CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to a denial of service caused by memory corruption. Range checks on file descriptors being used in the FD_SET macro were not present, allowing stack corruption. This can cause the Samba code to crash or to loop attempting to select on a bad file descriptor set.

A connection to a file share, or a local account, is needed to exploit this problem, either authenticated or unauthenticated (guest connection).

Currently we do not believe this flaw is exploitable beyond a crash or causing the code to loop, but on the advice of our security reviewers we are releasing fixes in case an exploit is discovered at a later date.
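The guard the fix introduces, shown as a stand-alone added example (not Samba's code): `safe_fd_set` and `build_read_set` are hypothetical names, and the descriptor array is constructed input. FD_SET has no bounds check of its own, so the caller must reject descriptors outside `[0, FD_SETSIZE)` before touching the set.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>

/* FD_SET(fd, set) sets bit `fd` in a fixed-size fd_set, so a descriptor that
 * is negative or >= FD_SETSIZE writes outside the buffer; on a stack-allocated
 * fd_set that is the stack corruption the advisory describes. This guard
 * mirrors the check added by the fix (example code, not Samba's own). */

/* Returns 0 and sets the bit on success; returns -1 with errno = EBADF
 * when fd is outside [0, FD_SETSIZE). */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EBADF;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Build a read set from an array of descriptors, the role of the
 * "setup any fd events" loop in the patch. Returns the highest fd on
 * success (select()'s nfds is that value + 1), or -1 with errno = EBADF
 * and *bad_index set to the offending array slot. */
int build_read_set(const int *fds, size_t nfds, fd_set *r_fds, size_t *bad_index)
{
    int maxfd = -1;
    FD_ZERO(r_fds);
    for (size_t i = 0; i < nfds; i++) {
        if (safe_fd_set(fds[i], r_fds) < 0) {
            if (bad_index) *bad_index = i;
            return -1;
        }
        if (fds[i] > maxfd) maxfd = fds[i];
    }
    return maxfd;
}

int main(void)
{
    fd_set r_fds;
    size_t bad = 0;
    int fds[] = { 0, 5, FD_SETSIZE };  /* constructed input; last fd is out of range */
    if (build_read_set(fds, 3, &r_fds, &bad) < 0)
        printf("fd %d at index %zu rejected: %s\n", fds[bad], bad, strerror(errno));
    return 0;
}
```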
struct select_event_context);
struct tevent_fd *fde;
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return NULL;
+ }
+
fde = tevent_common_add_fd(ev, mem_ctx, fd, flags,
handler, private_data,
handler_name, location);
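Review bot: the range check before tevent_common_add_fd returns NULL with errno set to EBADF, which is the right place to reject the descriptor, but callers of this path that only test for a NULL return cannot tell the new EBADF failure apart from an allocation failure; document the new errno value in the function's comment so callers can report it. Nothing has been allocated before the early return, so leaving `fde` unused there is fine.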
/* setup any fd events */
for (fde = select_ev->ev->fd_events; fde; fde = fde->next) {
+ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return -1;
+ }
+
if (fde->flags & TEVENT_FD_READ) {
FD_SET(fde->fd, &r_fds);
}
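Review bot: the check inside the loop returns -1 with errno = EBADF after r_fds may already have been partially populated by earlier iterations; that is safe as long as the caller abandons the select() on -1, but the error carries no indication of which descriptor was rejected. Suggest logging fde->fd before the `return -1;` so an operator can trace which handler registered an out-of-range descriptor.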
/* setup any fd events */
for (fde = std_ev->ev->fd_events; fde; fde = fde->next) {
+ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+ std_ev->exit_code = EBADF;
+ return -1;
+ }
+
if (fde->flags & TEVENT_FD_READ) {
FD_SET(fde->fd, &r_fds);
}
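Review bot: this hunk reports the bad descriptor via std_ev->exit_code = EBADF, while the equivalent check in the select backend sets errno = EBADF, so the two backends now signal the same condition differently. Either set errno here as well before `return -1;`, or note in the commit message why the standard backend uses exit_code, so callers and tests do not rely on errno in one backend but not the other.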