From: Stefan Metzmacher Date: Sat, 27 Jun 2015 08:31:48 +0000 (+0200) Subject: CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id} X-Git-Tag: samba-4.2.10~91 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b26aabe9b138ef929bbfc638df0bc22f70b16de0;p=thirdparty%2Fsamba.git CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id} This will simplify the following commits and avoids dereferencing dcecli_security->auth_info. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner
---
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index fecc0f29a5d..a05b58d9130 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -141,6 +141,9 @@ static struct dcecli_connection *dcerpc_connection_init(TALLOC_CTX *mem_ctx,
 }
 c->call_id = 1;
+ c->security_state.auth_type = DCERPC_AUTH_TYPE_NONE;
+ c->security_state.auth_level = DCERPC_AUTH_LEVEL_NONE;
+ c->security_state.auth_context_id = 0;
 c->security_state.auth_info = NULL;
 c->security_state.session_key = dcerpc_generic_session_key;
 c->security_state.generic_state = NULL;
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 8b2aebede45..541afd4b060 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -46,6 +46,9 @@ struct dcecli_connection;
 struct gensec_settings;
 struct cli_credentials;
 struct dcecli_security {
+ enum dcerpc_AuthType auth_type;
+ enum dcerpc_AuthLevel auth_level;
+ uint32_t auth_context_id;
 struct dcerpc_auth *auth_info;
 struct gensec_security *generic_state;
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index 2d60d38732b..aec72ca9943 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
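Review bot: The three fields added to `struct dcecli_security` in dcerpc.h carry no comment on how they relate to the `auth_info->auth_type`, `auth_info->auth_level` and `auth_info->auth_context_id` they duplicate, so a reader cannot tell which copy is authoritative or whether the new fields are meaningful while `auth_info` is still NULL. The dcerpc.c hunk initialises them to NONE/NONE/0 alongside `auth_info = NULL`, and the commit message says later changes will read them instead of dereferencing `auth_info`, so that contract deserves to be stated at the declaration. A comment above `auth_type` along the lines of `/* Negotiated auth type/level/context id; kept in sync with auth_info->auth_* by dcerpc_bind_auth_send and valid even when auth_info is NULL. */` would do. The struct definition continues past the end of the hunk.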
@@ -353,14 +353,18 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 return c;
 }
+ sec->auth_type = auth_type;
+ sec->auth_level = auth_level,
+ sec->auth_context_id = random();
+
 sec->auth_info = talloc(p, struct dcerpc_auth);
 if (composite_nomem(sec->auth_info, c)) return c;
- sec->auth_info->auth_type = auth_type;
- sec->auth_info->auth_level = auth_level,
+ sec->auth_info->auth_type = sec->auth_type;
+ sec->auth_info->auth_level = sec->auth_level,
 sec->auth_info->auth_pad_length = 0;
 sec->auth_info->auth_reserved = 0;
- sec->auth_info->auth_context_id = random();
+ sec->auth_info->auth_context_id = sec->auth_context_id;
 sec->auth_info->credentials = data_blob(NULL, 0);
 /* The status value here, from GENSEC is vital to the security
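Review bot: The added line `sec->auth_level = auth_level,` ends with a comma instead of a semicolon, and the new `sec->auth_info->auth_level = sec->auth_level,` carries the same slip over from the removed line; the comma operator fuses each with the following assignment into one expression statement, which compiles and behaves today but will silently misbehave for anyone who later inserts a statement in between or wraps one of the lines in an unbraced `if`. Both should read `sec->auth_level = auth_level;` and `sec->auth_info->auth_level = sec->auth_level;`. Separately, the three `sec->auth_*` assignments now happen before `auth_info` is allocated, so when `composite_nomem` fails the connection's security state already records the requested type, level and context id while `auth_info` stays NULL; whether that is observable depends on how the following commits read these fields, so it may be safer to move the three assignments below the allocation check. dcerpc_bind_auth_send continues beyond the end of this hunk.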