| field | value | date |
|---|---|---|
| author | Jeremy Allison <jra@samba.org> | 2011-02-27 18:16:20 +0100 |
| committer | Karolin Seeger <kseeger@samba.org> | 2011-02-28 14:52:18 +0100 |
| commit | feb3fcd0fa4bda0967b881315595d7702f4d1752 (patch) | |
| tree | d1dbcfdd58fed95847082a330f47fab5d7a3caa5 /source3/lib/packet.c | |
| parent | dff57d78ee0c5528c67a5a86bb356e9729107b11 (diff) | |
| download | samba-feb3fcd0fa4bda0967b881315595d7702f4d1752.tar.gz | |
Fix denial of service - memory corruption.
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
(cherry picked from commit 43babef991feedbe2acb77d27254d302ab107fa8)
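The defect the commit message describes, shown as an added example in C that is not Samba code: FD_SET indexes a fixed bitmap of FD_SETSIZE bits, so a descriptor outside [0, FD_SETSIZE) writes past the fd_set on the stack. The hypothetical helpers `fd_set_checked` and `wait_readable` apply the same range check as the fix and fail with EBADF instead; `pipe_is_readable` is a constructed self-check.

```c
#include <errno.h>
#include <stdbool.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical helper (not Samba's): an fd outside [0, FD_SETSIZE) would
 * index past the FD_SETSIZE-bit bitmap that FD_SET writes into, which is the
 * stack corruption described above. Reject it with EBADF, as the fix does. */
static bool fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EBADF;
        return false;
    }
    FD_SET(fd, set);
    return true;
}

/* Wait for fd to become readable: 1 = readable, 0 = timed out,
 * -1 = error with errno set (EBADF for an out-of-range fd). */
static int wait_readable(int fd, struct timeval *timeout)
{
    fd_set r_fds;
    int res;
    FD_ZERO(&r_fds);
    if (!fd_set_checked(fd, &r_fds)) {
        return -1;
    }
    do {
        res = select(fd + 1, &r_fds, NULL, NULL, timeout);
    } while (res == -1 && errno == EINTR);
    return res;
}

/* Constructed check: a pipe holding one pending byte must report readable. */
static int pipe_is_readable(void)
{
    int p[2], res;
    struct timeval tv = { .tv_sec = 1, .tv_usec = 0 };
    if (pipe(p) != 0 || write(p[1], "x", 1) != 1) {
        return -1;
    }
    res = wait_readable(p[0], &tv);
    close(p[0]);
    close(p[1]);
    return res;
}
```

Passing -1 or FD_SETSIZE to `wait_readable` returns -1 with errno set to EBADF before FD_SET is ever reached, which is the behaviour the patched `packet_fd_read_sync` now has.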
Diffstat (limited to 'source3/lib/packet.c')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | source3/lib/packet.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/source3/lib/packet.c b/source3/lib/packet.c index ef28bf9f625..c14d1e51ec3 100644 --- a/source3/lib/packet.c +++ b/source3/lib/packet.c @@ -106,6 +106,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx) int res; fd_set r_fds; + if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) { + errno = EBADF; + return map_nt_error_from_unix(errno); + } + FD_ZERO(&r_fds); FD_SET(ctx->fd, &r_fds); |
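Review bot: the new `ctx->fd < 0 || ctx->fd >= FD_SETSIZE` guard before FD_ZERO/FD_SET in packet_fd_read_sync has no comment saying why it is there; a one-liner noting that FD_SET indexes a fixed FD_SETSIZE-bit bitmap, so a larger fd writes past `r_fds` on the stack (the CVE-2011-0719 corruption the commit message describes), would stop a later reader from "simplifying" it away. Minor style: assigning errno only to read it straight back is redundant, `return map_nt_error_from_unix(EBADF);` says the same unless callers are expected to find EBADF in errno afterwards, in which case that intent is also worth a comment. The check also fires only at read time; if ctx->fd is assigned in one place when the context is created, validating it there as well would reject a bad descriptor up front rather than on the first read.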