From bc001b09b0213ac1a3c6171d6a9250a924213d67 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 8 Jul 2015 00:01:37 +0200
Subject: [PATCH] CVE-2015-5370: s3:rpc_server: make use of
 pipe_auth_data->auth_context_id
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This is better than using hardcoded values.
We need to use the value the client used in the BIND request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---
 source3/rpc_server/rpc_ncacn_np.c |  1 +
 source3/rpc_server/srv_pipe.c     | 13 +++++++------
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
index 5514956b983..5647596f559 100644
--- a/source3/rpc_server/rpc_ncacn_np.c
+++ b/source3/rpc_server/rpc_ncacn_np.c
@@ -977,6 +977,7 @@ static NTSTATUS rpc_pipe_open_external(TALLOC_CTX *mem_ctx,
 	}
 	result->auth->auth_type = DCERPC_AUTH_TYPE_NONE;
 	result->auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
+	result->auth->auth_context_id = 0;
 
 	status = rpccli_anon_bind_data(result, &auth);
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index bb3c3e8691c..821623c7cd8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -539,6 +539,7 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
 	p->auth.auth_ctx = gensec_security;
 	p->auth.auth_type = auth_info->auth_type;
 	p->auth.auth_level = auth_info->auth_level;
+	p->auth.auth_context_id = auth_info->auth_context_id;
 
 	if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
 		p->auth.client_hdr_signing = true;
@@ -812,6 +813,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 	} else {
 		p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
 		p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
+		p->auth.auth_context_id = 0;
 	}
 
 	ZERO_STRUCT(u.bind_ack);
@@ -862,12 +864,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 	}
 
 	if (auth_resp.length) {
-
 		status = dcerpc_push_dcerpc_auth(pkt,
 						 p->auth.auth_type,
 						 p->auth.auth_level,
-						 0,
-						 1, /* auth_context_id */
+						 0, /* pad_len */
+						 p->auth.auth_context_id,
 						 &auth_resp,
 						 &auth_blob);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -1222,10 +1223,10 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 
 	if (auth_resp.length) {
 		status = dcerpc_push_dcerpc_auth(pkt,
-						 auth_info.auth_type,
-						 auth_info.auth_level,
+						 p->auth.auth_type,
+						 p->auth.auth_level,
 						 0, /* pad_len */
-						 1, /* auth_context_id */
+						 p->auth.auth_context_id,
 						 &auth_resp,
 						 &auth_blob);
 		if (!NT_STATUS_IS_OK(status)) {
-- 
2.11.4.GIT