diff options
| author | Karolin Seeger <kseeger@samba.org> | 2011-02-27 18:28:29 +0100 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2011-02-27 18:28:29 +0100 |
| commit | 724e44eed299c618066dec411530aa9f156119ec (patch) | |
| tree | 143e8ac3903ebff1b46382c5b0e89fc74a5d8eac /source/lib | |
| parent | 23ec2b1a988fff922864a03b6061c6bc2e584ce0 (diff) | |
| download | samba-724e44eed299c618066dec411530aa9f156119ec.tar.gz samba-724e44eed299c618066dec411530aa9f156119ec.tar.xz samba-724e44eed299c618066dec411530aa9f156119ec.zip | |
Fix denial of service - memory corruption.
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
Diffstat (limited to 'source/lib')
| -rw-r--r-- | source/lib/events.c | 13 | ||||
| -rw-r--r-- | source/lib/packet.c | 5 | ||||
| -rw-r--r-- | source/lib/readline.c | 5 | ||||
| -rw-r--r-- | source/lib/select.c | 6 | ||||
| -rw-r--r-- | source/lib/util_sock.c | 11 |
5 files changed, 38 insertions, 2 deletions
diff --git a/source/lib/events.c b/source/lib/events.c index cd20ceb43f8..2ddbab7f24a 100644 --- a/source/lib/events.c +++ b/source/lib/events.c @@ -140,6 +140,11 @@ struct fd_event *event_add_fd(struct event_context *event_ctx, { struct fd_event *fde; + if (fd < 0 || fd >= FD_SETSIZE) { + errno = EBADF; + return NULL; + } + if (!(fde = TALLOC_P(mem_ctx, struct fd_event))) { return NULL; } @@ -190,6 +195,14 @@ bool event_add_to_select_args(struct event_context *event_ctx, bool ret = False; for (fde = event_ctx->fd_events; fde; fde = fde->next) { + if (fde->fd < 0 || fde->fd >= FD_SETSIZE) { + /* We ignore here, as it shouldn't be + possible to add an invalid fde->fd + but we don't want FD_SET to see an + invalid fd. */ + continue; + } + if (fde->flags & EVENT_FD_READ) { FD_SET(fde->fd, read_fds); ret = True; diff --git a/source/lib/packet.c b/source/lib/packet.c index e0486165f34..512c7f2f8f5 100644 --- a/source/lib/packet.c +++ b/source/lib/packet.c @@ -106,6 +106,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx) int res; fd_set r_fds; + if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) { + errno = EBADF; + return map_nt_error_from_unix(errno); + } + FD_ZERO(&r_fds); FD_SET(ctx->fd, &r_fds); diff --git a/source/lib/readline.c b/source/lib/readline.c index 34867aad9e7..70a82f27ab7 100644 --- a/source/lib/readline.c +++ b/source/lib/readline.c @@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void) timeout.tv_sec = 5; timeout.tv_usec = 0; + if (fd < 0 || fd >= FD_SETSIZE) { + errno = EBADF; + break; + } + FD_ZERO(&fds); FD_SET(fd,&fds); diff --git a/source/lib/select.c b/source/lib/select.c index c3da6a9bbaf..2d5f02c0945 100644 --- a/source/lib/select.c +++ b/source/lib/select.c @@ -61,6 +61,11 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s if (pipe(select_pipe) == -1) smb_panic("Could not create select pipe"); + if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) { + errno = EBADF; + return -1; + } + /* * These next two lines seem to fix a bug with the Linux * 2.0.x kernel (and probably other UNIXes as well) where @@ -87,6 +92,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s readfds2 = &readfds_buf; FD_ZERO(readfds2); } + FD_SET(select_pipe[0], readfds2); errno = 0; diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c index 650bd1302f8..8aa2c97f235 100644 --- a/source/lib/util_sock.c +++ b/source/lib/util_sock.c @@ -960,6 +960,11 @@ NTSTATUS read_socket_with_timeout(int fd, char *buf, timeout.tv_usec = (long)(1000 * (time_out % 1000)); for (nread=0; nread < mincnt; ) { + if (fd < 0 || fd >= FD_SETSIZE) { + errno = EBADF; + return map_nt_error_from_unix(EBADF); + } + FD_ZERO(&fds); FD_SET(fd,&fds); @@ -1492,7 +1497,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, for (i=0; i<num_addrs; i++) { sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0); - if (sockets[i] < 0) + if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) goto done; set_blocking(sockets[i], false); } @@ -1541,8 +1546,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, FD_ZERO(&r_fds); for (i=0; i<num_addrs; i++) { - if (sockets[i] == -1) + if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) { + /* This cannot happen - ignore if so. */ continue; + } FD_SET(sockets[i], &wr_fds); FD_SET(sockets[i], &r_fds); if (sockets[i]>maxfd) |