From 84cbf3dfedeb30cc1c9a08827234904eaadac097 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 7 Jul 2015 13:05:01 +0200
Subject: [PATCH] CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
 source3/rpc_server/srv_pipe.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index a37cb3f6918..96bf212b705 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -896,6 +896,13 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
 goto err;
 }
+ if (auth_info.auth_level != p->auth.auth_level) {
+ DEBUG(1, ("Auth level mismatch! Client sent %d, "
+ "but auth was started as level %d!\n",
+ auth_info.auth_level, p->auth.auth_level));
+ goto err;
+ }
+
 gensec_security = p->auth.auth_ctx;
 status = auth_generic_server_step(gensec_security,
@@ -1008,6 +1015,13 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 goto err_exit;
 }
+ if (auth_info.auth_level != p->auth.auth_level) {
+ DEBUG(0, ("Auth level mismatch! Client sent %d, "
+ "but auth was started as level %d!\n",
+ auth_info.auth_level, p->auth.auth_level));
+ goto err_exit;
+ }
+
 gensec_security = p->auth.auth_ctx;
 status = auth_generic_server_step(gensec_security, pkt,
-- 
2.11.4.GIT
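Review bot: The level check added in api_pipe_bind_auth3 has no comment stating the invariant it enforces, and the same seven lines are repeated in api_pipe_alter_context in the next hunk. A short comment above the `if` would help the next reader, e.g. `/* auth_level is fixed when the bind starts authentication; auth3 must not change it */`. Both call sites compare `auth_info.auth_level` with `p->auth.auth_level` and differ only in the error label and debug level, so a small static helper returning bool could hold the comparison and the log message once. Only the level is compared in the visible lines; whether auth_type and the context id are pinned the same way is decided outside this hunk, whose enclosing function starts and ends beyond it.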
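Review bot: The mismatch message in api_pipe_alter_context is logged with `DEBUG(0, ...)`, while the same condition in api_pipe_bind_auth3 uses `DEBUG(1, ...)`. The condition is reached on a value taken from the client's packet, so at level 0, which Samba writes regardless of the configured log level, a peer can make the server emit a log line per request. Using `DEBUG(1, ("Auth level mismatch! Client sent %d, "` here would match the auth3 path and keep the message out of default logs. The function body continues outside the hunk.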