From 6b02b94d037429e7bdca67377e390fb636c63f64 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 21 Nov 2018 23:27:50 +0100
Subject: [PATCH] s4:rpc_server: add a min_auth_level to context handles

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892
Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 source4/rpc_server/dcerpc_server.h | 1 +
 source4/rpc_server/handles.c | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index 4b6c0d145bf..abfb5c0b894 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -189,6 +189,7 @@ struct dcesrv_handle {
 struct dcesrv_assoc_group *assoc_group;
 struct policy_handle wire_handle;
 struct dom_sid *sid;
+ enum dcerpc_AuthLevel min_auth_level;
 const struct dcesrv_interface *iface;
 void *data;
 };
diff --git a/source4/rpc_server/handles.c b/source4/rpc_server/handles.c
index b0cef1c27f7..68bacefaaf5 100644
--- a/source4/rpc_server/handles.c
+++ b/source4/rpc_server/handles.c
@@ -65,6 +65,7 @@ struct dcesrv_handle *dcesrv_handle_create(struct dcesrv_call_state *call,
 talloc_free(h);
 return NULL;
 }
+ h->min_auth_level = call->auth_state->auth_level;
 h->assoc_group = context->conn->assoc_group;
 h->iface = context->iface;
 h->wire_handle.handle_type = handle_type;
@@ -120,6 +121,12 @@ struct dcesrv_handle *dcesrv_handle_lookup(struct dcesrv_call_state *call,
 dom_sid_string(context, sid)));
 return NULL;
 }
+ if (call->auth_state->auth_level < h->min_auth_level) {
+ DEBUG(0,(__location__ ": Attempt to use invalid auth_level %u < %u\n",
+ call->auth_state->auth_level,
+ h->min_auth_level));
+ return NULL;
+ }
 if (h->iface != context->iface) {
 DEBUG(0,(__location__ ": Attempt to use invalid iface\n"));
 return NULL;
--
2.11.4.GIT
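Review bot: The new `min_auth_level` member of `struct dcesrv_handle` in dcerpc_server.h is undocumented, and so is the assignment that fills it in `dcesrv_handle_create` in handles.c. Because the field carries a security invariant, I would put `/* auth level of the call that created this handle; dcesrv_handle_lookup() refuses calls below it */` above the member. At the assignment, a short comment should say that the floor is inherited from the creating call. That makes the limitation visible: a handle created at the lowest level gets no extra protection from this check. Both the struct and the function start outside their hunks.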
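Review bot: In the added check in `dcesrv_handle_lookup`, two `enum dcerpc_AuthLevel` values are passed to `%u`, and the integer type behind an enum is implementation-defined. I would cast both arguments, `(unsigned)call->auth_state->auth_level,` and `(unsigned)h->min_auth_level));`. The `<` comparison also relies on the enum's numeric order matching protection strength; that looks intended, but the declaration is not visible here, so a one-line comment stating the assumption would help. The message is logged at `DEBUG(0, ...)` like the neighbouring sid and iface checks, and the peer can trigger it, so it is worth confirming that level 0 is wanted for all three. The function body continues outside the hunk.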