diff options
author | Karolin Seeger <kseeger@samba.org> | 2011-02-27 18:28:29 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2011-02-27 18:28:29 +0100 |
commit | 724e44eed299c618066dec411530aa9f156119ec (patch) | |
tree | 143e8ac3903ebff1b46382c5b0e89fc74a5d8eac /source/lib/util_sock.c | |
parent | 23ec2b1a988fff922864a03b6061c6bc2e584ce0 (diff) | |
download | samba-724e44eed299c618066dec411530aa9f156119ec.tar.gz samba-724e44eed299c618066dec411530aa9f156119ec.tar.xz samba-724e44eed299c618066dec411530aa9f156119ec.zip |
Fix denial of service - memory corruption.
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
Diffstat (limited to 'source/lib/util_sock.c')
-rw-r--r-- | source/lib/util_sock.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c index 650bd1302f8..8aa2c97f235 100644 --- a/source/lib/util_sock.c +++ b/source/lib/util_sock.c @@ -960,6 +960,11 @@ NTSTATUS read_socket_with_timeout(int fd, char *buf, timeout.tv_usec = (long)(1000 * (time_out % 1000)); for (nread=0; nread < mincnt; ) { + if (fd < 0 || fd >= FD_SETSIZE) { + errno = EBADF; + return map_nt_error_from_unix(EBADF); + } + FD_ZERO(&fds); FD_SET(fd,&fds); @@ -1492,7 +1497,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, for (i=0; i<num_addrs; i++) { sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0); - if (sockets[i] < 0) + if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) goto done; set_blocking(sockets[i], false); } @@ -1541,8 +1546,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, FD_ZERO(&r_fds); for (i=0; i<num_addrs; i++) { - if (sockets[i] == -1) + if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) { + /* This cannot happen - ignore if so. */ continue; + } FD_SET(sockets[i], &wr_fds); FD_SET(sockets[i], &r_fds); if (sockets[i]>maxfd) |