1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()

The basically matches Windows 2012R2, it's not 100%
but it's enough for our raw protocol tests to pass.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This commit is contained in:
Stefan Metzmacher 2015-06-26 08:10:46 +02:00
parent 1f7dc721e7
commit ed066b6ca4

View File

@ -1106,6 +1106,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
{ {
NTSTATUS status; NTSTATUS status;
const struct dcerpc_ctx_list *ctx = NULL; const struct dcerpc_ctx_list *ctx = NULL;
bool auth_ok = false;
if (!call->conn->allow_alter) { if (!call->conn->allow_alter) {
return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR); return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
@ -1127,12 +1128,12 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR); return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
} }
/* handle any authentication that is being requested */ auth_ok = dcesrv_auth_alter(call);
if (!dcesrv_auth_alter(call)) { if (!auth_ok) {
/* TODO: work out the right reject code */ if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) {
return dcesrv_alter_resp(call, return dcesrv_fault_disconnect(call,
DCERPC_BIND_PROVIDER_REJECT, DCERPC_FAULT_ACCESS_DENIED);
DCERPC_BIND_REASON_ASYNTAX); }
} }
if (call->pkt.u.alter.num_contexts < 1) { if (call->pkt.u.alter.num_contexts < 1) {
@ -1186,6 +1187,17 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
DCERPC_BIND_REASON_ASYNTAX); DCERPC_BIND_REASON_ASYNTAX);
} }
/* handle any authentication that is being requested */
if (!auth_ok) {
if (call->in_auth_info.auth_type !=
call->conn->auth_state.auth_type)
{
return dcesrv_fault_disconnect(call,
DCERPC_FAULT_SEC_PKG_ERROR);
}
return dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
}
return dcesrv_alter_resp(call, return dcesrv_alter_resp(call,
DCERPC_BIND_ACK_RESULT_ACCEPTANCE, DCERPC_BIND_ACK_RESULT_ACCEPTANCE,
DCERPC_BIND_ACK_REASON_NOT_SPECIFIED); DCERPC_BIND_ACK_REASON_NOT_SPECIFIED);