The branch, v3-3-stable has been updated
via 074ad65 WHATSNEW: Prepare 3.3.15 release notes.
via 724e44e Fix denial of service - memory corruption.
via 23ec2b1 VERSION: Bump version number up to 3.3.15.
from cdb6f49 WHATSNEW: Update release date.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-stable
- Log -----------------------------------------------------------------
commit 074ad65a4b429c7671043e062bec4d9f53df53bf
Author: Karolin Seeger <[email protected]>
Date: Sun Feb 27 18:49:27 2011 +0100
WHATSNEW: Prepare 3.3.15 release notes.
Karolin
commit 724e44eed299c618066dec411530aa9f156119ec
Author: Karolin Seeger <[email protected]>
Date: Sun Feb 27 18:28:29 2011 +0100
Fix denial of service - memory corruption.
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
commit 23ec2b1a988fff922864a03b6061c6bc2e584ce0
Author: Karolin Seeger <[email protected]>
Date: Sun Feb 27 18:27:59 2011 +0100
VERSION: Bump version number up to 3.3.15.
Karolin
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 53 +++++++++++++++++++++++++++++++++++++-
source/VERSION | 2 +-
source/client/client.c | 4 ++-
source/client/dnsbrowse.c | 12 +++++++++
source/lib/events.c | 13 +++++++++
source/lib/packet.c | 5 +++
source/lib/readline.c | 5 +++
source/lib/select.c | 6 ++++
source/lib/util_sock.c | 11 ++++++-
source/libaddns/dnssock.c | 6 +++-
source/libsmb/nmblib.c | 5 +++
source/nmbd/nmbd_packets.c | 24 ++++++++++++++++-
source/nsswitch/wb_common.c | 22 ++++++++++++++-
source/printing/printing.c | 5 +++
source/smbd/dnsregister.c | 6 ++++
source/smbd/oplock.c | 5 +++-
source/smbd/oplock_irix.c | 5 +++
source/smbd/process.c | 2 +-
source/smbd/server.c | 29 +++++++++++++++------
source/utils/smbfilter.c | 8 ++++-
source/winbindd/winbindd.c | 12 ++++++++-
source/winbindd/winbindd_dual.c | 7 +++++
22 files changed, 223 insertions(+), 24 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a5026cd..08a606b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,53 @@
==============================
+ Release Notes for Samba 3.3.15
+ February 28, 2011
+ ==============================
+
+
+This is a security release in order to address CVE-2011-0719.
+
+
+o CVE-2011-0719:
+ All current released versions of Samba are vulnerable to
+ a denial of service caused by memory corruption. Range
+ checks on file descriptors being used in the FD_SET macro
+ were not present allowing stack corruption. This can cause
+ the Samba code to crash or to loop attempting to select
+ on a bad file descriptor set.
+
+
+Changes since 3.3.14
+--------------------
+
+
+o Jeremy Allison <[email protected]>
+ * BUG 7949: Fix DoS in Winbind and smbd with many file descriptors open.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
Release Notes for Samba 3.3.14
September 14, 2010
==============================
@@ -50,8 +99,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 3.3.13
diff --git a/source/VERSION b/source/VERSION
index 83d25bc..6e41021 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=14
+SAMBA_VERSION_RELEASE=15
########################################################
# Bug fix releases use a letter for the patch revision #
diff --git a/source/client/client.c b/source/client/client.c
index 53bd9e6..a989441 100644
--- a/source/client/client.c
+++ b/source/client/client.c
@@ -4379,8 +4379,10 @@ static void readline_callback(void)
again:
- if (cli->fd == -1)
+ if (cli->fd < 0 || cli->fd >= FD_SETSIZE) {
+ errno = EBADF;
return;
+ }
FD_ZERO(&fds);
FD_SET(cli->fd,&fds);
diff --git a/source/client/dnsbrowse.c b/source/client/dnsbrowse.c
index 5e3a4de..aa2fb22 100644
--- a/source/client/dnsbrowse.c
+++ b/source/client/dnsbrowse.c
@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result
*browsesrv)
TALLOC_FREE(fdset);
}
+ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+ errno = EBADF;
+ break;
+ }
+
fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
fdset = TALLOC_ZERO(ctx, fdsetsz);
FD_SET(mdnsfd, fdset);
@@ -183,6 +188,13 @@ int do_smb_browse(void)
fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
fdset = TALLOC_ZERO(ctx, fdsetsz);
+
+ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+ errno = EBADF;
+ TALLOC_FREE(ctx);
+ return 1;
+ }
+
FD_SET(mdnsfd, fdset);
tv.tv_sec = 1;
diff --git a/source/lib/events.c b/source/lib/events.c
index cd20ceb..2ddbab7 100644
--- a/source/lib/events.c
+++ b/source/lib/events.c
@@ -140,6 +140,11 @@ struct fd_event *event_add_fd(struct event_context
*event_ctx,
{
struct fd_event *fde;
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return NULL;
+ }
+
if (!(fde = TALLOC_P(mem_ctx, struct fd_event))) {
return NULL;
}
@@ -190,6 +195,14 @@ bool event_add_to_select_args(struct event_context
*event_ctx,
bool ret = False;
for (fde = event_ctx->fd_events; fde; fde = fde->next) {
+ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+ /* We ignore here, as it shouldn't be
+ possible to add an invalid fde->fd
+ but we don't want FD_SET to see an
+ invalid fd. */
+ continue;
+ }
+
if (fde->flags & EVENT_FD_READ) {
FD_SET(fde->fd, read_fds);
ret = True;
diff --git a/source/lib/packet.c b/source/lib/packet.c
index e048616..512c7f2 100644
--- a/source/lib/packet.c
+++ b/source/lib/packet.c
@@ -106,6 +106,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx)
int res;
fd_set r_fds;
+ if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return map_nt_error_from_unix(errno);
+ }
+
FD_ZERO(&r_fds);
FD_SET(ctx->fd, &r_fds);
diff --git a/source/lib/readline.c b/source/lib/readline.c
index 34867aa..70a82f2 100644
--- a/source/lib/readline.c
+++ b/source/lib/readline.c
@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt,
void (*callback)(void)
timeout.tv_sec = 5;
timeout.tv_usec = 0;
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ break;
+ }
+
FD_ZERO(&fds);
FD_SET(fd,&fds);
diff --git a/source/lib/select.c b/source/lib/select.c
index c3da6a9..2d5f02c 100644
--- a/source/lib/select.c
+++ b/source/lib/select.c
@@ -61,6 +61,11 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds,
fd_set *errorfds, s
if (pipe(select_pipe) == -1)
smb_panic("Could not create select pipe");
+ if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) {
+ errno = EBADF;
+ return -1;
+ }
+
/*
* These next two lines seem to fix a bug with the Linux
* 2.0.x kernel (and probably other UNIXes as well) where
@@ -87,6 +92,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds,
fd_set *errorfds, s
readfds2 = &readfds_buf;
FD_ZERO(readfds2);
}
+
FD_SET(select_pipe[0], readfds2);
errno = 0;
diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
index 650bd13..8aa2c97 100644
--- a/source/lib/util_sock.c
+++ b/source/lib/util_sock.c
@@ -960,6 +960,11 @@ NTSTATUS read_socket_with_timeout(int fd, char *buf,
timeout.tv_usec = (long)(1000 * (time_out % 1000));
for (nread=0; nread < mincnt; ) {
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return map_nt_error_from_unix(EBADF);
+ }
+
FD_ZERO(&fds);
FD_SET(fd,&fds);
@@ -1492,7 +1497,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs,
int num_addrs,
for (i=0; i<num_addrs; i++) {
sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
- if (sockets[i] < 0)
+ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE)
goto done;
set_blocking(sockets[i], false);
}
@@ -1541,8 +1546,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs,
int num_addrs,
FD_ZERO(&r_fds);
for (i=0; i<num_addrs; i++) {
- if (sockets[i] == -1)
+ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
+ /* This cannot happen - ignore if so. */
continue;
+ }
FD_SET(sockets[i], &wr_fds);
FD_SET(sockets[i], &r_fds);
if (sockets[i]>maxfd)
diff --git a/source/libaddns/dnssock.c b/source/libaddns/dnssock.c
index 7c8bd41..f427bd5 100644
--- a/source/libaddns/dnssock.c
+++ b/source/libaddns/dnssock.c
@@ -218,7 +218,11 @@ static DNS_ERROR read_all(int fd, uint8 *data, size_t len)
while (total < len) {
ssize_t ret;
int fd_ready;
-
+
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ return ERROR_DNS_SOCKET_ERROR;
+ }
+
FD_ZERO( &rfds );
FD_SET( fd, &rfds );
diff --git a/source/libsmb/nmblib.c b/source/libsmb/nmblib.c
index bfe5e7b..768e54d 100644
--- a/source/libsmb/nmblib.c
+++ b/source/libsmb/nmblib.c
@@ -1097,6 +1097,11 @@ struct packet_struct *receive_packet(int fd,enum
packet_type type,int t)
struct timeval timeout;
int ret;
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return NULL;
+ }
+
FD_ZERO(&fds);
FD_SET(fd,&fds);
timeout.tv_sec = t/1000;
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index 4b97819..03e5362 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -1683,7 +1683,7 @@ static bool create_listen_fdset(fd_set **ppset, int
**psock_array, int *listen_n
for (subrec = FIRST_SUBNET; subrec; subrec =
NEXT_SUBNET_EXCLUDING_UNICAST(subrec))
count++;
- if((count*2) + 2 > FD_SETSIZE) {
+ if((count*2) + 2 >= FD_SETSIZE) {
DEBUG(0,("create_listen_fdset: Too many file descriptors needed
(%d). We can \
only use %d.\n", (count*2) + 2, FD_SETSIZE));
SAFE_FREE(pset);
@@ -1699,24 +1699,44 @@ only use %d.\n", (count*2) + 2, FD_SETSIZE));
FD_ZERO(pset);
/* Add in the broadcast socket on 137. */
+ if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) {
+ errno = EBADF;
+ SAFE_FREE(pset);
+ return True;
+ }
+
FD_SET(ClientNMB,pset);
sock_array[num++] = ClientNMB;
*maxfd = MAX( *maxfd, ClientNMB);
/* Add in the 137 sockets on all the interfaces. */
for (subrec = FIRST_SUBNET; subrec; subrec =
NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
+ if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) {
+ /* We have to ignore sockets outside FD_SETSIZE. */
+ continue;
+ }
FD_SET(subrec->nmb_sock,pset);
sock_array[num++] = subrec->nmb_sock;
*maxfd = MAX( *maxfd, subrec->nmb_sock);
}
/* Add in the broadcast socket on 138. */
+ if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) {
+ errno = EBADF;
+ SAFE_FREE(pset);
+ return True;
+ }
+
FD_SET(ClientDGRAM,pset);
sock_array[num++] = ClientDGRAM;
*maxfd = MAX( *maxfd, ClientDGRAM);
/* Add in the 138 sockets on all the interfaces. */
for (subrec = FIRST_SUBNET; subrec; subrec =
NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
+ if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE)
{
+ /* We have to ignore sockets outside FD_SETSIZE. */
+ continue;
+ }
FD_SET(subrec->dgram_sock,pset);
sock_array[num++] = subrec->dgram_sock;
*maxfd = MAX( *maxfd, subrec->dgram_sock);
@@ -1767,7 +1787,7 @@ bool listen_for_packets(bool run_election)
#ifndef SYNC_DNS
dns_fd = asyncdns_fd();
- if (dns_fd != -1) {
+ if (dns_fd >= 0 && dns_fd < FD_SETSIZE) {
FD_SET(dns_fd, &r_fds);
maxfd = MAX( maxfd, dns_fd);
}
diff --git a/source/nsswitch/wb_common.c b/source/nsswitch/wb_common.c
index a164621..4f76bd0 100644
--- a/source/nsswitch/wb_common.c
+++ b/source/nsswitch/wb_common.c
@@ -240,6 +240,12 @@ static int winbind_named_pipe_sock(const char *dir)
switch (errno) {
case EINPROGRESS:
+
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ goto error_out;
+ }
+
FD_ZERO(&w_fds);
FD_SET(fd, &w_fds);
tv.tv_sec = CONNECT_TIMEOUT - wait_time;
@@ -383,7 +389,13 @@ int winbind_write_sock(void *buffer, int count, int
recursing, int need_priv)
while(nwritten < count) {
struct timeval tv;
fd_set r_fds;
-
+
+ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
+ errno = EBADF;
+ winbind_close_sock();
+ return -1;
+ }
+
/* Catch pipe close on other end by checking if a read()
call would not block by calling select(). */
@@ -443,7 +455,13 @@ int winbind_read_sock(void *buffer, int count)
while(nread < count) {
struct timeval tv;
fd_set r_fds;
-
+
+ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
+ errno = EBADF;
+ winbind_close_sock();
+ return -1;
+ }
+
/* Catch pipe close on other end by checking if a read()
call would not block by calling select(). */
diff --git a/source/printing/printing.c b/source/printing/printing.c
index a9272eb..c3b8c61 100644
--- a/source/printing/printing.c
+++ b/source/printing/printing.c
@@ -1407,6 +1407,11 @@ void start_background_queue(void)
exit(1);
}
+ if (pause_pipe[1] < 0 || pause_pipe[1] >= FD_SETSIZE) {
+ DEBUG(5,("start_background_queue: pipe fd out of range.\n"));
+ exit(1);
+ }
+
background_lpq_updater_pid = sys_fork();
if (background_lpq_updater_pid == -1) {
diff --git a/source/smbd/dnsregister.c b/source/smbd/dnsregister.c
index f02739e..3c689b9 100644
--- a/source/smbd/dnsregister.c
+++ b/source/smbd/dnsregister.c
@@ -125,6 +125,9 @@ void dns_register_smbd(struct dns_reg_state **
dns_state_ptr,
*/
if (dns_state->srv_ref != NULL) {
mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);
+ if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) {
+ return;
+ }
FD_SET(mdnsd_conn_fd, listen_set);
return;
}
@@ -156,6 +159,9 @@ void dns_register_smbd(struct dns_reg_state **
dns_state_ptr,
}
mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);
+ if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) {
+ return;
+ }
FD_SET(mdnsd_conn_fd, listen_set);
*maxfd = MAX(*maxfd, mdnsd_conn_fd);
*timeout = timeval_zero();
diff --git a/source/smbd/oplock.c b/source/smbd/oplock.c
index a07d05d..5ae3fdf 100644
--- a/source/smbd/oplock.c
+++ b/source/smbd/oplock.c
@@ -241,7 +241,10 @@ bool downgrade_oplock(files_struct *fsp)
int oplock_notify_fd(void)
{
if (koplocks) {
- return koplocks->notification_fd;
+ int fd = koplocks->notification_fd;
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ return -1;
+ }
}
return -1;
diff --git a/source/smbd/oplock_irix.c b/source/smbd/oplock_irix.c
index 8c287c9..6e86fac 100644
--- a/source/smbd/oplock_irix.c
+++ b/source/smbd/oplock_irix.c
@@ -284,6 +284,11 @@ struct kernel_oplocks *irix_init_kernel_oplocks(void)
return False;
}
+ if (pfd[0] < 0 || pfd[0] >= FD_SETSIZE) {
+ DEBUG(0,("setup_kernel_oplock_pipe: fd out of range.\n"));
+ return False;
+ }
+
oplock_pipe_read = pfd[0];
oplock_pipe_write = pfd[1];
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 403c7c6..9b8f29b 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -698,7 +698,7 @@ static void async_processing(fd_set *pfds)
static int select_on_fd(int fd, int maxfd, fd_set *fds)
{
- if (fd != -1) {
+ if (fd != -1 && fd < FD_SETSIZE) {
FD_SET(fd, fds);
maxfd = MAX(maxfd, fd);
}
diff --git a/source/smbd/server.c b/source/smbd/server.c
index 5129484..a670334 100644
--- a/source/smbd/server.c
+++ b/source/smbd/server.c
@@ -209,7 +209,13 @@ static bool open_sockets_inetd(void)
/* Started from inetd. fd 0 is the socket. */
/* We will abort gracefully when the client or remote system
goes away */
- smbd_set_server_fd(dup(0));
+ int fd = dup(0);
+
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ return false;
+ }
+
+ smbd_set_server_fd(fd);
--
Samba Shared Repository
