$OpenBSD: patch-source3_rpc_server_netlogon_srv_netlog_nt_c,v 1.2 2015/02/25 01:37:49 jca Exp $

- CVE-2013-4408: DCE-RPC fragment length field is incorrectly checked.

- CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon
  server could lead to remote-code execution.
  https://bugzilla.samba.org/show_bug.cgi?id=11077

--- source3/rpc_server/netlogon/srv_netlog_nt.c.orig	Wed May  8 10:16:26 2013
+++ source3/rpc_server/netlogon/srv_netlog_nt.c	Mon Feb 23 19:51:23 2015
@@ -586,7 +586,7 @@ static NTSTATUS samr_find_machine_account(TALLOC_CTX *
 		status = NT_STATUS_NO_SUCH_USER;
 		goto out;
 	}
-	if (rids.count != types.count) {
+	if (types.count != 1) {
 		status = NT_STATUS_INVALID_PARAMETER;
 		goto out;
 	}
@@ -1070,6 +1070,10 @@ static NTSTATUS netr_creds_server_step_check(struct pi
 	NTSTATUS status;
 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
 
+	if (creds_out != NULL) {
+		*creds_out = NULL;
+	}
+
 	if (schannel_global_required) {
 		status = schannel_check_required(&p->auth,
 						 computer_name,
@@ -1205,7 +1209,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *
 {
 	NTSTATUS status = NT_STATUS_OK;
 	int i;
-	struct netlogon_creds_CredentialState *creds;
+	struct netlogon_creds_CredentialState *creds = NULL;
 
 	DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
 
@@ -1218,9 +1222,14 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *
 	unbecome_root();
 
 	if (!NT_STATUS_IS_OK(status)) {
+		const char *computer_name = "<unknown>";
+
+		if (creds != NULL && creds->computer_name != NULL) {
+			computer_name = creds->computer_name;
+		}
 		DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
 			"request from client %s machine account %s\n",
-			r->in.computer_name, creds->computer_name));
+			r->in.computer_name, computer_name));
 		TALLOC_FREE(creds);
 		return status;
 	}
