From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 26 Jun 2015 06:10:46 +0000 (+0200)
Subject: CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_... 
X-Git-Tag: samba-4.2.10~54
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b51da52c76ef8ee77ef1dcaa3bb21160d42adf25;p=thirdparty%2Fsamba.git

CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---

diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 565c3733727..afa584b164b 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -238,6 +238,18 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
 		return false;
 	}
 
+	if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
+		return false;
+	}
+
+	if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
+		return false;
+	}
+
+	if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
+		return false;
+	}
+
 	call->_out_auth_info = (struct dcerpc_auth) {
 		.auth_type = dce_conn->auth_state.auth_type,
 		.auth_level = dce_conn->auth_state.auth_level,
@@ -306,6 +318,18 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
 		return false;
 	}
 
+	if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
+		return false;
+	}
+
+	if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
+		return false;
+	}
+
+	if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
+		return false;
+	}
+
 	return true;
 }