CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()

For now we still force \\PIPE\\ in upper case, we may be able to remove
this and change it in our idl files later. But for now we better
behave like a windows server without changing too much.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

source4/rpc_server/dcerpc_server.c

@@ -638,6 +638,8 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 	uint32_t extra_flags = 0;
 	uint16_t max_req = 0;
 	uint16_t max_rep = 0;
+	const char *ep_prefix = "";
+	const char *endpoint = NULL;
 
 	/* max_recv_frag and max_xmit_frag result always in the same value! */
 	max_req = MIN(call->pkt.u.bind.max_xmit_frag,
@@ -782,10 +784,31 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 	}
 
 	if (iface) {
-		/* FIXME: Use pipe name as specified by endpoint instead of interface name */
-		pkt.u.bind_ack.secondary_address = talloc_asprintf(call, "\\PIPE\\%s", iface->name);
-	} else {
-		pkt.u.bind_ack.secondary_address = "";
+		endpoint = dcerpc_binding_get_string_option(
+				call->conn->endpoint->ep_description,
+				"endpoint");
+	}
+
+	if (endpoint == NULL) {
+		endpoint = "";
+	}
+
+	if (strncasecmp(endpoint, "\\pipe\\", 6) == 0) {
+		/*
+		 * TODO: check if this is really needed
+		 *
+		 * Or if we should fix this in our idl files.
+		 */
+		ep_prefix = "\\PIPE\\";
+		endpoint += 6;
+	}
+
+	pkt.u.bind_ack.secondary_address = talloc_asprintf(call, "%s%s",
+							   ep_prefix,
+							   endpoint);
+	if (pkt.u.bind_ack.secondary_address == NULL) {
+		TALLOC_FREE(call->context);
+		return NT_STATUS_NO_MEMORY;
 	}
 	pkt.u.bind_ack.num_results = 1;
 	pkt.u.bind_ack.ctx_list = talloc_zero(call, struct dcerpc_ack_ctx);