sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This commit is contained in:
Stefan Metzmacher 2016-03-10 16:02:31 +01:00
parent accac3a3bd
commit 06b9c93d39
1 changed files with 6 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
source4/rpc_server/dcerpc_server.c
View File

@ -1101,8 +1101,6 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
struct ndr_pull *pull;
NTSTATUS status;
struct dcesrv_connection_context *context;
uint32_t auth_type = DCERPC_AUTH_TYPE_NONE;
uint32_t auth_level = DCERPC_AUTH_LEVEL_NONE;
/* if authenticated, and the mech we use can't do async replies, don't use them... */
if (call->conn->auth_state.gensec_security &&
@ -1115,12 +1113,7 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
return dcesrv_fault(call, DCERPC_FAULT_UNK_IF);
}
if (call->conn->auth_state.auth_info != NULL) {
auth_type = call->conn->auth_state.auth_info->auth_type;
auth_level = call->conn->auth_state.auth_info->auth_level;
}
switch (auth_level) {
switch (call->conn->auth_state.auth_level) {
case DCERPC_AUTH_LEVEL_NONE:
case DCERPC_AUTH_LEVEL_INTEGRITY:
case DCERPC_AUTH_LEVEL_PRIVACY:
@ -1136,7 +1129,8 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
"to [%s] with auth[type=0x%x,level=0x%x] "
"on [%s] from [%s]\n",
__func__, context->iface->name,
auth_type, auth_level,
call->conn->auth_state.auth_type,
call->conn->auth_state.auth_level,
derpc_transport_string_by_transport(transport),
addr));
return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
@ -1144,7 +1138,7 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
break;
}
if (auth_level < context->min_auth_level) {
if (call->conn->auth_state.auth_level < context->min_auth_level) {
char *addr;
addr = tsocket_address_string(call->conn->remote_address, call);
@ -1155,7 +1149,8 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
__func__,
context->min_auth_level,
context->iface->name,
auth_type, auth_level,
call->conn->auth_state.auth_type,
call->conn->auth_state.auth_level,
derpc_transport_string_by_transport(transport),
addr));
return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);