CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_con...
authorStefan Metzmacher <metze@samba.org>
Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:10:10 +0000 (04:10 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/rpc_server/dcerpc_server.c

index 750a28d36d215e2b8828291ded0e15c13fa3297a..988552488cc1d8810416ee7d9fd4fb8a2f2a9fca 100644 (file)
@@ -1152,6 +1152,27 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
                                DCERPC_BIND_PROVIDER_REJECT,
                                DCERPC_BIND_REASON_ASYNTAX);
                }
+       } else {
+               bool ok;
+
+               ok = ndr_syntax_id_equal(&ctx->abstract_syntax,
+                                        &call->context->iface->syntax_id);
+               if (!ok) {
+                       return dcesrv_fault_disconnect(call,
+                                       DCERPC_NCA_S_PROTO_ERROR);
+               }
+
+               if (ctx->num_transfer_syntaxes != 1) {
+                       return dcesrv_fault_disconnect(call,
+                                       DCERPC_NCA_S_PROTO_ERROR);
+               }
+
+               ok = ndr_syntax_id_equal(&ctx->transfer_syntaxes[0],
+                                        &ndr_transfer_syntax_ndr);
+               if (!ok) {
+                       return dcesrv_fault_disconnect(call,
+                                       DCERPC_NCA_S_PROTO_ERROR);
+               }
        }
 
        if (call->pkt.u.alter.assoc_group_id != 0 &&
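Review bot: The new `else` branch rejects an alter_context that reuses an existing context id with three identical `DCERPC_NCA_S_PROTO_ERROR` disconnects and no comment, so a reader cannot tell that the intent is to forbid changing an already-negotiated presentation context. A short comment at the top of the branch would record that, e.g. `/* an existing context id must keep its abstract and transfer syntax */`. The transfer-syntax check compares against the fixed `ndr_transfer_syntax_ndr` rather than the syntax negotiated for this context; that is only equivalent if the server never accepts another transfer syntax, which the hunk does not show, so the comment should state that assumption. Because a rejected attempt is a security-relevant event, a debug log line before each disconnect naming the failed check would make triage easier. dcesrv_alter starts and ends outside the hunk, so the condition of the matching `if` is not visible here.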