Part of fix for bug 8276 - FD_SET out of bounds access crash.

Ensure we never add fd's set to -1 to the pollfd set.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Jun 30 21:15:25 CEST 2011 on sn-devel-104

diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index a89f49c8fc97257c0cc134364953381cba655c0c..0324c9dd4274402d31d2088785f79bd94f3a1762 100644 (file)
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -1698,7 +1698,12 @@ static bool create_listen_pollfds(struct pollfd **pfds,
        for (subrec = FIRST_SUBNET;
             subrec != NULL;
             subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
-               count += 2;     /* nmb_sock and dgram_sock */
+               if (subrec->nmb_sock != -1) {
+                       count += 1;
+               }
+               if (subrec->dgram_sock != -1) {
+                       count += 1;
+               }
                if (subrec->nmb_bcast != -1) {
                        count += 1;
                }
@@ -1736,10 +1741,12 @@ static bool create_listen_pollfds(struct pollfd **pfds,
 
        for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
 
-               fds[num].fd = subrec->nmb_sock;
-               attrs[num].type = NMB_PACKET;
-               attrs[num].broadcast = false;
-               num += 1;
+               if (subrec->nmb_sock != -1) {
+                       fds[num].fd = subrec->nmb_sock;
+                       attrs[num].type = NMB_PACKET;
+                       attrs[num].broadcast = false;
+                       num += 1;
+               }
 
                if (subrec->nmb_bcast != -1) {
                        fds[num].fd = subrec->nmb_bcast;
@@ -1748,10 +1755,12 @@ static bool create_listen_pollfds(struct pollfd **pfds,
                        num += 1;
                }
 
-               fds[num].fd = subrec->dgram_sock;
-               attrs[num].type = DGRAM_PACKET;
-               attrs[num].broadcast = false;
-               num += 1;
+               if (subrec->dgram_sock != -1) {
+                       fds[num].fd = subrec->dgram_sock;
+                       attrs[num].type = DGRAM_PACKET;
+                       attrs[num].broadcast = false;
+                       num += 1;
+               }
 
                if (subrec->dgram_bcast != -1) {
                        fds[num].fd = subrec->dgram_bcast;