From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 10 Mar 2016 03:06:04 +0000 (+0100)
Subject: CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
X-Git-Tag: samba-4.2.10~114
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ddbcb1119e805328c045d14d5ebe8b4053eca612;p=thirdparty%2Fsamba.git

CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY

This matches windows and prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---

diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
index be315001ee2..7571756845c 100644
--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
@@ -28,6 +28,14 @@
 #include "dnsserver.h"
 #include "lib/ldb/include/ldb_private.h"
 
+#define DCESRV_INTERFACE_DNSSERVER_BIND(call, iface) \
+	dcesrv_interface_dnsserver_bind(call, iface)
+static NTSTATUS dcesrv_interface_dnsserver_bind(struct dcesrv_call_state *dce_call,
+					        const struct dcesrv_interface *iface)
+{
+	return dcesrv_interface_bind_require_integrity(dce_call, iface);
+}
+
 struct dnsserver_state {
 	struct loadparm_context *lp_ctx;
 	struct ldb_context *samdb;