mirror of https://github.com/samba-team/samba.git synced 2025-02-28 01:58:17 +03:00

CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}

This will simplify checks in the following commits and avoid
dereferencing dcesrv_auth->auth_info, which is not always around.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher 2015-06-29 11:03:58 +02:00
parent f97d9d1d11
commit accac3a3bd
2 changed files with 26 additions and 6 deletions


@ -151,6 +151,9 @@ struct dcesrv_handle {
/* hold the authentication state information */
struct dcesrv_auth {
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
uint32_t auth_context_id;
struct dcerpc_auth *auth_info;
struct gensec_security *gensec_security;
struct auth_session_info *session_info;
@ -210,8 +213,15 @@ struct dcesrv_connection {
DATA_BLOB partial_input;
/* the current authentication state */
struct dcesrv_auth auth_state;
/* This can be removed in master... */
struct {
struct dcerpc_auth *auth_info;
struct gensec_security *gensec_security;
struct auth_session_info *session_info;
NTSTATUS (*session_key)(struct dcesrv_connection *, DATA_BLOB *session_key);
bool client_hdr_signing;
bool hdr_signing;
} _unused_auth_state;
/* the event_context that will be used for this connection */
struct tevent_context *event_ctx;
@ -243,6 +253,9 @@ struct dcesrv_connection {
const struct tsocket_address *local_address;
const struct tsocket_address *remote_address;
/* the current authentication state */
struct dcesrv_auth auth_state;
};
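Review bot: The three fields added to `struct dcesrv_auth` carry no comment saying when they are valid or that later checks should read them instead of `auth_info`, which the commit message says is not always present. A one-line comment above them would cover it, for example `/* negotiated at bind time; valid even when auth_info is NULL */`. The placeholder struct in `struct dcesrv_connection` is marked only with `/* This can be removed in master... */`; if it exists to keep the old structure layout for code built against this header (presumably, the page does not say), the comment should state that and say that nothing may read `_unused_auth_state`. Both structs begin outside the hunks shown.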


@ -47,6 +47,9 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
uint32_t auth_length;
if (pkt->auth_length == 0) {
auth->auth_type = DCERPC_AUTH_TYPE_NONE;
auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
auth->auth_context_id = 0;
dce_conn->auth_state.auth_info = NULL;
return true;
}
@ -63,6 +66,10 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
return false;
}
auth->auth_type = dce_conn->auth_state.auth_info->auth_type;
auth->auth_level = dce_conn->auth_state.auth_info->auth_level;
auth->auth_context_id = dce_conn->auth_state.auth_info->auth_context_id;
server_credentials
= cli_credentials_init(call);
if (!server_credentials) {
@ -100,12 +107,12 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
}
}
status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type,
auth->auth_info->auth_level);
status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_type,
auth->auth_level);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n",
(int)auth->auth_info->auth_type,
(int)auth->auth_info->auth_level,
(int)auth->auth_type,
(int)auth->auth_level,
nt_errstr(status)));
return false;
}
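Review bot: In `dcesrv_auth_bind` the cached `auth->auth_type`, `auth->auth_level` and `auth->auth_context_id` are written only on the no-auth path and after the auth trailer has been parsed, so the `return false` just above the second group of assignments leaves them at whatever they held before. Since later checks are meant to rely on these fields rather than on `auth_info`, it would be safer to set them to `DCERPC_AUTH_TYPE_NONE`, `DCERPC_AUTH_LEVEL_NONE` and `0` at the top of the function, or to confirm that connection setup already does so, so that a failed bind can never be read as an authenticated one. The same lines mix `auth->` and `dce_conn->auth_state.` for what appears to be one object; writing `auth->auth_info` throughout would make the function easier to audit. The function body starts and ends outside the hunks.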