CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
authorStefan Metzmacher <metze@samba.org>
Tue, 7 Jul 2015 22:01:37 +0000 (00:01 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:16 +0000 (04:10 +0200)
This is better than using hardcoded values: the server has to echo the
auth_context_id the client chose in its BIND request, rather than the
constant 1 that was pushed into the auth trailer before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/rpc_server/rpc_ncacn_np.c
source3/rpc_server/srv_pipe.c

index 5514956b9837795ae81f7fa6a401197a4692964d..5647596f559cc8668346a4bde3e14f597bd805ba 100644 (file)
@@ -977,6 +977,7 @@ static NTSTATUS rpc_pipe_open_external(TALLOC_CTX *mem_ctx,
        }
        result->auth->auth_type = DCERPC_AUTH_TYPE_NONE;
        result->auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
+       result->auth->auth_context_id = 0;
 
        status = rpccli_anon_bind_data(result, &auth);
        if (!NT_STATUS_IS_OK(status)) {
index bb3c3e8691c3a478758cdacdae2666dd26d8e77e..821623c7cd8b8c38511668cdcfe40358ec244f13 100644 (file)
@@ -539,6 +539,7 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
        p->auth.auth_ctx = gensec_security;
        p->auth.auth_type = auth_info->auth_type;
        p->auth.auth_level = auth_info->auth_level;
+       p->auth.auth_context_id = auth_info->auth_context_id;
 
        if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
                p->auth.client_hdr_signing = true;
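Review bot: The new assignment stores the client-chosen auth_context_id straight from the BIND auth trailer without saying what it is kept for, so a reader cannot tell whether it is merely echoed back or also used to validate later PDUs. A short comment on the new line would make the intent explicit: `/* id chosen by the client in the BIND auth trailer; kept so later PDUs can be matched to this context */`. Whether any subsequent request's auth trailer is actually compared against this field is not visible in this hunk, and should be confirmed elsewhere in the series. pipe_auth_generic_bind's body continues outside the hunk.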
@@ -812,6 +813,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
        } else {
                p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
                p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
+               p->auth.auth_context_id = 0;
        }
 
        ZERO_STRUCT(u.bind_ack);
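Review bot: The anonymous branch now sets auth_context_id to 0, but 0 is also a legitimate id a client may pick in its BIND, so this field alone cannot distinguish "no auth context" from "context 0"; the discriminator has to remain auth_level NONE. A comment would prevent a later reader from treating the id as a sentinel: `/* placeholder: no auth trailer is bound here, auth_level NONE is what marks it */`. The enclosing api_pipe_bind_req starts before this hunk.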
@@ -862,12 +864,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
        }
 
        if (auth_resp.length) {
-
                status = dcerpc_push_dcerpc_auth(pkt,
                                                 p->auth.auth_type,
                                                 p->auth.auth_level,
-                                                0,
-                                                1, /* auth_context_id */
+                                                0, /* pad_len */
+                                                p->auth.auth_context_id,
                                                 &auth_resp,
                                                 &auth_blob);
                if (!NT_STATUS_IS_OK(status)) {
@@ -1222,10 +1223,10 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 
        if (auth_resp.length) {
                status = dcerpc_push_dcerpc_auth(pkt,
-                                                auth_info.auth_type,
-                                                auth_info.auth_level,
+                                                p->auth.auth_type,
+                                                p->auth.auth_level,
                                                 0, /* pad_len */
-                                                1, /* auth_context_id */
+                                                p->auth.auth_context_id,
                                                 &auth_resp,
                                                 &auth_blob);
                if (!NT_STATUS_IS_OK(status)) {
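Review bot: The ALTER_CONTEXT response now echoes the stored p->auth.auth_type, auth_level and auth_context_id instead of the auth_info parsed from this PDU, which is only correct if the function has already verified, before this hunk, that the incoming auth_info matches the bound context; otherwise a client sending different values in ALTER_CONTEXT would receive an ack for a context it did not ask for and the mismatch would be masked. If that comparison exists earlier in api_pipe_alter_context, a one-line comment above the call — `/* auth_info was checked against p->auth above; answer with the bound context */` — would make the dependency explicit; if it does not, the type/level/context_id comparison should be added before this push. The start of api_pipe_alter_context is outside the hunk.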