From b26aabe9b138ef929bbfc638df0bc22f70b16de0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sat, 27 Jun 2015 10:31:48 +0200
Subject: [PATCH] CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This will simplify the following commits and avoids dereferencing dcecli_security->auth_info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source4/librpc/rpc/dcerpc.c      | 3 +++
 source4/librpc/rpc/dcerpc.h      | 3 +++
 source4/librpc/rpc/dcerpc_auth.c | 10 +++++++---
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index fecc0f29a5d..a05b58d9130 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -141,6 +141,9 @@ static struct dcecli_connection *dcerpc_connection_init(TALLOC_CTX *mem_ctx,
 	}
 	c->call_id = 1;
+	c->security_state.auth_type = DCERPC_AUTH_TYPE_NONE;
+	c->security_state.auth_level = DCERPC_AUTH_LEVEL_NONE;
+	c->security_state.auth_context_id = 0;
 	c->security_state.auth_info = NULL;
 	c->security_state.session_key = dcerpc_generic_session_key;
 	c->security_state.generic_state = NULL;
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 8b2aebede45..541afd4b060 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -46,6 +46,9 @@ struct dcecli_connection;
 struct gensec_settings;
 struct cli_credentials;
 
 struct dcecli_security {
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+	uint32_t auth_context_id;
 	struct dcerpc_auth *auth_info;
 	struct gensec_security *generic_state;
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index 2d60d38732b..aec72ca9943 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
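Review bot: The three fields added to struct dcecli_security carry no comment saying how they relate to the auth_info pointer right below them, which is the whole purpose of the change (the commit message says they exist so callers no longer have to dereference auth_info). Without that, a later edit can easily update one copy and not the other. I would put a short comment above `enum dcerpc_AuthType auth_type;`, e.g. `/* Negotiated auth parameters; mirrored into auth_info when it is allocated, and valid (NONE/0) even while auth_info is NULL */`, which matches the NONE/0 initialisation in dcerpc_connection_init and the copy into auth_info in dcerpc_bind_auth_send. struct dcecli_security continues past the end of the hunk.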
@@ -353,14 +353,18 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 		return c;
 	}
 
+	sec->auth_type = auth_type;
+	sec->auth_level = auth_level,
+	sec->auth_context_id = random();
+
 	sec->auth_info = talloc(p, struct dcerpc_auth);
 	if (composite_nomem(sec->auth_info, c)) return c;
 
-	sec->auth_info->auth_type = auth_type;
-	sec->auth_info->auth_level = auth_level,
+	sec->auth_info->auth_type = sec->auth_type;
+	sec->auth_info->auth_level = sec->auth_level,
 	sec->auth_info->auth_pad_length = 0;
 	sec->auth_info->auth_reserved = 0;
-	sec->auth_info->auth_context_id = random();
+	sec->auth_info->auth_context_id = sec->auth_context_id;
 	sec->auth_info->credentials = data_blob(NULL, 0);
 
 	/* The status value here, from GENSEC is vital to the security
-- 
2.47.2
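Review bot: The new line `sec->auth_level = auth_level,` ends in a comma instead of a semicolon, so it and the following `sec->auth_context_id = random();` become a single comma-expression statement, and the same slip is carried over into `sec->auth_info->auth_level = sec->auth_level,`. It compiles today, but it silently chains two unrelated assignments, is easy to miss in review, and will break the moment someone inserts a declaration or a braced statement between them. Both lines should simply read `sec->auth_level = auth_level;` and `sec->auth_info->auth_level = sec->auth_level;`. Separately, `random()` remains the source of the context id as in the old code; it is a protocol context tag rather than a secret, but it is worth confirming nothing downstream relies on it being unguessable. The body of dcerpc_bind_auth_send starts and ends outside the hunk.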