From: Stefan Metzmacher
Date: Tue, 7 Jul 2015 22:01:37 +0000 (+0200)
Subject: CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
X-Git-Tag: samba-4.2.10~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae68d3f325c3880144b80385779c9445897646e6;p=thirdparty%2Fsamba.git
CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
This is better than using hardcoded values. We need to use auth_context_id = 1 for authenticated connections, as old Samba server (before this patchset) will use a hardcoded value of 1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 5053de8dd7f..835aec5faec 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1190,7 +1190,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
 auth->auth_type,
 auth->auth_level,
 0, /* auth_pad_length */
- 1, /* auth_context_id */
+ auth->auth_context_id,
 &auth_token,
 &auth_info);
 if (!NT_STATUS_IS_OK(ret)) {
@@ -1709,7 +1709,7 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
 auth->auth_type,
 auth->auth_level,
 0, /* auth_pad_length */
- 1, /* auth_context_id */
+ auth->auth_context_id,
 pauth_blob,
 &u.auth3.auth_info);
 if (!NT_STATUS_IS_OK(status)) {
@@ -1753,7 +1753,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
 auth->auth_type,
 auth->auth_level,
 0, /* auth_pad_length */
- 1, /* auth_context_id */
+ auth->auth_context_id,
 pauth_blob,
 &auth_info);
 if (!NT_STATUS_IS_OK(status)) {
@@ -2370,6 +2370,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
 result->auth_type = DCERPC_AUTH_TYPE_NONE;
 result->auth_level = DCERPC_AUTH_LEVEL_NONE;
+ result->auth_context_id = 0;
 status = auth_generic_client_prepare(result,
 &auth_generic_ctx);
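Review bot: The context id written into the auth trailer in create_rpc_bind_req now depends entirely on how the pipe_auth_data was initialised, and the same holds for the matching hunks in create_rpc_bind_auth3 and create_rpc_alter_context. This diff assigns the field only in rpccli_anon_bind_data and rpccli_generic_bind_data. If any other code outside this diff builds a pipe_auth_data for an authenticated bind, it would send whatever the allocation left there (presumably 0) instead of the 1 the commit message says older servers hard-code, so that is worth checking. Since the three PDUs of one security context should carry the same id, I would record that at the first call site with `/* auth_context_id: set by rpccli_*_bind_data(); same value for bind, auth3 and alter_context */`. All three function bodies start and end outside their hunks.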
@@ -2430,6 +2431,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
 result->auth_type = auth_type;
 result->auth_level = auth_level;
+ result->auth_context_id = 1;
 status = auth_generic_client_prepare(result,
 &auth_generic_ctx);
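Review bot: The literal `1` assigned to `result->auth_context_id` in rpccli_generic_bind_data carries an interoperability constraint that is recorded only in the commit message: servers from before this patchset use a hard-coded context id of 1. Nothing in the code explains this, so a later cleanup could choose a different id and break authenticated binds against those servers without the cause being obvious. I would put the reason next to the assignment, e.g. `/* must be 1: Samba servers before the CVE-2015-5370 patchset hard-code auth_context_id 1 */`. The function body starts and ends outside the hunk.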