From 724e44eed299c618066dec411530aa9f156119ec Mon Sep 17 00:00:00 2001
From: Karolin Seeger <kseeger@samba.org>
Date: Sun, 27 Feb 2011 18:28:29 +0100
Subject: Fix denial of service - memory corruption.

CVE-2011-0719

Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).

All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.

A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).

Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
---
 source/lib/events.c    | 13 +++++++++++++
 source/lib/packet.c    |  5 +++++
 source/lib/readline.c  |  5 +++++
 source/lib/select.c    |  6 ++++++
 source/lib/util_sock.c | 11 +++++++++--
 5 files changed, 38 insertions(+), 2 deletions(-)

(limited to 'source/lib')

diff --git a/source/lib/events.c b/source/lib/events.c
index cd20ceb43f8..2ddbab7f24a 100644
--- a/source/lib/events.c
+++ b/source/lib/events.c
@@ -140,6 +140,11 @@ struct fd_event *event_add_fd(struct event_context *event_ctx,
 {
 	struct fd_event *fde;
 
+	if (fd < 0 || fd >= FD_SETSIZE) {
+		errno = EBADF;
+		return NULL;
+	}
+
 	if (!(fde = TALLOC_P(mem_ctx, struct fd_event))) {
 		return NULL;
 	}
@@ -190,6 +195,14 @@ bool event_add_to_select_args(struct event_context *event_ctx,
 	bool ret = False;
 
 	for (fde = event_ctx->fd_events; fde; fde = fde->next) {
+		if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+			/* We ignore here, as it shouldn't be
+			   possible to add an invalid fde->fd
+			   but we don't want FD_SET to see an
+			   invalid fd. */
+			continue;
+		}
+
 		if (fde->flags & EVENT_FD_READ) {
 			FD_SET(fde->fd, read_fds);
 			ret = True;
diff --git a/source/lib/packet.c b/source/lib/packet.c
index e0486165f34..512c7f2f8f5 100644
--- a/source/lib/packet.c
+++ b/source/lib/packet.c
@@ -106,6 +106,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx)
 	int res;
 	fd_set r_fds;
 
+	if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) {
+		errno = EBADF;
+		return map_nt_error_from_unix(errno);
+	}
+
 	FD_ZERO(&r_fds);
 	FD_SET(ctx->fd, &r_fds);
 
diff --git a/source/lib/readline.c b/source/lib/readline.c
index 34867aad9e7..70a82f27ab7 100644
--- a/source/lib/readline.c
+++ b/source/lib/readline.c
@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void)
 		timeout.tv_sec = 5;
 		timeout.tv_usec = 0;
 
+		if (fd < 0 || fd >= FD_SETSIZE) {
+			errno = EBADF;
+			break;
+		}
+
 		FD_ZERO(&fds);
 		FD_SET(fd,&fds);
 
diff --git a/source/lib/select.c b/source/lib/select.c
index c3da6a9bbaf..2d5f02c0945 100644
--- a/source/lib/select.c
+++ b/source/lib/select.c
@@ -61,6 +61,11 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
 		if (pipe(select_pipe) == -1)
 			smb_panic("Could not create select pipe");
 
+		if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) {
+			errno = EBADF;
+			return -1;
+		}
+
 		/*
 		 * These next two lines seem to fix a bug with the Linux
 		 * 2.0.x kernel (and probably other UNIXes as well) where
@@ -87,6 +92,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
 		readfds2 = &readfds_buf;
 		FD_ZERO(readfds2);
 	}
+
 	FD_SET(select_pipe[0], readfds2);
 
 	errno = 0;
diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
index 650bd1302f8..8aa2c97f235 100644
--- a/source/lib/util_sock.c
+++ b/source/lib/util_sock.c
@@ -960,6 +960,11 @@ NTSTATUS read_socket_with_timeout(int fd, char *buf,
 	timeout.tv_usec = (long)(1000 * (time_out % 1000));
 
 	for (nread=0; nread < mincnt; ) {
+		if (fd < 0 || fd >= FD_SETSIZE) {
+			errno = EBADF;
+			return map_nt_error_from_unix(EBADF);
+		}
+
 		FD_ZERO(&fds);
 		FD_SET(fd,&fds);
 
@@ -1492,7 +1497,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
 
 	for (i=0; i<num_addrs; i++) {
 		sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
-		if (sockets[i] < 0)
+		if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE)
 			goto done;
 		set_blocking(sockets[i], false);
 	}
@@ -1541,8 +1546,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
 	FD_ZERO(&r_fds);
 
 	for (i=0; i<num_addrs; i++) {
-		if (sockets[i] == -1)
+		if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
+			/* This cannot happen - ignore if so. */
 			continue;
+		}
 		FD_SET(sockets[i], &wr_fds);
 		FD_SET(sockets[i], &r_fds);
 		if (sockets[i]>maxfd)
-- 
cgit