s3:rpc_server: check header of each packet fragment
authorGregor Beck <gbeck@sernet.de>
Thu, 9 Jan 2014 12:55:27 +0000 (13:55 +0100)
committerGünther Deschner <gd@samba.org>
Tue, 11 Feb 2014 15:02:14 +0000 (16:02 +0100)
Signed-off-by: Gregor Beck <gbeck@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
source3/rpc_server/rpc_pipes.h
source3/rpc_server/srv_pipe.c

index 4be57d8f96760d487767a03907eb98123aa1951a..1c33a27798b4b3b683c8cc1f6a25e9b78bea0ef9 100644 (file)
@@ -164,6 +164,9 @@ struct pipes_struct {
        /* operation number retrieved from the rpc header */
        uint16_t opnum;
 
+       /* rpc header information to check fragments for consistency */
+       struct dcerpc_sec_vt_header2 header2;
+
        /* private data for the interface implementation */
        void *private_data;
 
index 29e5b8af8ec213520101d21308d3947b4047bc68..f58eba49f8be80356f0ce8b685877537c949f7cd 100644 (file)
@@ -1432,6 +1432,7 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
 {
        NTSTATUS status;
        DATA_BLOB data;
+       struct dcerpc_sec_vt_header2 hdr2;
 
        if (!p->pipe_bound) {
                DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
@@ -1439,6 +1440,16 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
                return False;
        }
 
+       hdr2 = dcerpc_sec_vt_header2_from_ncacn_packet(pkt);
+       if (pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST) {
+               p->header2 = hdr2;
+       } else {
+               if (!dcerpc_sec_vt_header2_equal(&hdr2, &p->header2)) {
+                       set_incoming_fault(p);
+                       return false;
+               }
+       }
+
        /* Store the opnum */
        p->opnum = pkt->u.request.opnum;
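Review bot: The non-FIRST branch compares `hdr2` against `p->header2`, but nothing visible in this hunk establishes that a FIRST fragment of the same call was received beforehand. A continuation fragment is therefore checked against whatever header was stored last: the header of an earlier, already completed request, or an all-zero struct on a fresh pipe if `pipes_struct` is zero-allocated (not visible here). Unless other code already tracks that a fragmented request is in progress, consider a per-pipe flag set on `DCERPC_PFC_FLAG_FIRST` and cleared on `DCERPC_PFC_FLAG_LAST`, and fault when a non-FIRST fragment arrives while it is unset. The mismatch path also faults without logging, unlike the no-bind path just above it; adding `DEBUG(1, ("process_request_pdu: fragment header mismatch\n"));` before `set_incoming_fault(p);` would make inconsistent fragment sequences visible to operators. The body of process_request_pdu continues outside the hunk.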