Fix denial of service - memory corruption.

CVE-2011-0719

Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).

All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.

A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).

Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.

1 files changed, 12 insertions, 0 deletions

diff --git a/source/client/dnsbrowse.c b/source/client/dnsbrowse.c
index 5e3a4de9cff..aa2fb22ad65 100644
--- a/source/client/dnsbrowse.c
+++ b/source/client/dnsbrowse.c
@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result *browsesrv)
 			TALLOC_FREE(fdset);
 		}
 
+		if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+			errno = EBADF;
+			break;
+		}
+
 		fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
 		fdset = TALLOC_ZERO(ctx, fdsetsz);
 		FD_SET(mdnsfd, fdset);
@@ -183,6 +188,13 @@ int do_smb_browse(void)
 
 		fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
 		fdset = TALLOC_ZERO(ctx, fdsetsz);
+
+		if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+			errno = EBADF;
+			TALLOC_FREE(ctx);
+			return 1;
+		}
+
 		FD_SET(mdnsfd, fdset);
 
 		tv.tv_sec = 1;