diff options
author | Karolin Seeger <kseeger@samba.org> | 2011-02-27 18:28:29 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2011-02-27 18:28:29 +0100 |
commit | 724e44eed299c618066dec411530aa9f156119ec (patch) | |
tree | 143e8ac3903ebff1b46382c5b0e89fc74a5d8eac /source/nsswitch | |
parent | 23ec2b1a988fff922864a03b6061c6bc2e584ce0 (diff) | |
download | samba-724e44eed299c618066dec411530aa9f156119ec.tar.gz samba-724e44eed299c618066dec411530aa9f156119ec.tar.xz samba-724e44eed299c618066dec411530aa9f156119ec.zip |
Fix denial of service - memory corruption.
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
Diffstat (limited to 'source/nsswitch')
-rw-r--r-- | source/nsswitch/wb_common.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/source/nsswitch/wb_common.c b/source/nsswitch/wb_common.c index a1646215bdf..4f76bd0cffe 100644 --- a/source/nsswitch/wb_common.c +++ b/source/nsswitch/wb_common.c @@ -240,6 +240,12 @@ static int winbind_named_pipe_sock(const char *dir) switch (errno) { case EINPROGRESS: + + if (fd < 0 || fd >= FD_SETSIZE) { + errno = EBADF; + goto error_out; + } + FD_ZERO(&w_fds); FD_SET(fd, &w_fds); tv.tv_sec = CONNECT_TIMEOUT - wait_time; @@ -383,7 +389,13 @@ int winbind_write_sock(void *buffer, int count, int recursing, int need_priv) while(nwritten < count) { struct timeval tv; fd_set r_fds; - + + if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) { + errno = EBADF; + winbind_close_sock(); + return -1; + } + /* Catch pipe close on other end by checking if a read() call would not block by calling select(). */ @@ -443,7 +455,13 @@ int winbind_read_sock(void *buffer, int count) while(nread < count) { struct timeval tv; fd_set r_fds; - + + if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) { + errno = EBADF; + winbind_close_sock(); + return -1; + } + /* Catch pipe close on other end by checking if a read() call would not block by calling select(). */ |