sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Code

CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This commit is contained in:
Stefan Metzmacher 2015-06-27 10:31:48 +02:00
parent a735892f51
commit 8a93fbc7e3
1 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
source4/librpc/rpc/dcerpc.c
View File

@ -744,12 +744,7 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
struct dcerpc_auth auth;
uint32_t auth_length;
if (!c->security_state.auth_info ||
!c->security_state.generic_state) {
return NT_STATUS_OK;
}
switch (c->security_state.auth_info->auth_level) {
switch (c->security_state.auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
case DCERPC_AUTH_LEVEL_INTEGRITY:
break;
@ -769,6 +764,14 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
return NT_STATUS_INVALID_LEVEL;
}
if (pkt->auth_length == 0) {
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
if (c->security_state.generic_state == NULL) {
return NT_STATUS_INTERNAL_ERROR;
}
status = dcerpc_pull_auth_trailer(pkt, mem_ctx,
&pkt->u.response.stub_and_verifier,
&auth, &auth_length, false);
@ -777,7 +780,7 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
pkt->u.response.stub_and_verifier.length -= auth_length;
/* check signature or unseal the packet */
switch (c->security_state.auth_info->auth_level) {
switch (c->security_state.auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
status = gensec_unseal_packet(c->security_state.generic_state,
raw_packet->data + DCERPC_REQUEST_LENGTH,