From 00b06bccde173d8b9613d34c1f3e9c4e4788ca12 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 23 Jun 2016 13:50:39 +0200
Subject: [PATCH] s4:rpc_server: generate the correct error when we got an
 invalid auth_pad_length on BIND,ALTER,AUTH3

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11982

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7d8edcc24148658e92729b3d155e432994e27525)
---
 source4/rpc_server/dcerpc_server.c | 13 ++++++++++---
 source4/rpc_server/dcesrv_auth.c   | 18 ++++++++++++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 8439d84e37d..c6b992e7917 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -804,6 +804,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 
 		TALLOC_FREE(call->context);
 
+		if (call->fault_code == DCERPC_NCA_S_PROTO_ERROR) {
+			return dcesrv_bind_nak(call,
+			DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED);
+		}
+
 		if (auth->auth_level != DCERPC_AUTH_LEVEL_NONE) {
 			/*
 			 * We only give INVALID_AUTH_TYPE if the auth_level was
@@ -936,6 +941,9 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
 	/* handle the auth3 in the auth code */
 	if (!dcesrv_auth_auth3(call)) {
 		call->conn->auth_state.auth_invalid = true;
+		if (call->fault_code != 0) {
+			return dcesrv_fault_disconnect(call, call->fault_code);
+		}
 	}
 
 	talloc_free(call);
@@ -1105,9 +1113,8 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
 
 	auth_ok = dcesrv_auth_alter(call);
 	if (!auth_ok) {
-		if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) {
-			return dcesrv_fault_disconnect(call,
-					DCERPC_FAULT_ACCESS_DENIED);
+		if (call->fault_code != 0) {
+			return dcesrv_fault_disconnect(call, call->fault_code);
 		}
 	}
 
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 802876b2da7..74a62dfa9b7 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -56,6 +56,12 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 					  &call->in_auth_info,
 					  NULL, true);
 	if (!NT_STATUS_IS_OK(status)) {
+		/*
+		 * This will cause a
+		 * DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED
+		 * in the caller
+		 */
+		call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
 		return false;
 	}
 
@@ -257,6 +263,11 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
 	status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
 					  &call->in_auth_info, NULL, true);
 	if (!NT_STATUS_IS_OK(status)) {
+		/*
+		 * Windows returns DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY
+		 * instead of DCERPC_NCA_S_PROTO_ERROR.
+		 */
+		call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
 		return false;
 	}
 
@@ -332,6 +343,7 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
 	}
 
 	if (dce_conn->auth_state.auth_finished) {
+		call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
 		return false;
 	}
 
@@ -343,6 +355,12 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
 	status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.alter.auth_info,
 					  &call->in_auth_info, NULL, true);
 	if (!NT_STATUS_IS_OK(status)) {
+		call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
+		return false;
+	}
+
+	if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) {
+		call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
 		return false;
 	}
 
-- 
2.47.2