CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
authorStefan Metzmacher <metze@samba.org>
Tue, 7 Jul 2015 11:05:01 +0000 (13:05 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:31 +0000 (19:25 +0200)
This does much more validation than dcerpc_pull_dcerpc_auth().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/rpc_client/cli_pipe.c

index 0fb848f2b4cf5f62d5971e5b783b32dff3782af8..9269f2435abc7736ef01a2c547e133c93fc276a9 100644 (file)
@@ -1807,17 +1807,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
                return;
 
        default:
-               /* Paranoid lenght checks */
-               if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
-                                               + pkt->auth_length) {
-                       tevent_req_nterror(req,
-                                       NT_STATUS_INFO_LENGTH_MISMATCH);
+               if (pkt->auth_length == 0) {
+                       tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
                        return;
                }
+
                /* get auth credentials */
-               status = dcerpc_pull_dcerpc_auth(talloc_tos(),
-                                                &pkt->u.bind_ack.auth_info,
-                                                &auth, false);
+               status = dcerpc_pull_auth_trailer(pkt, talloc_tos(),
+                                                 &pkt->u.bind_ack.auth_info,
+                                                 &auth, NULL, true);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
                                  nt_errstr(status)));
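Review bot: The new `pkt->auth_length == 0` rejection and the bare `NULL, true` arguments to `dcerpc_pull_auth_trailer()` carry the security intent of this change but are uncommented, and the old "Paranoid length checks" comment is removed without a replacement. Assuming the `default:` branch is the authenticated-bind case, I would add `/* auth was requested, so a bind_ack without an auth trailer is a protocol error */` above the check. After the call I would add `/* NULL: trailer length not needed; true: auth_info must contain only the auth trailer */`, if that matches the helper's last two parameters, so that a later edit does not relax either by accident. The hunk also does not show the pulled `auth` being compared with the auth type and level the client asked for; that is worth confirming further down, since rpc_pipe_bind_step_one_done() starts and ends outside the hunk.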