From b51da52c76ef8ee77ef1dcaa3bb21160d42adf25 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 26 Jun 2015 08:10:46 +0200
Subject: [PATCH] CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source4/rpc_server/dcesrv_auth.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 565c3733727..afa584b164b 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -238,6 +238,18 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
 return false;
 }
+ if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
+ return false;
+ }
+
+ if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
+ return false;
+ }
+
+ if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
+ return false;
+ }
+
 call->_out_auth_info = (struct dcerpc_auth) {
 .auth_type = dce_conn->auth_state.auth_type,
 .auth_level = dce_conn->auth_state.auth_level,
@@ -306,6 +318,18 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
 return false;
 }
+ if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
+ return false;
+ }
+
+ if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
+ return false;
+ }
+
+ if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
+ return false;
+ }
+
 return true;
 }
-- 
2.47.2
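Review bot: The three mismatch checks added to dcesrv_auth_auth3 return false with no comment and no log output, so a reader cannot see why the fields are pinned and an operator cannot tell that a client tried to switch auth_type, auth_level or auth_context_id after the bind; the identical block added to dcesrv_auth_alter in the second hunk has the same gap. I would put `/* auth_type, auth_level and auth_context_id are fixed by the bind; auth3 and alter_context must not change them */` above the first check in each function, and emit a debug message naming the mismatching field before each `return false;`. Because the twelve lines are duplicated verbatim, a small static helper that takes `call` and returns bool would keep the two paths from drifting apart. Both functions begin outside their hunks, so what the caller does with the connection after `false` cannot be confirmed from here and is worth checking.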