diff options
| author | Jeremy Allison <jra@samba.org> | 2011-02-27 17:58:06 +0100 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2011-02-27 18:00:09 +0100 |
| commit | c3ad6eb506623435d3d9ce62d6f34ed1c960d4be (patch) | |
| tree | 243604df916ab59382f7ffce9f485f3773e96bbc /source3/lib | |
| parent | 01a15b10d185fcb3be6ceaf29fd0b70a5b0c98fd (diff) | |
| download | samba-c3ad6eb506623435d3d9ce62d6f34ed1c960d4be.tar.gz | |
Fix denial of service - memory corruption.
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
Diffstat (limited to 'source3/lib')
| -rw-r--r-- | source3/lib/events.c | 8 | ||||
| -rw-r--r-- | source3/lib/g_lock.c | 4 | ||||
| -rw-r--r-- | source3/lib/packet.c | 5 | ||||
| -rw-r--r-- | source3/lib/readline.c | 5 | ||||
| -rw-r--r-- | source3/lib/select.c | 12 | ||||
| -rw-r--r-- | source3/lib/util_sock.c | 15 |
6 files changed, 45 insertions, 4 deletions
diff --git a/source3/lib/events.c b/source3/lib/events.c index 75aa2507266..63aba589474 100644 --- a/source3/lib/events.c +++ b/source3/lib/events.c @@ -55,6 +55,14 @@ bool event_add_to_select_args(struct tevent_context *ev, bool ret = false; for (fde = ev->fd_events; fde; fde = fde->next) { + if (fde->fd < 0 || fde->fd >= FD_SETSIZE) { + /* We ignore here, as it shouldn't be + possible to add an invalid fde->fd + but we don't want FD_SET to see an + invalid fd. */ + continue; + } + if (fde->flags & EVENT_FD_READ) { FD_SET(fde->fd, read_fds); ret = true; diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c index 17260478865..356c104bd15 100644 --- a/source3/lib/g_lock.c +++ b/source3/lib/g_lock.c @@ -391,7 +391,9 @@ NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, const char *name, r_fds = &_r_fds; FD_ZERO(r_fds); max_fd = ctdbd_conn_get_fd(conn); - FD_SET(max_fd, r_fds); + if (max_fd >= 0 && max_fd < FD_SETSIZE) { + FD_SET(max_fd, r_fds); + } } #endif diff --git a/source3/lib/packet.c b/source3/lib/packet.c index c131b973bc3..8d815c99515 100644 --- a/source3/lib/packet.c +++ b/source3/lib/packet.c @@ -107,6 +107,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx, int res; fd_set r_fds; + if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) { + errno = EBADF; + return map_nt_error_from_unix(errno); + } + FD_ZERO(&r_fds); FD_SET(ctx->fd, &r_fds); diff --git a/source3/lib/readline.c b/source3/lib/readline.c index 34867aad9e7..70a82f27ab7 100644 --- a/source3/lib/readline.c +++ b/source3/lib/readline.c @@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void) timeout.tv_sec = 5; timeout.tv_usec = 0; + if (fd < 0 || fd >= FD_SETSIZE) { + errno = EBADF; + break; + } + FD_ZERO(&fds); FD_SET(fd,&fds); diff --git a/source3/lib/select.c b/source3/lib/select.c index b5443ff20ca..2230b43475a 100644 --- a/source3/lib/select.c +++ b/source3/lib/select.c @@ -75,6 +75,17 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s return -1; } + if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) { + DEBUG(0, ("sys_select: bad fd\n")); + if (readfds != NULL) + FD_ZERO(readfds); + if (writefds != NULL) + FD_ZERO(writefds); + if (errorfds != NULL) + FD_ZERO(errorfds); + errno = EBADF; + return -1; + } /* * These next two lines seem to fix a bug with the Linux * 2.0.x kernel (and probably other UNIXes as well) where @@ -101,6 +112,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s readfds2 = &readfds_buf; FD_ZERO(readfds2); } + FD_SET(select_pipe[0], readfds2); errno = 0; diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c index 08cbced1e51..7a573ad5204 100644 --- a/source3/lib/util_sock.c +++ b/source3/lib/util_sock.c @@ -495,6 +495,11 @@ NTSTATUS read_fd_with_timeout(int fd, char *buf, timeout.tv_usec = (long)(1000 * (time_out % 1000)); for (nread=0; nread < mincnt; ) { + if (fd < 0 || fd >= FD_SETSIZE) { + errno = EBADF; + return map_nt_error_from_unix(EBADF); + } + FD_ZERO(&fds); FD_SET(fd,&fds); @@ -1235,7 +1240,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, for (i=0; i<num_addrs; i++) { sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0); - if (sockets[i] < 0) + if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) goto done; set_blocking(sockets[i], false); } @@ -1284,8 +1289,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, FD_ZERO(&r_fds); for (i=0; i<num_addrs; i++) { - if (sockets[i] == -1) + if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) { + /* This cannot happen - ignore if so. */ continue; + } FD_SET(sockets[i], &wr_fds); FD_SET(sockets[i], &r_fds); if (sockets[i]>maxfd) @@ -1305,8 +1312,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, for (i=0; i<num_addrs; i++) { - if (sockets[i] == -1) + if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) { + /* This cannot happen - ignore if so. */ continue; + } /* Stevens, Network Programming says that if there's a * successful connect, the socket is only writable. Upon an |