author | Ken Raeburn <raeburn@mit.edu> | 2008-03-18 18:55:26 +0000 |
---|---|---|
committer | Ken Raeburn <raeburn@mit.edu> | 2008-03-18 18:55:26 +0000 |
commit | d8d990c823f7ba6070622acf5ff2d08af7c1d7a9 (patch) | |
tree | 22ac46ec09ebd94a20f9e06d54e48ae38a823fb4 /src | |
parent | f62112276c2147b1334585322db40cd45da30ace (diff) | |
MITKRB5-SA-2008-002
Fix MITKRB5-SA-2008-002: array overrun in libgssrpc.
Don't update the internally-tracked maximum file descriptor value if
the new one is FD_SETSIZE (or NOFILE) or above. Reject TCP file
descriptors of FD_SETSIZE (NOFILE) or above.
ticket: new
target_version: 1.6.4
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20278 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/rpc/svc.c | 6 | ||||
-rw-r--r-- | src/lib/rpc/svc_tcp.c | 25 |
2 files changed, 29 insertions, 2 deletions
diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c
index 93b4fd121..25b13f63b 100644
--- a/src/lib/rpc/svc.c
+++ b/src/lib/rpc/svc.c
@@ -109,15 +109,17 @@ xprt_register(SVCXPRT *xprt)
 if (sock < FD_SETSIZE) {
 xports[sock] = xprt;
 FD_SET(sock, &svc_fdset);
+ if (sock > svc_maxfd)
+ svc_maxfd = sock;
 }
 #else
 if (sock < NOFILE) {
 xports[sock] = xprt;
 svc_fds |= (1 << sock);
+ if (sock > svc_maxfd)
+ svc_maxfd = sock;
 }
 #endif /* def FD_SETSIZE */
- if (sock > svc_maxfd)
- svc_maxfd = sock;
 }
 /*
diff --git a/src/lib/rpc/svc_tcp.c b/src/lib/rpc/svc_tcp.c
index e48d50455..a81221f34 100644
--- a/src/lib/rpc/svc_tcp.c
+++ b/src/lib/rpc/svc_tcp.c
@@ -54,6 +54,14 @@ static char sccsid[] = "@(#)svc_tcp.c 1.21 87/08/11 Copyr 1984 Sun Micro";
 extern errno;
 */
+#ifndef FD_SETSIZE
+#ifdef NBBY
+#define NOFILE (sizeof(int) * NBBY)
+#else
+#define NOFILE (sizeof(int) * 8)
+#endif
+#endif
+
 /*
 * Ops vector for TCP/IP based rpc service handle
 */
@@ -215,6 +223,19 @@ makefd_xprt(
 register SVCXPRT *xprt;
 register struct tcp_conn *cd;
+#ifdef FD_SETSIZE
+ if (fd >= FD_SETSIZE) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+ xprt = NULL;
+ goto done;
+ }
+#else
+ if (fd >= NOFILE) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+ xprt = NULL;
+ goto done;
+ }
+#endif
 xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
 if (xprt == (SVCXPRT *)NULL) {
 (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
@@ -271,6 +292,10 @@ rendezvous_request(
 * make a new transporter (re-uses xprt)
 */
 xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
+ if (xprt == NULL) {
+ close(sock);
+ return (FALSE);
+ }
 xprt->xp_raddr = addr;
 xprt->xp_addrlen = len;
 xprt->xp_laddr = laddr; |
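Review bot: In the svc.c hunk for xprt_register, the `sock < FD_SETSIZE` guard bounds the descriptor only from above, so if `sock` is a signed int (its declaration is outside the hunk) a negative value would still index `xports[sock]` and reach `FD_SET`. The same one-sided test appears in the makefd_xprt hunk in svc_tcp.c as `fd >= FD_SETSIZE`. I would make both two-sided: `if (sock >= 0 && sock < FD_SETSIZE) {` and `if (fd < 0 || fd >= FD_SETSIZE) {`. If svc.c defines NOFILE as the unsigned `sizeof` expression that svc_tcp.c uses, the `#else` branches already reject negatives through conversion, but an explicit test there would state the intent. xprt_register begins before this hunk, so whether callers already exclude negative descriptors cannot be confirmed from here.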
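Review bot: The NOFILE fallback added near the top of svc_tcp.c has no comment saying what it bounds, and the `sock < NOFILE` test in svc.c relies on a definition that is not visible in this commit, so the two limits can drift apart unnoticed. I would add a comment above the `#ifndef FD_SETSIZE` block, for example `/* Without FD_SETSIZE the service fd set appears to be a single int bitmask (see svc_fds in svc.c); NOFILE is its bit count and must match svc.c. */`. Moving the macro into a header shared by both files would remove the duplication; whether a suitable header exists is not shown here.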
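Review bot: The rejection message added to makefd_xprt in svc_tcp.c, `"svc_tcp: makefd_xprt: fd too high\n"`, omits the descriptor and the limit, which are what an operator needs to tell descriptor exhaustion from a build with an unexpectedly small limit. Assuming `fd` is an int (the parameter list is outside the hunk), `(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd %d too high (limit %d)\n", fd, (int) FD_SETSIZE);` would cover the first branch, with NOFILE in the `#else` branch. The message is written once per rejected connection with no rate limit, so sustained rejections can flood stderr. The `done` label targeted by `goto done` is outside the hunk.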
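Review bot: The NULL check added to rendezvous_request in svc_tcp.c carries no comment on which failures it covers. From the makefd_xprt hunk, NULL comes back for a descriptor at or above the limit, and apparently also on the out-of-memory path, which before this change would have gone on to `xprt->xp_raddr = addr;`. I would add `/* makefd_xprt failed (fd over the fd_set limit or out of memory): drop the connection */` above `if (xprt == NULL) {`. The rest of rendezvous_request is outside the hunk, so what `return (FALSE)` means to its caller cannot be checked from here.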