From d33cb24f17e18c84243d359b10afdd0bcef0637c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sat, 26 Mar 2016 08:47:42 +0100
Subject: [PATCH] CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher
Reviewed-by: Alexander Bokovoy
---
 source3/rpc_server/srv_pipe.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 57043231b97..e6e39df3eb3 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -48,6 +48,8 @@
 #include "../librpc/gen_ndr/ndr_samr.h"
 #include "../librpc/gen_ndr/ndr_lsa.h"
 #include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "../librpc/gen_ndr/ndr_epmapper.h"
+#include "../librpc/gen_ndr/ndr_echo.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -397,6 +399,18 @@ static bool check_bind_req(struct pipes_struct *p,
 if (ok) {
 context_fns->allow_connect = false;
 }
+ /*
+ * for the epmapper and echo interfaces we allow "connect"
+ * auth_level by default.
+ */
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = true;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = true;
+ }
 /*
 * every interface can be modified to allow "connect" auth_level by
 * using a parametric option like:
-- 
2.47.2
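Review bot: The comment added in the second hunk (check_bind_req) says that epmapper and echo allow "connect" auth_level by default, but not why these two interfaces are safe to exempt. That matters because DCERPC_AUTH_LEVEL_CONNECT authenticates the bind without signing or sealing the PDUs that follow. I would extend the comment to give the reason (presumably that neither interface exposes privileged operations; the author should confirm) and to say that the exemption can still be reversed per interface, e.g. `* these interfaces expose no privileged operations (confirm), so "connect" is allowed by default; the parametric option below can still disable it.` The initial value of `context_fns->allow_connect` is assigned outside this hunk, so check whether a site-wide setting that forbids connect-level is meant to be overridden by these two unconditional `= true` assignments; as written, only the per-interface option that appears to follow could reverse them. The body of check_bind_req starts and ends outside the hunk.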