From 724e44eed299c618066dec411530aa9f156119ec Mon Sep 17 00:00:00 2001 From: Karolin Seeger Date: Sun, 27 Feb 2011 18:28:29 +0100 Subject: Fix denial of service - memory corruption. CVE-2011-0719 Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open). All current released versions of Samba are vulnerable to a denial of service caused by memory corruption. Range checks on file descriptors being used in the FD_SET macro were not present allowing stack corruption. This can cause the Samba code to crash or to loop attempting to select on a bad file descriptor set. A connection to a file share, or a local account is needed to exploit this problem, either authenticated or unauthenticated (guest connection). Currently we do not believe this flaw is exploitable beyond a crash or causing the code to loop, but on the advice of our security reviewers we are releasing fixes in case an exploit is discovered at a later date. --- source/winbindd/winbindd.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'source/winbindd/winbindd.c') diff --git a/source/winbindd/winbindd.c b/source/winbindd/winbindd.c index 1d618e26317..6b5c251bf6b 100644 --- a/source/winbindd/winbindd.c +++ b/source/winbindd/winbindd.c @@ -836,7 +836,8 @@ static void process_loop(void) listen_sock = open_winbindd_socket(); listen_priv_sock = open_winbindd_priv_socket(); - if (listen_sock == -1 || listen_priv_sock == -1) { + if (listen_sock < 0 || listen_sock >= FD_SETSIZE || + listen_priv_sock < 0 || listen_priv_sock >= FD_SETSIZE) { perror("open_winbind_socket"); exit(1); } @@ -861,6 +862,9 @@ static void process_loop(void) FD_ZERO(&r_fds); FD_ZERO(&w_fds); + + /* We check the range for listen_sock and + listen_priv_sock above. */ FD_SET(listen_sock, &r_fds); FD_SET(listen_priv_sock, &r_fds); @@ -890,6 +894,12 @@ static void process_loop(void) } for (ev = fd_events; ev; ev = ev->next) { + if (ev->fd < 0 || ev->fd >= FD_SETSIZE) { + /* Ignore here - event_add_to_select_args + should make this impossible. */ + continue; + } + if (ev->flags & EVENT_FD_READ) { FD_SET(ev->fd, &r_fds); maxfd = MAX(ev->fd, maxfd); -- cgit