1 files changed, 75 insertions, 0 deletions

diff --git a/krb5-CVE-2008-0947.patch b/krb5-CVE-2008-0947.patch
new file mode 100644
index 0000000..0a0183c
--- /dev/null
+++ b/krb5-CVE-2008-0947.patch
@@ -0,0 +1,75 @@
+Patch from MITKRB5-SA-2008-002.
+=== src/lib/rpc/svc.c
+==================================================================
+--- src/lib/rpc/svc.c   (revision 1666)
++++ src/lib/rpc/svc.c   (local)
+@@ -109,15 +109,17 @@
+ 	if (sock < FD_SETSIZE) {
+ 		xports[sock] = xprt;
+ 		FD_SET(sock, &svc_fdset);
++		if (sock > svc_maxfd)
++			svc_maxfd = sock;
+ 	}
+ #else
+ 	if (sock < NOFILE) {
+ 		xports[sock] = xprt;
+ 		svc_fds |= (1 << sock);
++		if (sock > svc_maxfd)
++			svc_maxfd = sock;
+ 	}
+ #endif /* def FD_SETSIZE */
+-	if (sock > svc_maxfd)
+-		svc_maxfd = sock;
+ }
+  
+ /*
+=== src/lib/rpc/svc_tcp.c
+==================================================================
+--- src/lib/rpc/svc_tcp.c       (revision 1666)
++++ src/lib/rpc/svc_tcp.c       (local)
+@@ -54,6 +54,14 @@
+ extern errno;
+ */
+ 
++#ifndef FD_SETSIZE
++#ifdef NBBY
++#define NOFILE (sizeof(int) * NBBY)
++#else
++#define NOFILE (sizeof(int) * 8)
++#endif
++#endif
++
+ /*
+  * Ops vector for TCP/IP based rpc service handle
+  */
+@@ -215,6 +223,19 @@
+ 	register SVCXPRT *xprt;
+ 	register struct tcp_conn *cd;
+  
++#ifdef FD_SETSIZE
++	if (fd >= FD_SETSIZE) {
++		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
++		xprt = NULL;
++		goto done;
++	}
++#else
++	if (fd >= NOFILE) {
++		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
++		xprt = NULL;
++		goto done;
++	}
++#endif
+ 	xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
+ 	if (xprt == (SVCXPRT *)NULL) {
+ 		(void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
+@@ -271,6 +292,10 @@
+ 	 * make a new transporter (re-uses xprt)
+ 	 */
+ 	xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
++	if (xprt == NULL) {
++		close(sock);
++		return (FALSE);
++	}
+ 	xprt->xp_raddr = addr;
+ 	xprt->xp_addrlen = len;
+ 	xprt->xp_laddr = laddr;