return false;
+ }
+
 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
 if (!rpc_srv_pipe_exists_by_id(abstract)) {
 return false;
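Review bot: The new loop over `p->contexts` carries no comment stating the rule it enforces, so the reason lives only in the commit message; a comment above the `for` such as `/* An alter context must not change the abstract syntax of an existing context_id; a changed syntax needs a new context_id. */` would keep the CVE-2015-5370 intent next to the code. The `return true` on a matching entry also leaves check_bind_req before the `rpc_srv_pipe_exists_by_id(abstract)` check and anything after it, which looks intended because the context is already registered, but it deserves a one-line note such as `/* already bound with the same syntax, nothing to add */`. Only the abstract syntax is compared here; whether the transfer syntax sent with a repeated context_id is validated earlier in the function cannot be seen from this hunk and is worth confirming. check_bind_req starts and ends outside the hunk.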