From 3a504d48c39a9dda97b3d02d63c247329631d168 Mon Sep 17 00:00:00 2001
From: Gary Lockyer
Date: Mon, 11 Dec 2017 09:39:43 +1300
Subject: [PATCH] source3/rpc_server/rpc_server.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that the socket is unavailable to any child process created by system(). Making it harder for malicious code to set up a command channel, as seen in the exploit for CVE-2015-0240

Signed-off-by: Gary Lockyer
Reviewed-by: Andrew Bartlett
---
 source3/rpc_server/rpc_server.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index e15cd205cdc..94335b3ea53 100644
--- source3/rpc_server/rpc_server.c
+++ source3/rpc_server/rpc_server.c
@@ -216,6 +216,7 @@ static void named_pipe_listener(struct tevent_context *ev,
 }
 return;
 }
+ smb_set_close_on_exec(sd);
 DEBUG(6, ("Accepted socket %d\n", sd));
@@ -722,6 +723,7 @@ static void dcerpc_ncacn_tcpip_listener(struct tevent_context *ev,
 }
 return;
 }
+ smb_set_close_on_exec(s);
 rc = tsocket_address_bsd_from_sockaddr(state, (struct sockaddr *)(void *) &addr,
@@ -892,6 +894,7 @@ static void dcerpc_ncalrpc_listener(struct tevent_context *ev,
 }
 return;
 }
+ smb_set_close_on_exec(sd);
 rc = tsocket_address_bsd_from_sockaddr(state, addr, len,
-- 
2.34.1
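Review bot: The result of `smb_set_close_on_exec(sd)` is discarded in named_pipe_listener, and the same applies to the calls added in dcerpc_ncacn_tcpip_listener and dcerpc_ncalrpc_listener. If the helper can report failure (its definition is not visible here, so this is an assumption), the accepted socket silently stays inheritable by children, which is the condition this hardening is meant to rule out. Assuming a boolean result, a check such as `if (!smb_set_close_on_exec(sd)) { DEBUG(0, ("close-on-exec not set on socket %d\n", sd)); }` would make that case visible in the logs. The flag is also set in a separate step after the accept, so where the platform provides it, `accept4()` with `SOCK_CLOEXEC` would apply it atomically and remove the short window in which a concurrent fork could inherit the descriptor. All three functions begin and end outside the hunks, so the accept calls themselves cannot be checked from here.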