authorGregor Beck <gbeck@sernet.de>2014-01-09 13:55:27 +0100
committerGünther Deschner <gd@samba.org>2014-02-11 16:02:14 +0100
commit1eef03aa93056f12d2614cfedee60461db3ac4a3 (patch)
treeff2afa490b405a03dcfb7d509c82392e10af8a66
parent6836ffc9fc088ea6c4444b9e4abfe2766a54f6a8 (diff)
s3:rpc_server: check header of each packet fragment
Signed-off-by: Gregor Beck <gbeck@sernet.de> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
-rw-r--r--source3/rpc_server/rpc_pipes.h3
-rw-r--r--source3/rpc_server/srv_pipe.c11
2 files changed, 14 insertions, 0 deletions
diff --git a/source3/rpc_server/rpc_pipes.h b/source3/rpc_server/rpc_pipes.h
index 4be57d8f96..1c33a27798 100644
--- a/source3/rpc_server/rpc_pipes.h
+++ b/source3/rpc_server/rpc_pipes.h
@@ -164,6 +164,9 @@ struct pipes_struct {
/* operation number retrieved from the rpc header */
uint16_t opnum;
+ /* rpc header information to check fragments for consistency */
+ struct dcerpc_sec_vt_header2 header2;
+
/* private data for the interface implementation */
void *private_data;
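Review bot: The comment on the new `header2` member does not say which fragment's header it holds or when the value is valid. Going by the srv_pipe.c part of this commit, it is written when a fragment carries DCERPC_PFC_FLAG_FIRST and read for every other fragment, so a comment such as `/* header fields of the first fragment of the current request; later fragments must match (see process_request_pdu) */` would record that. struct pipes_struct begins and ends outside the hunk.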
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 29e5b8af8e..f58eba49f8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1432,6 +1432,7 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
{
NTSTATUS status;
DATA_BLOB data;
+ struct dcerpc_sec_vt_header2 hdr2;
if (!p->pipe_bound) {
DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
@@ -1439,6 +1440,16 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
return False;
}
+ hdr2 = dcerpc_sec_vt_header2_from_ncacn_packet(pkt);
+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST) {
+ p->header2 = hdr2;
+ } else {
+ if (!dcerpc_sec_vt_header2_equal(&hdr2, &p->header2)) {
+ set_incoming_fault(p);
+ return false;
+ }
+ }
+
/* Store the opnum */
p->opnum = pkt->u.request.opnum;
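Review bot: In the `else` branch, a fragment without DCERPC_PFC_FLAG_FIRST is compared against `p->header2` whether or not a first fragment of the current request was ever stored. Nothing in the hunk clears or validates that member, so the comparison may run against a header left over from an earlier, already completed request, or against the member's initial contents; whether fragment ordering is enforced elsewhere is not visible here and is worth confirming. The mismatch path also faults without a log line, unlike the no-bind check just above it. Adding `DEBUG(1,("process_request_pdu: fragment header mismatch.\n"));` before `set_incoming_fault(p);` would let operators see rejected fragments. process_request_pdu continues beyond the end of the hunk.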