From: Stefan Metzmacher Date: Thu, 10 Mar 2016 15:02:31 +0000 (+0100) Subject: CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv... X-Git-Tag: samba-4.2.10~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b075822116a1ba84de99ae3f1acbd8bfbb3498d2;p=thirdparty%2Fsamba.git CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index daebe91a6b3..0fc7955a4ae 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -1101,8 +1101,6 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call) struct ndr_pull *pull; NTSTATUS status; struct dcesrv_connection_context *context; - uint32_t auth_type = DCERPC_AUTH_TYPE_NONE; - uint32_t auth_level = DCERPC_AUTH_LEVEL_NONE; /* if authenticated, and the mech we use can't do async replies, don't use them... */ if (call->conn->auth_state.gensec_security && @@ -1115,12 +1113,7 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call) return dcesrv_fault(call, DCERPC_FAULT_UNK_IF); } - if (call->conn->auth_state.auth_info != NULL) { - auth_type = call->conn->auth_state.auth_info->auth_type; - auth_level = call->conn->auth_state.auth_info->auth_level; - } - - switch (auth_level) { + switch (call->conn->auth_state.auth_level) { case DCERPC_AUTH_LEVEL_NONE: case DCERPC_AUTH_LEVEL_INTEGRITY: case DCERPC_AUTH_LEVEL_PRIVACY: 
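Review bot: With the `auth_info != NULL` guard and the local `DCERPC_AUTH_LEVEL_NONE` default removed, the `switch (call->conn->auth_state.auth_level)` in the second hunk depends on that field being set for every connection, including ones that never negotiated authentication. Nothing in this diff shows where the field is initialized, so a short comment above the switch would record the invariant, for example `/* auth_state.auth_type/auth_level are set when the connection's auth is negotiated; DCERPC_AUTH_TYPE_NONE / DCERPC_AUTH_LEVEL_NONE otherwise */` (wording to be confirmed against the bind path). The same assumption underlies the `auth_level < context->min_auth_level` check in the fourth hunk, which is the access decision for the interface. The body of dcesrv_request() starts and ends outside these hunks, and the switch's default arm is not visible here.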
@@ -1136,7 +1129,8 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call) "to [%s] with auth[type=0x%x,level=0x%x] " "on [%s] from [%s]\n", __func__, context->iface->name, - auth_type, auth_level, + call->conn->auth_state.auth_type, + call->conn->auth_state.auth_level, derpc_transport_string_by_transport(transport), addr)); return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED); @@ -1144,7 +1138,7 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call) break; } - if (auth_level < context->min_auth_level) { + if (call->conn->auth_state.auth_level < context->min_auth_level) { char *addr; addr = tsocket_address_string(call->conn->remote_address, call); @@ -1155,7 +1149,8 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call) __func__, context->min_auth_level, context->iface->name, - auth_type, auth_level, + call->conn->auth_state.auth_type, + call->conn->auth_state.auth_level, derpc_transport_string_by_transport(transport), addr)); return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
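Review bot: The two new `%x` arguments in the third hunk, `call->conn->auth_state.auth_type` and `call->conn->auth_state.auth_level`, replace locals that were declared `uint32_t`, and the diff does not show the type of the struct fields. If they are enum-typed, an explicit cast such as `(unsigned)call->conn->auth_state.auth_type,` keeps each argument matched to `0x%x` on every compiler. The fifth hunk passes the same pair to the same format. These denial messages are what an operator reads when a client is rejected for too low an auth level, so the logged values should stay exact.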