From: Gustavo Zacarias Date: Fri, 4 Mar 2011 14:22:25 +0000 (-0300) Subject: samba: add security fix for CVE-2011-0719 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=a3cd2e7671521d60f1a281400d8eca7188bff225;p=buildroot.git samba: add security fix for CVE-2011-0719 Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard --- diff --git a/package/samba/samba-3.3.14-CVE-2011-0719.patch b/package/samba/samba-3.3.14-CVE-2011-0719.patch new file mode 100644 index 0000000000..1cb8580aab --- /dev/null +++ b/package/samba/samba-3.3.14-CVE-2011-0719.patch @@ -0,0 +1,613 @@ +From 724e44eed299c618066dec411530aa9f156119ec Mon Sep 17 00:00:00 2001 +From: Karolin Seeger +Date: Sun, 27 Feb 2011 18:28:29 +0100 +Subject: [PATCH] Fix denial of service - memory corruption. + +CVE-2011-0719 + +Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open). + +All current released versions of Samba are vulnerable to +a denial of service caused by memory corruption. Range +checks on file descriptors being used in the FD_SET macro +were not present allowing stack corruption. This can cause +the Samba code to crash or to loop attempting to select +on a bad file descriptor set. + +A connection to a file share, or a local account is needed +to exploit this problem, either authenticated or unauthenticated +(guest connection). + +Currently we do not believe this flaw is exploitable +beyond a crash or causing the code to loop, but on the +advice of our security reviewers we are releasing fixes +in case an exploit is discovered at a later date. +--- + source/client/client.c | 4 +++- + source/client/dnsbrowse.c | 12 ++++++++++++ + source/lib/events.c | 13 +++++++++++++ + source/lib/packet.c | 5 +++++ + source/lib/readline.c | 5 +++++ + source/lib/select.c | 6 ++++++ + source/lib/util_sock.c | 11 +++++++++-- + source/libaddns/dnssock.c | 6 +++++- + source/libsmb/nmblib.c | 5 +++++ + source/nmbd/nmbd_packets.c | 24 ++++++++++++++++++++++-- + source/nsswitch/wb_common.c | 22 ++++++++++++++++++++-- + source/printing/printing.c | 5 +++++ + source/smbd/dnsregister.c | 6 ++++++ + source/smbd/oplock.c | 5 ++++- + source/smbd/oplock_irix.c | 5 +++++ + source/smbd/process.c | 2 +- + source/smbd/server.c | 29 +++++++++++++++++++++-------- + source/utils/smbfilter.c | 8 ++++++-- + source/winbindd/winbindd.c | 12 +++++++++++- + source/winbindd/winbindd_dual.c | 7 +++++++ + 20 files changed, 171 insertions(+), 21 deletions(-) + +diff --git a/source/client/client.c b/source/client/client.c +index 53bd9e6..a989441 100644 +--- a/source/client/client.c ++++ b/source/client/client.c +@@ -4379,8 +4379,10 @@ static void readline_callback(void) + + again: + +- if (cli->fd == -1) ++ if (cli->fd < 0 || cli->fd >= FD_SETSIZE) { ++ errno = EBADF; + return; ++ } + + FD_ZERO(&fds); + FD_SET(cli->fd,&fds); +diff --git a/source/client/dnsbrowse.c b/source/client/dnsbrowse.c +index 5e3a4de..aa2fb22 100644 +--- a/source/client/dnsbrowse.c ++++ b/source/client/dnsbrowse.c +@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result *browsesrv) + TALLOC_FREE(fdset); + } + ++ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) { ++ errno = EBADF; ++ break; ++ } ++ + fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask); + fdset = TALLOC_ZERO(ctx, fdsetsz); + FD_SET(mdnsfd, fdset); +@@ -183,6 +188,13 @@ int do_smb_browse(void) + + fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask); + fdset = TALLOC_ZERO(ctx, fdsetsz); ++ ++ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) { ++ errno = EBADF; ++ TALLOC_FREE(ctx); ++ return 1; ++ } ++ + FD_SET(mdnsfd, fdset); + + tv.tv_sec = 1; +diff --git a/source/lib/events.c b/source/lib/events.c +index cd20ceb..2ddbab7 100644 +--- a/source/lib/events.c ++++ b/source/lib/events.c +@@ -140,6 +140,11 @@ struct fd_event *event_add_fd(struct event_context *event_ctx, + { + struct fd_event *fde; + ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ errno = EBADF; ++ return NULL; ++ } ++ + if (!(fde = TALLOC_P(mem_ctx, struct fd_event))) { + return NULL; + } +@@ -190,6 +195,14 @@ bool event_add_to_select_args(struct event_context *event_ctx, + bool ret = False; + + for (fde = event_ctx->fd_events; fde; fde = fde->next) { ++ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) { ++ /* We ignore here, as it shouldn't be ++ possible to add an invalid fde->fd ++ but we don't want FD_SET to see an ++ invalid fd. */ ++ continue; ++ } ++ + if (fde->flags & EVENT_FD_READ) { + FD_SET(fde->fd, read_fds); + ret = True; +diff --git a/source/lib/packet.c b/source/lib/packet.c +index e048616..512c7f2 100644 +--- a/source/lib/packet.c ++++ b/source/lib/packet.c +@@ -106,6 +106,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx) + int res; + fd_set r_fds; + ++ if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) { ++ errno = EBADF; ++ return map_nt_error_from_unix(errno); ++ } ++ + FD_ZERO(&r_fds); + FD_SET(ctx->fd, &r_fds); + +diff --git a/source/lib/readline.c b/source/lib/readline.c +index 34867aa..70a82f2 100644 +--- a/source/lib/readline.c ++++ b/source/lib/readline.c +@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void) + timeout.tv_sec = 5; + timeout.tv_usec = 0; + ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ errno = EBADF; ++ break; ++ } ++ + FD_ZERO(&fds); + FD_SET(fd,&fds); + +diff --git a/source/lib/select.c b/source/lib/select.c +index c3da6a9..2d5f02c 100644 +--- a/source/lib/select.c ++++ b/source/lib/select.c +@@ -61,6 +61,11 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s + if (pipe(select_pipe) == -1) + smb_panic("Could not create select pipe"); + ++ if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) { ++ errno = EBADF; ++ return -1; ++ } ++ + /* + * These next two lines seem to fix a bug with the Linux + * 2.0.x kernel (and probably other UNIXes as well) where +@@ -87,6 +92,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s + readfds2 = &readfds_buf; + FD_ZERO(readfds2); + } ++ + FD_SET(select_pipe[0], readfds2); + + errno = 0; +diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c +index 650bd13..8aa2c97 100644 +--- a/source/lib/util_sock.c ++++ b/source/lib/util_sock.c +@@ -960,6 +960,11 @@ NTSTATUS read_socket_with_timeout(int fd, char *buf, + timeout.tv_usec = (long)(1000 * (time_out % 1000)); + + for (nread=0; nread < mincnt; ) { ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ errno = EBADF; ++ return map_nt_error_from_unix(EBADF); ++ } ++ + FD_ZERO(&fds); + FD_SET(fd,&fds); + +@@ -1492,7 +1497,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, + + for (i=0; i= FD_SETSIZE) + goto done; + set_blocking(sockets[i], false); + } +@@ -1541,8 +1546,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, + FD_ZERO(&r_fds); + + for (i=0; i= FD_SETSIZE) { ++ /* This cannot happen - ignore if so. */ + continue; ++ } + FD_SET(sockets[i], &wr_fds); + FD_SET(sockets[i], &r_fds); + if (sockets[i]>maxfd) +diff --git a/source/libaddns/dnssock.c b/source/libaddns/dnssock.c +index 7c8bd41..f427bd5 100644 +--- a/source/libaddns/dnssock.c ++++ b/source/libaddns/dnssock.c +@@ -218,7 +218,11 @@ static DNS_ERROR read_all(int fd, uint8 *data, size_t len) + while (total < len) { + ssize_t ret; + int fd_ready; +- ++ ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ return ERROR_DNS_SOCKET_ERROR; ++ } ++ + FD_ZERO( &rfds ); + FD_SET( fd, &rfds ); + +diff --git a/source/libsmb/nmblib.c b/source/libsmb/nmblib.c +index bfe5e7b..768e54d 100644 +--- a/source/libsmb/nmblib.c ++++ b/source/libsmb/nmblib.c +@@ -1097,6 +1097,11 @@ struct packet_struct *receive_packet(int fd,enum packet_type type,int t) + struct timeval timeout; + int ret; + ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ errno = EBADF; ++ return NULL; ++ } ++ + FD_ZERO(&fds); + FD_SET(fd,&fds); + timeout.tv_sec = t/1000; +diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c +index 4b97819..03e5362 100644 +--- a/source/nmbd/nmbd_packets.c ++++ b/source/nmbd/nmbd_packets.c +@@ -1683,7 +1683,7 @@ static bool create_listen_fdset(fd_set **ppset, int **psock_array, int *listen_n + for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) + count++; + +- if((count*2) + 2 > FD_SETSIZE) { ++ if((count*2) + 2 >= FD_SETSIZE) { + DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \ + only use %d.\n", (count*2) + 2, FD_SETSIZE)); + SAFE_FREE(pset); +@@ -1699,24 +1699,44 @@ only use %d.\n", (count*2) + 2, FD_SETSIZE)); + FD_ZERO(pset); + + /* Add in the broadcast socket on 137. */ ++ if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) { ++ errno = EBADF; ++ SAFE_FREE(pset); ++ return True; ++ } ++ + FD_SET(ClientNMB,pset); + sock_array[num++] = ClientNMB; + *maxfd = MAX( *maxfd, ClientNMB); + + /* Add in the 137 sockets on all the interfaces. */ + for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { ++ if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) { ++ /* We have to ignore sockets outside FD_SETSIZE. */ ++ continue; ++ } + FD_SET(subrec->nmb_sock,pset); + sock_array[num++] = subrec->nmb_sock; + *maxfd = MAX( *maxfd, subrec->nmb_sock); + } + + /* Add in the broadcast socket on 138. */ ++ if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) { ++ errno = EBADF; ++ SAFE_FREE(pset); ++ return True; ++ } ++ + FD_SET(ClientDGRAM,pset); + sock_array[num++] = ClientDGRAM; + *maxfd = MAX( *maxfd, ClientDGRAM); + + /* Add in the 138 sockets on all the interfaces. */ + for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { ++ if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE) { ++ /* We have to ignore sockets outside FD_SETSIZE. */ ++ continue; ++ } + FD_SET(subrec->dgram_sock,pset); + sock_array[num++] = subrec->dgram_sock; + *maxfd = MAX( *maxfd, subrec->dgram_sock); +@@ -1767,7 +1787,7 @@ bool listen_for_packets(bool run_election) + + #ifndef SYNC_DNS + dns_fd = asyncdns_fd(); +- if (dns_fd != -1) { ++ if (dns_fd >= 0 && dns_fd < FD_SETSIZE) { + FD_SET(dns_fd, &r_fds); + maxfd = MAX( maxfd, dns_fd); + } +diff --git a/source/nsswitch/wb_common.c b/source/nsswitch/wb_common.c +index a164621..4f76bd0 100644 +--- a/source/nsswitch/wb_common.c ++++ b/source/nsswitch/wb_common.c +@@ -240,6 +240,12 @@ static int winbind_named_pipe_sock(const char *dir) + + switch (errno) { + case EINPROGRESS: ++ ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ errno = EBADF; ++ goto error_out; ++ } ++ + FD_ZERO(&w_fds); + FD_SET(fd, &w_fds); + tv.tv_sec = CONNECT_TIMEOUT - wait_time; +@@ -383,7 +389,13 @@ int winbind_write_sock(void *buffer, int count, int recursing, int need_priv) + while(nwritten < count) { + struct timeval tv; + fd_set r_fds; +- ++ ++ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) { ++ errno = EBADF; ++ winbind_close_sock(); ++ return -1; ++ } ++ + /* Catch pipe close on other end by checking if a read() + call would not block by calling select(). */ + +@@ -443,7 +455,13 @@ int winbind_read_sock(void *buffer, int count) + while(nread < count) { + struct timeval tv; + fd_set r_fds; +- ++ ++ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) { ++ errno = EBADF; ++ winbind_close_sock(); ++ return -1; ++ } ++ + /* Catch pipe close on other end by checking if a read() + call would not block by calling select(). */ + +diff --git a/source/printing/printing.c b/source/printing/printing.c +index a9272eb..c3b8c61 100644 +--- a/source/printing/printing.c ++++ b/source/printing/printing.c +@@ -1407,6 +1407,11 @@ void start_background_queue(void) + exit(1); + } + ++ if (pause_pipe[1] < 0 || pause_pipe[1] >= FD_SETSIZE) { ++ DEBUG(5,("start_background_queue: pipe fd out of range.\n")); ++ exit(1); ++ } ++ + background_lpq_updater_pid = sys_fork(); + + if (background_lpq_updater_pid == -1) { +diff --git a/source/smbd/dnsregister.c b/source/smbd/dnsregister.c +index f02739e..3c689b9 100644 +--- a/source/smbd/dnsregister.c ++++ b/source/smbd/dnsregister.c +@@ -125,6 +125,9 @@ void dns_register_smbd(struct dns_reg_state ** dns_state_ptr, + */ + if (dns_state->srv_ref != NULL) { + mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref); ++ if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) { ++ return; ++ } + FD_SET(mdnsd_conn_fd, listen_set); + return; + } +@@ -156,6 +159,9 @@ void dns_register_smbd(struct dns_reg_state ** dns_state_ptr, + } + + mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref); ++ if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) { ++ return; ++ } + FD_SET(mdnsd_conn_fd, listen_set); + *maxfd = MAX(*maxfd, mdnsd_conn_fd); + *timeout = timeval_zero(); +diff --git a/source/smbd/oplock.c b/source/smbd/oplock.c +index a07d05d..5ae3fdf 100644 +--- a/source/smbd/oplock.c ++++ b/source/smbd/oplock.c +@@ -241,7 +241,10 @@ bool downgrade_oplock(files_struct *fsp) + int oplock_notify_fd(void) + { + if (koplocks) { +- return koplocks->notification_fd; ++ int fd = koplocks->notification_fd; ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ return -1; ++ } + } + + return -1; +diff --git a/source/smbd/oplock_irix.c b/source/smbd/oplock_irix.c +index 8c287c9..6e86fac 100644 +--- a/source/smbd/oplock_irix.c ++++ b/source/smbd/oplock_irix.c +@@ -284,6 +284,11 @@ struct kernel_oplocks *irix_init_kernel_oplocks(void) + return False; + } + ++ if (pfd[0] < 0 || pfd[0] >= FD_SETSIZE) { ++ DEBUG(0,("setup_kernel_oplock_pipe: fd out of range.\n")); ++ return False; ++ } ++ + oplock_pipe_read = pfd[0]; + oplock_pipe_write = pfd[1]; + +diff --git a/source/smbd/process.c b/source/smbd/process.c +index 403c7c6..9b8f29b 100644 +--- a/source/smbd/process.c ++++ b/source/smbd/process.c +@@ -698,7 +698,7 @@ static void async_processing(fd_set *pfds) + + static int select_on_fd(int fd, int maxfd, fd_set *fds) + { +- if (fd != -1) { ++ if (fd != -1 && fd < FD_SETSIZE) { + FD_SET(fd, fds); + maxfd = MAX(maxfd, fd); + } +diff --git a/source/smbd/server.c b/source/smbd/server.c +index 5129484..a670334 100644 +--- a/source/smbd/server.c ++++ b/source/smbd/server.c +@@ -209,7 +209,13 @@ static bool open_sockets_inetd(void) + /* Started from inetd. fd 0 is the socket. */ + /* We will abort gracefully when the client or remote system + goes away */ +- smbd_set_server_fd(dup(0)); ++ int fd = dup(0); ++ ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ return false; ++ } ++ ++ smbd_set_server_fd(fd); + + /* close our standard file descriptors */ + close_low_fds(False); /* Don't close stderr */ +@@ -436,7 +442,8 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_ + num_sockets == 0 ? 0 : 2, + ifss, + true); +- if(s == -1) { ++ if(s < 0 || s >= FD_SETSIZE) { ++ close(s); + continue; + } + +@@ -516,7 +523,7 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_ + num_sockets == 0 ? 0 : 2, + &ss, + true); +- if (s == -1) { ++ if (s < 0 || s >= FD_SETSIZE) { + continue; + } + +@@ -709,6 +716,7 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_ + struct sockaddr addr; + socklen_t in_addrlen = sizeof(addr); + pid_t child = 0; ++ int fd; + + s = -1; + for(i = 0; i < num_sockets; i++) { +@@ -721,16 +729,21 @@ static bool open_sockets_smbd(bool is_daemon, bool interactive, const char *smb_ + } + } + +- smbd_set_server_fd(accept(s,&addr,&in_addrlen)); +- +- if (smbd_server_fd() == -1 && errno == EINTR) ++ fd = accept(s,&addr,&in_addrlen); ++ if (fd == -1 && errno == EINTR) + continue; +- +- if (smbd_server_fd() == -1) { ++ if (fd == -1) { + DEBUG(2,("open_sockets_smbd: accept: %s\n", + strerror(errno))); + continue; + } ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ DEBUG(2,("open_sockets_smbd: bad fd %d\n", ++ fd )); ++ continue; ++ } ++ ++ smbd_set_server_fd(fd); + + /* Ensure child is set to blocking mode */ + set_blocking(smbd_server_fd(),True); +diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c +index 1e22a40..45f9207 100644 +--- a/source/utils/smbfilter.c ++++ b/source/utils/smbfilter.c +@@ -162,8 +162,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss) + int num; + + FD_ZERO(&fds); +- if (s != -1) FD_SET(s, &fds); +- if (c != -1) FD_SET(c, &fds); ++ if (s >= 0 && s < FD_SETSIZE) FD_SET(s, &fds); ++ if (c >= 0 && c < FD_SETSIZE) FD_SET(c, &fds); + + num = sys_select_intr(MAX(s+1, c+1),&fds,NULL,NULL,NULL); + if (num <= 0) continue; +@@ -235,6 +235,10 @@ static void start_filter(char *desthost) + struct sockaddr_storage ss; + socklen_t in_addrlen = sizeof(ss); + ++ if (s < 0 || s >= FD_SETSIZE) { ++ break; ++ } ++ + FD_ZERO(&fds); + FD_SET(s, &fds); + +diff --git a/source/winbindd/winbindd.c b/source/winbindd/winbindd.c +index 1d618e2..6b5c251 100644 +--- a/source/winbindd/winbindd.c ++++ b/source/winbindd/winbindd.c +@@ -836,7 +836,8 @@ static void process_loop(void) + listen_sock = open_winbindd_socket(); + listen_priv_sock = open_winbindd_priv_socket(); + +- if (listen_sock == -1 || listen_priv_sock == -1) { ++ if (listen_sock < 0 || listen_sock >= FD_SETSIZE || ++ listen_priv_sock < 0 || listen_priv_sock >= FD_SETSIZE) { + perror("open_winbind_socket"); + exit(1); + } +@@ -861,6 +862,9 @@ static void process_loop(void) + + FD_ZERO(&r_fds); + FD_ZERO(&w_fds); ++ ++ /* We check the range for listen_sock and ++ listen_priv_sock above. */ + FD_SET(listen_sock, &r_fds); + FD_SET(listen_priv_sock, &r_fds); + +@@ -890,6 +894,12 @@ static void process_loop(void) + } + + for (ev = fd_events; ev; ev = ev->next) { ++ if (ev->fd < 0 || ev->fd >= FD_SETSIZE) { ++ /* Ignore here - event_add_to_select_args ++ should make this impossible. */ ++ continue; ++ } ++ + if (ev->flags & EVENT_FD_READ) { + FD_SET(ev->fd, &r_fds); + maxfd = MAX(ev->fd, maxfd); +diff --git a/source/winbindd/winbindd_dual.c b/source/winbindd/winbindd_dual.c +index ff004f2..b30ec20 100644 +--- a/source/winbindd/winbindd_dual.c ++++ b/source/winbindd/winbindd_dual.c +@@ -1250,6 +1250,12 @@ static bool fork_domain_child(struct winbindd_child *child) + return False; + } + ++ if (fdpair[0] < 0 || fdpair[0] >= FD_SETSIZE) { ++ DEBUG(0, ("fork_domain_child: bad fd range (%d)\n", fdpair[0])); ++ errno = EBADF; ++ return False; ++ } ++ + ZERO_STRUCT(state); + state.pid = sys_getpid(); + +@@ -1405,6 +1411,7 @@ static bool fork_domain_child(struct winbindd_child *child) + message_dispatch(winbind_messaging_context()); + + FD_ZERO(&read_fds); ++ /* We check state.sock against FD_SETSIZE above. */ + FD_SET(state.sock, &read_fds); + + ret = sys_select(state.sock + 1, &read_fds, NULL, NULL, tp); +-- +1.6.4.2 +