
CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher 2015-06-26 08:10:46 +02:00
parent 5cb1250457
commit 57afdaa79b


@ -1456,33 +1456,34 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
struct dcesrv_call_state *call2 = call; struct dcesrv_call_state *call2 = call;
uint32_t alloc_size; uint32_t alloc_size;
/* we only allow fragmented requests, no other packet types */
if (call->pkt.ptype != DCERPC_PKT_REQUEST) {
return dcesrv_fault(call2, DCERPC_FAULT_OTHER);
}
/* this is a continuation of an existing call - find the call /* this is a continuation of an existing call - find the call
then tack it on the end */ then tack it on the end */
call = dcesrv_find_fragmented_call(dce_conn, call2->pkt.call_id); call = dcesrv_find_fragmented_call(dce_conn, call2->pkt.call_id);
if (!call) { if (!call) {
return dcesrv_fault(call2, DCERPC_FAULT_OTHER); return dcesrv_fault_disconnect(call2,
DCERPC_NCA_S_PROTO_ERROR);
} }
if (call->pkt.ptype != call2->pkt.ptype) { if (call->pkt.ptype != call2->pkt.ptype) {
/* trying to play silly buggers are we? */ /* trying to play silly buggers are we? */
return dcesrv_fault(call2, DCERPC_NCA_S_PROTO_ERROR); return dcesrv_fault_disconnect(call,
DCERPC_NCA_S_PROTO_ERROR);
} }
if (memcmp(call->pkt.drep, call2->pkt.drep, sizeof(pkt->drep)) != 0) { if (memcmp(call->pkt.drep, call2->pkt.drep, sizeof(pkt->drep)) != 0) {
return dcesrv_fault(call2, DCERPC_NCA_S_PROTO_ERROR); return dcesrv_fault_disconnect(call,
DCERPC_NCA_S_PROTO_ERROR);
} }
if (call->pkt.call_id != call2->pkt.call_id) { if (call->pkt.call_id != call2->pkt.call_id) {
return dcesrv_fault(call2, DCERPC_NCA_S_PROTO_ERROR); return dcesrv_fault_disconnect(call,
DCERPC_NCA_S_PROTO_ERROR);
} }
if (call->pkt.u.request.context_id != call2->pkt.u.request.context_id) { if (call->pkt.u.request.context_id != call2->pkt.u.request.context_id) {
return dcesrv_fault(call2, DCERPC_NCA_S_PROTO_ERROR); return dcesrv_fault_disconnect(call,
DCERPC_NCA_S_PROTO_ERROR);
} }
if (call->pkt.u.request.opnum != call2->pkt.u.request.opnum) { if (call->pkt.u.request.opnum != call2->pkt.u.request.opnum) {
return dcesrv_fault(call2, DCERPC_NCA_S_PROTO_ERROR); return dcesrv_fault_disconnect(call,
DCERPC_NCA_S_PROTO_ERROR);
} }
alloc_size = call->pkt.u.request.stub_and_verifier.length + alloc_size = call->pkt.u.request.stub_and_verifier.length +