From: Stefan Metzmacher Date: Fri, 26 Jun 2015 06:10:46 +0000 (+0200) Subject: CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_con... X-Git-Tag: samba-4.2.10~50 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b430b1fbb74dd980a5050a6152e4d930a8a508af;p=thirdparty%2Fsamba.git CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner
---
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 750a28d36d2..988552488cc 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -1152,6 +1152,27 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
 DCERPC_BIND_PROVIDER_REJECT,
 DCERPC_BIND_REASON_ASYNTAX);
 }
+ } else {
+ bool ok;
+
+ ok = ndr_syntax_id_equal(&ctx->abstract_syntax,
+ &call->context->iface->syntax_id);
+ if (!ok) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+
+ if (ctx->num_transfer_syntaxes != 1) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+
+ ok = ndr_syntax_id_equal(&ctx->transfer_syntaxes[0],
+ &ndr_transfer_syntax_ndr);
+ if (!ok) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
 }

 if (call->pkt.u.alter.assoc_group_id != 0 &&
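Review bot: The last check in the new `else` branch compares `ctx->transfer_syntaxes[0]` against the constant `ndr_transfer_syntax_ndr` rather than against a transfer syntax recorded for the existing context, so it is only correct while this server accepts plain NDR and nothing else; that assumption is not visible in the hunk and deserves a comment. I would put `/* An existing presentation context may only be repeated unchanged: same abstract syntax and the single NDR transfer syntax; anything else is a protocol error. */` above `bool ok;`. The three rejections also disconnect without a log line, which makes a client that keeps probing this path hard to tell apart from an ordinary dropped connection during triage; a debug message naming the context id before each `dcesrv_fault_disconnect()` would help. `dcesrv_alter` begins and ends outside the hunk, so how `ctx` and `call->context` were set (and that `call->context->iface` is non-NULL here) is inferred from the surrounding branch and should be confirmed.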