CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_co...
authorStefan Metzmacher <metze@samba.org>
Tue, 7 Jul 2015 22:01:37 +0000 (00:01 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:16 +0000 (04:10 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/rpc_server/srv_pipe.c

index 821623c7cd8b8c38511668cdcfe40358ec244f13..bcd7e5db6c29887331dae0983399d02f7ef3b5fb 100644 (file)
@@ -1004,6 +1004,14 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
                goto err;
        }
 
+       if (auth_info.auth_context_id != p->auth.auth_context_id) {
+               DEBUG(0, ("Auth context id mismatch! Client sent %u, "
+                         "but auth was started as level %u!\n",
+                         (unsigned)auth_info.auth_context_id,
+                         (unsigned)p->auth.auth_context_id));
+               goto err;
+       }
+
        gensec_security = p->auth.auth_ctx;
 
        status = auth_generic_server_step(gensec_security,
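Review bot: The DEBUG message in the new auth_context_id check says "but auth was started as level %u!", which reads as if it were copied from the neighbouring auth-level comparison and will mislead an operator reading the log, since both values printed are context ids, not levels. The same wording is repeated in the api_pipe_alter_context hunk below, so both should change together to something like `"but auth was started with context id %u!\n"`. Since the two hunks add an identical check, a small static helper taking both ids and the error label would keep the message and the comparison in one place, though that is a style preference. Both api_pipe_bind_auth3 and api_pipe_alter_context start and end outside the hunks.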
@@ -1160,6 +1168,14 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
                        goto err_exit;
                }
 
+               if (auth_info.auth_context_id != p->auth.auth_context_id) {
+                       DEBUG(0, ("Auth context id mismatch! Client sent %u, "
+                                 "but auth was started as level %u!\n",
+                                 (unsigned)auth_info.auth_context_id,
+                                 (unsigned)p->auth.auth_context_id));
+                       goto err_exit;
+               }
+
                gensec_security = p->auth.auth_ctx;
                status = auth_generic_server_step(gensec_security,
                                                  pkt,