diff options
| author | Karolin Seeger <kseeger@samba.org> | 2011-02-27 18:28:29 +0100 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2011-02-27 18:28:29 +0100 |
| commit | 724e44eed299c618066dec411530aa9f156119ec (patch) | |
| tree | 143e8ac3903ebff1b46382c5b0e89fc74a5d8eac /source/smbd/oplock_irix.c | |
| parent | 23ec2b1a988fff922864a03b6061c6bc2e584ce0 (diff) | |
| download | samba-724e44eed299c618066dec411530aa9f156119ec.tar.gz samba-724e44eed299c618066dec411530aa9f156119ec.tar.xz samba-724e44eed299c618066dec411530aa9f156119ec.zip | |
Fix denial of service - memory corruption.
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
Diffstat (limited to 'source/smbd/oplock_irix.c')
| -rw-r--r-- | source/smbd/oplock_irix.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/source/smbd/oplock_irix.c b/source/smbd/oplock_irix.c index 8c287c9836e..6e86fac65b2 100644 --- a/source/smbd/oplock_irix.c +++ b/source/smbd/oplock_irix.c @@ -284,6 +284,11 @@ struct kernel_oplocks *irix_init_kernel_oplocks(void) return False; } + if (pfd[0] < 0 || pfd[0] >= FD_SETSIZE) { + DEBUG(0,("setup_kernel_oplock_pipe: fd out of range.\n")); + return False; + } + oplock_pipe_read = pfd[0]; oplock_pipe_write = pfd[1]; |