The branch, v3-5-test has been updated
via e20d2b7 WHATSNEW: Start release notes for 3.5.8.
via b557702 VERSION: Bump version number up to 3.5.8.
via 0db8582 WHATSNEW: Prepare 3.5.7 release notes.
via b9c9874 Fix denial of service - memory corruption.
from a5b388f s3-winbindd: let winbind try to use samlogon validation
level 6. (bug #7945)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test
- Log -----------------------------------------------------------------
commit e20d2b70cc28cf0fb6978eb4c4b208470993b51b
Author: Karolin Seeger <[email protected]>
Date: Mon Feb 28 14:46:28 2011 +0100
WHATSNEW: Start release notes for 3.5.8.
Karolin
(cherry picked from commit 6964fc50a01d53dd4ad05895213fbb66f66898f4)
commit b557702d70ab3ef1273d7ea41da3eaff95206e5b
Author: Karolin Seeger <[email protected]>
Date: Mon Feb 28 14:44:31 2011 +0100
VERSION: Bump version number up to 3.5.8.
Karolin
(cherry picked from commit 1faa7a838e91d894026e009f463cb9e629a86a60)
commit 0db85822dfe0cea16574bfac96b85c62a3387924
Author: Karolin Seeger <[email protected]>
Date: Sun Feb 27 18:42:19 2011 +0100
WHATSNEW: Prepare 3.5.7 release notes.
Karolin
(cherry picked from commit ba3837e1ce6024e8cc5153e803d32a6ed750408b)
commit b9c9874cdddfde5726c985b2154adee47597f77f
Author: Jeremy Allison <[email protected]>
Date: Sun Feb 27 17:58:06 2011 +0100
Fix denial of service - memory corruption.
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
(cherry picked from commit c3ad6eb506623435d3d9ce62d6f34ed1c960d4be)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 61 ++++++++++++++++++++++++++++++++++----
lib/tevent/tevent_select.c | 10 ++++++
lib/tevent/tevent_standard.c | 5 +++
nsswitch/libwbclient/wbc_async.c | 2 +-
nsswitch/wb_common.c | 14 +++++++++
source3/VERSION | 2 +-
source3/client/client.c | 4 ++-
source3/client/dnsbrowse.c | 11 +++++++
source3/lib/events.c | 8 +++++
source3/lib/g_lock.c | 4 ++-
source3/lib/packet.c | 5 +++
source3/lib/readline.c | 5 +++
source3/lib/select.c | 12 +++++++
source3/lib/util_sock.c | 15 +++++++--
source3/libaddns/dnssock.c | 5 +++
source3/libsmb/nmblib.c | 5 +++
source3/nmbd/nmbd_packets.c | 37 +++++++++++++++++++----
source3/utils/smbfilter.c | 7 +++-
source3/winbindd/winbindd_dual.c | 7 ++++
19 files changed, 198 insertions(+), 21 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a9edeb1..70b1c24 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,17 +1,17 @@
=============================
- Release Notes for Samba 3.5.7
- , 2010
+ Release Notes for Samba 3.5.8
+ March 7, 2011
=============================
This is the latest stable release of Samba 3.5.
-Major enhancements in Samba 3.5.7 include:
- o
+o
-Changes since 3.5.5
--------------------
+
+Changes since 3.5.7:
+--------------------
o Jeremy Allison <[email protected]>
@@ -41,6 +41,55 @@ Release notes for older releases follow:
----------------------------------------
=============================
+ Release Notes for Samba 3.5.7
+ February 28, 2011
+ =============================
+
+
+This is a security release in order to address CVE-2011-0719.
+
+
+o CVE-2011-0719:
+ All current released versions of Samba are vulnerable to
+ a denial of service caused by memory corruption. Range
+ checks on file descriptors being used in the FD_SET macro
+ were not present allowing stack corruption. This can cause
+ the Samba code to crash or to loop attempting to select
+ on a bad file descriptor set.
+
+
+Changes since 3.5.6:
+--------------------
+
+
+o Jeremy Allison <[email protected]>
+ * BUG 7949: Fix DoS in Winbind and smbd with many file descriptors open.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.5 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ =============================
Release Notes for Samba 3.5.6
October 8, 2010
=============================
diff --git a/lib/tevent/tevent_select.c b/lib/tevent/tevent_select.c
index d974189..890e031 100644
--- a/lib/tevent/tevent_select.c
+++ b/lib/tevent/tevent_select.c
@@ -111,6 +111,11 @@ static struct tevent_fd *select_event_add_fd(struct
tevent_context *ev, TALLOC_C
struct
select_event_context);
struct tevent_fd *fde;
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return NULL;
+ }
+
fde = tevent_common_add_fd(ev, mem_ctx, fd, flags,
handler, private_data,
handler_name, location);
@@ -143,6 +148,11 @@ static int select_event_loop_select(struct
select_event_context *select_ev, stru
/* setup any fd events */
for (fde = select_ev->ev->fd_events; fde; fde = fde->next) {
+ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return -1;
+ }
+
if (fde->flags & TEVENT_FD_READ) {
FD_SET(fde->fd, &r_fds);
}
diff --git a/lib/tevent/tevent_standard.c b/lib/tevent/tevent_standard.c
index c3f8b36..d4a00cc 100644
--- a/lib/tevent/tevent_standard.c
+++ b/lib/tevent/tevent_standard.c
@@ -457,6 +457,11 @@ static int std_event_loop_select(struct std_event_context
*std_ev, struct timeva
/* setup any fd events */
for (fde = std_ev->ev->fd_events; fde; fde = fde->next) {
+ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+ std_ev->exit_code = EBADF;
+ return -1;
+ }
+
if (fde->flags & TEVENT_FD_READ) {
FD_SET(fde->fd, &r_fds);
}
diff --git a/nsswitch/libwbclient/wbc_async.c b/nsswitch/libwbclient/wbc_async.c
index 181d546..bb95b91 100644
--- a/nsswitch/libwbclient/wbc_async.c
+++ b/nsswitch/libwbclient/wbc_async.c
@@ -509,7 +509,7 @@ static bool closed_fd(int fd)
fd_set r_fds;
int selret;
- if (fd == -1) {
+ if (fd < 0 || fd >= FD_SETSIZE) {
return true;
}
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
index b7fafc3..def41d5 100644
--- a/nsswitch/wb_common.c
+++ b/nsswitch/wb_common.c
@@ -244,6 +244,10 @@ static int winbind_named_pipe_sock(const char *dir)
switch (errno) {
case EINPROGRESS:
FD_ZERO(&w_fds);
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ goto error_out;
+ }
FD_SET(fd, &w_fds);
tv.tv_sec = CONNECT_TIMEOUT - wait_time;
tv.tv_usec = 0;
@@ -391,6 +395,11 @@ int winbind_write_sock(void *buffer, int count, int
recursing, int need_priv)
call would not block by calling select(). */
FD_ZERO(&r_fds);
+ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
+ errno = EBADF;
+ winbind_close_sock();
+ return -1;
+ }
FD_SET(winbindd_fd, &r_fds);
ZERO_STRUCT(tv);
@@ -451,6 +460,11 @@ int winbind_read_sock(void *buffer, int count)
call would not block by calling select(). */
FD_ZERO(&r_fds);
+ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
+ errno = EBADF;
+ winbind_close_sock();
+ return -1;
+ }
FD_SET(winbindd_fd, &r_fds);
ZERO_STRUCT(tv);
/* Wait for 5 seconds for a reply. May need to parameterise
this... */
diff --git a/source3/VERSION b/source3/VERSION
index 7a0f588..86cb33a 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
########################################################
# Bug fix releases use a letter for the patch revision #
diff --git a/source3/client/client.c b/source3/client/client.c
index 6d39977..e1952b5 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -4420,8 +4420,10 @@ static void readline_callback(void)
again:
- if (cli->fd == -1)
+ if (cli->fd < 0 || cli->fd >= FD_SETSIZE) {
+ errno = EBADF;
return;
+ }
FD_ZERO(&fds);
FD_SET(cli->fd,&fds);
diff --git a/source3/client/dnsbrowse.c b/source3/client/dnsbrowse.c
index 5e3a4de..a6b9360 100644
--- a/source3/client/dnsbrowse.c
+++ b/source3/client/dnsbrowse.c
@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result
*browsesrv)
TALLOC_FREE(fdset);
}
+ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+ errno = EBADF;
+ break;
+ }
+
fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
fdset = TALLOC_ZERO(ctx, fdsetsz);
FD_SET(mdnsfd, fdset);
@@ -181,6 +186,12 @@ int do_smb_browse(void)
TALLOC_FREE(fdset);
}
+ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+ errno = EBADF;
+ TALLOC_FREE(ctx);
+ return 1;
+ }
+
fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
fdset = TALLOC_ZERO(ctx, fdsetsz);
FD_SET(mdnsfd, fdset);
diff --git a/source3/lib/events.c b/source3/lib/events.c
index c529038..01ea017 100644
--- a/source3/lib/events.c
+++ b/source3/lib/events.c
@@ -55,6 +55,14 @@ bool event_add_to_select_args(struct tevent_context *ev,
bool ret = false;
for (fde = ev->fd_events; fde; fde = fde->next) {
+ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+ /* We ignore here, as it shouldn't be
+ possible to add an invalid fde->fd
+ but we don't want FD_SET to see an
+ invalid fd. */
+ continue;
+ }
+
if (fde->flags & EVENT_FD_READ) {
FD_SET(fde->fd, read_fds);
ret = true;
diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
index 1726047..356c104 100644
--- a/source3/lib/g_lock.c
+++ b/source3/lib/g_lock.c
@@ -391,7 +391,9 @@ NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, const char
*name,
r_fds = &_r_fds;
FD_ZERO(r_fds);
max_fd = ctdbd_conn_get_fd(conn);
- FD_SET(max_fd, r_fds);
+ if (max_fd >= 0 && max_fd < FD_SETSIZE) {
+ FD_SET(max_fd, r_fds);
+ }
}
#endif
diff --git a/source3/lib/packet.c b/source3/lib/packet.c
index c131b97..8d815c9 100644
--- a/source3/lib/packet.c
+++ b/source3/lib/packet.c
@@ -107,6 +107,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx,
int res;
fd_set r_fds;
+ if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return map_nt_error_from_unix(errno);
+ }
+
FD_ZERO(&r_fds);
FD_SET(ctx->fd, &r_fds);
diff --git a/source3/lib/readline.c b/source3/lib/readline.c
index 34867aa..70a82f2 100644
--- a/source3/lib/readline.c
+++ b/source3/lib/readline.c
@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt,
void (*callback)(void)
timeout.tv_sec = 5;
timeout.tv_usec = 0;
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ break;
+ }
+
FD_ZERO(&fds);
FD_SET(fd,&fds);
diff --git a/source3/lib/select.c b/source3/lib/select.c
index b5443ff..2230b43 100644
--- a/source3/lib/select.c
+++ b/source3/lib/select.c
@@ -75,6 +75,17 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds,
fd_set *errorfds, s
return -1;
}
+ if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) {
+ DEBUG(0, ("sys_select: bad fd\n"));
+ if (readfds != NULL)
+ FD_ZERO(readfds);
+ if (writefds != NULL)
+ FD_ZERO(writefds);
+ if (errorfds != NULL)
+ FD_ZERO(errorfds);
+ errno = EBADF;
+ return -1;
+ }
/*
* These next two lines seem to fix a bug with the Linux
* 2.0.x kernel (and probably other UNIXes as well) where
@@ -101,6 +112,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set
*writefds, fd_set *errorfds, s
readfds2 = &readfds_buf;
FD_ZERO(readfds2);
}
+
FD_SET(select_pipe[0], readfds2);
errno = 0;
diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c
index 08cbced..7a573ad 100644
--- a/source3/lib/util_sock.c
+++ b/source3/lib/util_sock.c
@@ -495,6 +495,11 @@ NTSTATUS read_fd_with_timeout(int fd, char *buf,
timeout.tv_usec = (long)(1000 * (time_out % 1000));
for (nread=0; nread < mincnt; ) {
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return map_nt_error_from_unix(EBADF);
+ }
+
FD_ZERO(&fds);
FD_SET(fd,&fds);
@@ -1235,7 +1240,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs,
int num_addrs,
for (i=0; i<num_addrs; i++) {
sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
- if (sockets[i] < 0)
+ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE)
goto done;
set_blocking(sockets[i], false);
}
@@ -1284,8 +1289,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs,
int num_addrs,
FD_ZERO(&r_fds);
for (i=0; i<num_addrs; i++) {
- if (sockets[i] == -1)
+ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
+ /* This cannot happen - ignore if so. */
continue;
+ }
FD_SET(sockets[i], &wr_fds);
FD_SET(sockets[i], &r_fds);
if (sockets[i]>maxfd)
@@ -1305,8 +1312,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs,
int num_addrs,
for (i=0; i<num_addrs; i++) {
- if (sockets[i] == -1)
+ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
+ /* This cannot happen - ignore if so. */
continue;
+ }
/* Stevens, Network Programming says that if there's a
* successful connect, the socket is only writable. Upon an
diff --git a/source3/libaddns/dnssock.c b/source3/libaddns/dnssock.c
index 7c8bd41..bf11fea 100644
--- a/source3/libaddns/dnssock.c
+++ b/source3/libaddns/dnssock.c
@@ -219,6 +219,11 @@ static DNS_ERROR read_all(int fd, uint8 *data, size_t len)
ssize_t ret;
int fd_ready;
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ /* read timeout */
+ return ERROR_DNS_SOCKET_ERROR;
+ }
+
FD_ZERO( &rfds );
FD_SET( fd, &rfds );
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index 267a49f..c47f827 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -1094,6 +1094,11 @@ struct packet_struct *receive_packet(int fd,enum
packet_type type,int t)
struct timeval timeout;
int ret;
+ if (fd < 0 || fd >= FD_SETSIZE) {
+ errno = EBADF;
+ return NULL;
+ }
+
FD_ZERO(&fds);
FD_SET(fd,&fds);
timeout.tv_sec = t/1000;
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index a753b28..0eafb2c 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -1696,7 +1696,7 @@ static bool create_listen_fdset(fd_set **ppset, int
**psock_array, int *listen_n
/* each interface gets 4 sockets */
count *= 4;
- if(count > FD_SETSIZE) {
+ if(count >= FD_SETSIZE) {
DEBUG(0,("create_listen_fdset: Too many file descriptors needed
(%d). We can \
only use %d.\n", count, FD_SETSIZE));
SAFE_FREE(pset);
@@ -1712,6 +1712,12 @@ only use %d.\n", count, FD_SETSIZE));
FD_ZERO(pset);
/* Add in the lp_socket_address() interface on 137. */
+ if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) {
+ errno = EBADF;
+ SAFE_FREE(pset);
+ return True;
+ }
+
FD_SET(ClientNMB,pset);
sock_array[num++] = ClientNMB;
*maxfd = MAX( *maxfd, ClientNMB);
@@ -1721,18 +1727,29 @@ only use %d.\n", count, FD_SETSIZE));
/* Add in the 137 sockets on all the interfaces. */
for (subrec = FIRST_SUBNET; subrec; subrec =
NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
+ if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) {
+ /* We have to ignore sockets outside FD_SETSIZE. */
+ continue;
+ }
FD_SET(subrec->nmb_sock,pset);
sock_array[num++] = subrec->nmb_sock;
*maxfd = MAX( *maxfd, subrec->nmb_sock);
- sock_array[num++] = subrec->nmb_bcast;
- if (subrec->nmb_bcast != -1) {
- FD_SET(subrec->nmb_bcast,pset);
- *maxfd = MAX( *maxfd, subrec->nmb_bcast);
+ if (subrec->nmb_bcast < 0 || subrec->nmb_bcast >= FD_SETSIZE) {
+ /* We have to ignore sockets outside FD_SETSIZE. */
+ continue;
}
+ sock_array[num++] = subrec->nmb_bcast;
+ FD_SET(subrec->nmb_bcast,pset);
+ *maxfd = MAX( *maxfd, subrec->nmb_bcast);
}
/* Add in the lp_socket_address() interface on 138. */
+ if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) {
+ errno = EBADF;
+ SAFE_FREE(pset);
+ return True;
+ }
FD_SET(ClientDGRAM,pset);
sock_array[num++] = ClientDGRAM;
*maxfd = MAX( *maxfd, ClientDGRAM);
@@ -1742,10 +1759,18 @@ only use %d.\n", count, FD_SETSIZE));
/* Add in the 138 sockets on all the interfaces. */
for (subrec = FIRST_SUBNET; subrec; subrec =
NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
+ if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE)
{
+ /* We have to ignore sockets outside FD_SETSIZE. */
+ continue;
+ }
FD_SET(subrec->dgram_sock,pset);
sock_array[num++] = subrec->dgram_sock;
*maxfd = MAX( *maxfd, subrec->dgram_sock);
+ if (subrec->dgram_bcast < 0 || subrec->dgram_bcast >=
FD_SETSIZE) {
+ /* We have to ignore sockets outside FD_SETSIZE. */
+ continue;
+ }
sock_array[num++] = subrec->dgram_bcast;
if (subrec->dgram_bcast != -1) {
FD_SET(subrec->dgram_bcast,pset);
@@ -1876,7 +1901,7 @@ bool listen_for_packets(bool run_election)
#ifndef SYNC_DNS
dns_fd = asyncdns_fd();
- if (dns_fd != -1) {
+ if (dns_fd >= 0 && dns_fd < FD_SETSIZE) {
--
Samba Shared Repository
