mirror of https://github.com/samba-team/samba.git synced 2025-02-26 21:57:41 +03:00

CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher 2015-12-22 21:13:41 +01:00
parent 7e0b9c2f4b
commit 3b359d0a8d


@ -1546,7 +1546,16 @@ static void dcerpc_request_recv_data(struct dcecli_connection *c,
} }
if (pkt->ptype == DCERPC_PKT_FAULT) { if (pkt->ptype == DCERPC_PKT_FAULT) {
status = dcerpc_fault_to_nt_status(pkt->u.fault.status);
DEBUG(5,("rpc fault: %s\n", dcerpc_errstr(c, pkt->u.fault.status))); DEBUG(5,("rpc fault: %s\n", dcerpc_errstr(c, pkt->u.fault.status)));
if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
dcerpc_connection_dead(c, status);
return;
}
if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
dcerpc_connection_dead(c, status);
return;
}
req->fault_code = pkt->u.fault.status; req->fault_code = pkt->u.fault.status;
req->status = NT_STATUS_NET_WRITE_FAULT; req->status = NT_STATUS_NET_WRITE_FAULT;
goto req_done; goto req_done;
@ -1555,16 +1564,15 @@ static void dcerpc_request_recv_data(struct dcecli_connection *c,
if (pkt->ptype != DCERPC_PKT_RESPONSE) { if (pkt->ptype != DCERPC_PKT_RESPONSE) {
DEBUG(2,("Unexpected packet type %d in dcerpc response\n", DEBUG(2,("Unexpected packet type %d in dcerpc response\n",
(int)pkt->ptype)); (int)pkt->ptype));
req->fault_code = DCERPC_FAULT_OTHER; dcerpc_connection_dead(c, NT_STATUS_RPC_PROTOCOL_ERROR);
req->status = NT_STATUS_NET_WRITE_FAULT; return;
goto req_done;
} }
/* now check the status from the auth routines, and if it failed then fail /* now check the status from the auth routines, and if it failed then fail
this request accordingly */ this request accordingly */
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
req->status = status; dcerpc_connection_dead(c, status);
goto req_done; return;
} }
length = pkt->u.response.stub_and_verifier.length; length = pkt->u.response.stub_and_verifier.length;
@ -1573,9 +1581,8 @@ static void dcerpc_request_recv_data(struct dcecli_connection *c,
DEBUG(2,("Unexpected total payload 0x%X > 0x%X dcerpc response\n", DEBUG(2,("Unexpected total payload 0x%X > 0x%X dcerpc response\n",
(unsigned)req->payload.length + length, (unsigned)req->payload.length + length,
DCERPC_NCACN_PAYLOAD_MAX_SIZE)); DCERPC_NCACN_PAYLOAD_MAX_SIZE));
req->fault_code = DCERPC_FAULT_OTHER; dcerpc_connection_dead(c, NT_STATUS_RPC_PROTOCOL_ERROR);
req->status = NT_STATUS_NET_WRITE_FAULT; return;
goto req_done;
} }
if (length > 0) { if (length > 0) {
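Review bot: The auth-failure branch (`if (!NT_STATUS_IS_OK(status))`) now tears down the whole connection without logging anything, whereas the unexpected-ptype and oversize-payload branches emit a DEBUG(2) first. Adding `DEBUG(2,("dcerpc auth check failed: %s\n", nt_errstr(status)));` before `dcerpc_connection_dead(c, status);` would let an operator tell a failed auth check from an ordinary disconnect. The two new fault checks have the same gap, with only the DEBUG(5) above them, and since their bodies are identical they could be one condition joined with `||`. dcerpc_request_recv_data begins and ends outside the shown hunks, so it is worth confirming that dcerpc_connection_dead() completes the pending request, because these paths no longer reach `req_done`.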