sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00
Code

CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()

Browse Source 
The does much more validation than dcerpc_pull_dcerpc_auth().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This commit is contained in:
Stefan Metzmacher 2015-07-07 13:05:01 +02:00
parent 8a6240872c
commit 712320489d
1 changed files with 6 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
source3/rpc_client/cli_pipe.c
View File

@ -1807,17 +1807,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
return;
default:
/* Paranoid lenght checks */
if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
+ pkt->auth_length) {
tevent_req_nterror(req,
NT_STATUS_INFO_LENGTH_MISMATCH);
if (pkt->auth_length == 0) {
tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
return;
}
/* get auth credentials */
status = dcerpc_pull_dcerpc_auth(talloc_tos(),
&pkt->u.bind_ack.auth_info,
&auth, false);
status = dcerpc_pull_auth_trailer(pkt, talloc_tos(),
&pkt->u.bind_ack.auth_info,
&auth, NULL, true);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
nt_errstr(status)));