From c0236de09e542dbb168969d8ae9f0c150a75198e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 26 Jun 2015 08:10:46 +0200
Subject: [PATCH] CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

pkt->u.*.auth_info.length is not the correct thing to check.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 selftest/knownfail | 4 ----
 source4/rpc_server/dcesrv_auth.c | 28 +++++++++++++++++++---------
 2 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 803439df7fe..f8a52cf91e3 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -1,7 +1,3 @@
-# These are temporary failures until the next commits fix it again
-#
-^samba4.rpc.altercontext.*seal # tmp
-^samba4.rpc.altercontext.*ncalrpc # tmp
 # This file contains a list of regular expressions matching the names of
 # tests that are expected to fail.
 #
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 52fe26fb9d2..beccc78e3ec 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -46,7 +46,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
  NTSTATUS status;
  uint32_t auth_length;
 
- if (pkt->u.bind.auth_info.length == 0) {
+ if (pkt->auth_length == 0) {
  dce_conn->auth_state.auth_info = NULL;
  return true;
  }
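Review bot: The guard at the top of dcesrv_auth_bind now keys off the common-header field `pkt->auth_length`, and the same replacement is made in dcesrv_auth_alter (hunk at -247) and, through `call->pkt.auth_length`, in dcesrv_auth_bind_ack (-119) and dcesrv_auth_alter_ack (-282), yet none of the four hunks records why the header field rather than the union's `auth_info.length` is the authoritative signal. A one-line comment at this first site would carry that reasoning, e.g. `/* auth_length is the common-header field: zero means no auth verifier follows, whatever the parsed auth_info union holds */`. The body of dcesrv_auth_bind continues past this hunk, so I cannot see whether a non-zero `auth_length` paired with an empty `pkt->u.bind.auth_info` is rejected later; presumably that mismatch is what the commit message means by "not the correct thing to check", and it should end in a failure return rather than fall through as if no authentication were requested. The local `uint32_t auth_length` declared two lines above shares its name with the header field being tested, which invites confusion when the two are read side by side; a comment on the local saying which value it will hold would help.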
@@ -119,10 +119,15 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
  NTSTATUS status;
  bool want_header_signing = false;
 
- if (!call->conn->auth_state.gensec_security) {
+ if (call->pkt.auth_length == 0) {
  return NT_STATUS_OK;
  }
 
+ /* We can't work without an existing gensec state */
+ if (!call->conn->auth_state.gensec_security) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
  if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
  dce_conn->auth_state.client_hdr_signing = true;
  want_header_signing = true;
@@ -198,10 +203,16 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
  NTSTATUS status;
  uint32_t auth_length;
 
- /* We can't work without an existing gensec state, and an new blob to feed it */
- if (!dce_conn->auth_state.auth_info ||
- !dce_conn->auth_state.gensec_security ||
- pkt->u.auth3.auth_info.length == 0) {
+ if (pkt->auth_length == 0) {
+ return false;
+ }
+
+ if (!dce_conn->auth_state.auth_info) {
+ return false;
+ }
+
+ /* We can't work without an existing gensec state */
+ if (!dce_conn->auth_state.gensec_security) {
  return false;
  }
 
@@ -247,7 +258,7 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
  uint32_t auth_length;
 
  /* on a pure interface change there is no auth blob */
- if (pkt->u.alter.auth_info.length == 0) {
+ if (pkt->auth_length == 0) {
  return true;
  }
 
@@ -282,8 +293,7 @@ NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_pack
 
  /* on a pure interface change there is no auth_info structure
  setup */
- if (!call->conn->auth_state.auth_info ||
- dce_conn->auth_state.auth_info->credentials.length == 0) {
+ if (call->pkt.auth_length == 0) {
  return NT_STATUS_OK;
  }
 
-- 
2.47.2
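Review bot: In dcesrv_auth_bind_ack the new early return reads `call->pkt.auth_length`, while the function's own `pkt` parameter (visible in the hunk header) is a different packet, and nothing in the hunk says which of the two is the request and which the reply; the same pattern recurs in dcesrv_auth_alter_ack at -282. A short comment on the check would stop a later "cleanup" from switching it to `pkt->auth_length`: `/* call->pkt is the request being answered; pkt is the reply under construction */` — presumably, since where the two are assigned lies outside the hunk. The reordering itself reads correctly: a request without an auth verifier is answered without touching gensec, and a request that carries one but finds no gensec state now yields NT_STATUS_INTERNAL_ERROR where the removed line returned NT_STATUS_OK.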
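Review bot: The three guards that now open dcesrv_auth_auth3 all `return false` with no diagnostic, so neither the caller nor the log can tell a malformed AUTH3 (header says no auth verifier) from a state error (AUTH3 arriving when no auth_info or gensec state was set up by the bind); the removed combined comment at least named the second case, and the first check now has no comment at all. I would add `/* an AUTH3 must carry an auth verifier; reject it if the header says there is none */` above the first `if`, and give the two state checks a DEBUG line naming which precondition failed, since an AUTH3 that arrives without an authenticated bind is a sequence an operator would want to see recorded rather than silently dropped. The function body continues past the hunk, so the handling after the guards is not visible here.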