Fix denial of service - memory corruption.

CVE-2011-0719

Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).

All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.

A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).

Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.

1 files changed, 11 insertions, 1 deletions

diff --git a/source/winbindd/winbindd.c b/source/winbindd/winbindd.c
index 1d618e26317..6b5c251bf6b 100644
--- a/source/winbindd/winbindd.c
+++ b/source/winbindd/winbindd.c
@@ -836,7 +836,8 @@ static void process_loop(void)
 	listen_sock = open_winbindd_socket();
 	listen_priv_sock = open_winbindd_priv_socket();
 
-	if (listen_sock == -1 || listen_priv_sock == -1) {
+	if (listen_sock < 0 || listen_sock >= FD_SETSIZE ||
+			listen_priv_sock < 0 || listen_priv_sock >= FD_SETSIZE) {
 		perror("open_winbind_socket");
 		exit(1);
 	}
@@ -861,6 +862,9 @@ static void process_loop(void)
 
 	FD_ZERO(&r_fds);
 	FD_ZERO(&w_fds);
+
+	/* We check the range for listen_sock and
+	   listen_priv_sock above. */
 	FD_SET(listen_sock, &r_fds);
 	FD_SET(listen_priv_sock, &r_fds);
 
@@ -890,6 +894,12 @@ static void process_loop(void)
 	}
 
 	for (ev = fd_events; ev; ev = ev->next) {
+		if (ev->fd < 0 || ev->fd >= FD_SETSIZE) {
+			/* Ignore here - event_add_to_select_args
+			   should make this impossible. */
+			continue;
+		}
+
 		if (ev->flags & EVENT_FD_READ) {
 			FD_SET(ev->fd, &r_fds);
 			maxfd = MAX(ev->fd, maxfd);