[SCM] Samba Shared Repository - branch v3-4-test updated

Karolin Seeger kseeger at samba.org
Mon Feb 28 06:56:09 MST 2011


The branch, v3-4-test has been updated
       via  22b100f WHATSNEW: Start 3.4.13 release notes.
       via  9c04872 VERSION: Bump version number up to 3.4.13.
       via  4cb0ee4 WHATSNEW: Fix typo.
       via  0fdfde3 VERSION: Bump version number up to 3.4.12.
       via  896bfa2 WHATSNEW: Prepare 3.4.12 release notes.
       via  feb3fcd Fix denial of service - memory corruption.
      from  dff57d7 WHATSNEW: Fix typo.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test


- Log -----------------------------------------------------------------
commit 22b100f3ed9dcc7bb4c1ba142e17a936d54159fa
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Feb 28 14:51:37 2011 +0100

    WHATSNEW: Start 3.4.13 release notes.
    
    Karolin
    (cherry picked from commit c32b64f22e0ed14d686cb88554e618f2d63acebe)

commit 9c04872a97da6f510f9c26e01ecd0bf5bf328074
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Feb 28 14:49:44 2011 +0100

    VERSION: Bump version number up to 3.4.13.
    
    Karolin
    (cherry picked from commit 7afb216d1d25c1269dcf63f845bebde9a989caa2)

commit 4cb0ee4840f1ccb1d8389fce9e083e0d73d8ad0f
Author: Karolin Seeger <kseeger at samba.org>
Date:   Sun Feb 27 18:44:10 2011 +0100

    WHATSNEW: Fix typo.
    
    Karolin
    (cherry picked from commit 2aa648e4e9c530a4c9e8d1389fa16e775ac91e54)

commit 0fdfde3b3adc0eea4e2f573cc01cb0fb151a473c
Author: Karolin Seeger <kseeger at samba.org>
Date:   Sun Feb 27 18:21:38 2011 +0100

    VERSION: Bump version number up to 3.4.12.
    
    Karolin
    (cherry picked from commit 8da98df066bcfc8a47a83615788a55206075ad2b)

commit 896bfa207c6e3a23ab879a4f47732363edeff1d7
Author: Karolin Seeger <kseeger at samba.org>
Date:   Sun Feb 27 18:20:42 2011 +0100

    WHATSNEW: Prepare 3.4.12 release notes.
    
    Karolin
    (cherry picked from commit da478595190a4a6634b6fc1654fcac58c73e66de)

commit feb3fcd0fa4bda0967b881315595d7702f4d1752
Author: Jeremy Allison <jra at samba.org>
Date:   Sun Feb 27 18:16:20 2011 +0100

    Fix denial of service - memory corruption.
    
    CVE-2011-0719
    
    Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
    
    All current released versions of Samba are vulnerable to
    a denial of service caused by memory corruption. Range
    checks on file descriptors being used in the FD_SET macro
    were not present allowing stack corruption. This can cause
    the Samba code to crash or to loop attempting to select
    on a bad file descriptor set.
    
    A connection to a file share, or a local account is needed
    to exploit this problem, either authenticated or unauthenticated
    (guest connection).
    
    Currently we do not believe this flaw is exploitable
    beyond a crash or causing the code to loop, but on the
    advice of our security reviewers we are releasing fixes
    in case an exploit is discovered at a later date.
    (cherry picked from commit 43babef991feedbe2acb77d27254d302ab107fa8)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                     |   95 +++++++++++++++++++++++++++++++++++++-
 lib/tevent/tevent_select.c       |   10 ++++
 lib/tevent/tevent_standard.c     |    5 ++
 nsswitch/wb_common.c             |   17 +++++++
 source3/VERSION                  |    2 +-
 source3/client/client.c          |    4 +-
 source3/client/dnsbrowse.c       |   11 ++++
 source3/lib/events.c             |    8 +++
 source3/lib/packet.c             |    5 ++
 source3/lib/readline.c           |    5 ++
 source3/lib/select.c             |   12 +++++
 source3/lib/util_sock.c          |   11 ++++-
 source3/lib/wbclient.c           |    9 +++-
 source3/libaddns/dnssock.c       |    5 ++
 source3/libads/cldap.c           |    5 ++
 source3/libsmb/nmblib.c          |    5 ++
 source3/nmbd/nmbd_packets.c      |   24 +++++++++-
 source3/utils/smbfilter.c        |    8 ++-
 source3/winbindd/winbindd.c      |    6 ++
 source3/winbindd/winbindd_dual.c |    7 +++
 20 files changed, 243 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 74a3d36..1ae912a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,95 @@
                    ==============================
+                   Release Notes for Samba 3.4.13
+			 , 2011
+                   ==============================
+
+
+This is the latest stable release of Samba 3.4.
+
+
+o  
+
+
+Changes since 3.4.12
+--------------------
+
+
+o   Jeremy Allison <jra at samba.org>
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older versions follow:
+----------------------------------------
+
+                   ==============================
+                   Release Notes for Samba 3.4.12
+			 February 28, 2011
+                   ==============================
+
+
+This is a security release in order to address CVE-2011-0719.
+
+
+o  CVE-2011-0719:
+   All current released versions of Samba are vulnerable to
+   a denial of service caused by memory corruption. Range
+   checks on file descriptors being used in the FD_SET macro
+   were not present allowing stack corruption. This can cause
+   the Samba code to crash or to loop attempting to select
+   on a bad file descriptor set.
+
+
+Changes since 3.4.11
+--------------------
+
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 7949: Fix DoS in Winbind and smbd with many file descriptors open.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+                   ==============================
                    Release Notes for Samba 3.4.11
 			  January 23 2011
                    ==============================
@@ -37,8 +128,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older versions follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 3.4.10
diff --git a/lib/tevent/tevent_select.c b/lib/tevent/tevent_select.c
index d974189..890e031 100644
--- a/lib/tevent/tevent_select.c
+++ b/lib/tevent/tevent_select.c
@@ -111,6 +111,11 @@ static struct tevent_fd *select_event_add_fd(struct tevent_context *ev, TALLOC_C
 							   struct select_event_context);
 	struct tevent_fd *fde;
 
+	if (fd < 0 || fd >= FD_SETSIZE) {
+		errno = EBADF;
+		return NULL;
+	}
+
 	fde = tevent_common_add_fd(ev, mem_ctx, fd, flags,
 				   handler, private_data,
 				   handler_name, location);
@@ -143,6 +148,11 @@ static int select_event_loop_select(struct select_event_context *select_ev, stru
 
 	/* setup any fd events */
 	for (fde = select_ev->ev->fd_events; fde; fde = fde->next) {
+		if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+			errno = EBADF;
+			return -1;
+		}
+
 		if (fde->flags & TEVENT_FD_READ) {
 			FD_SET(fde->fd, &r_fds);
 		}
diff --git a/lib/tevent/tevent_standard.c b/lib/tevent/tevent_standard.c
index c3f8b36..d4a00cc 100644
--- a/lib/tevent/tevent_standard.c
+++ b/lib/tevent/tevent_standard.c
@@ -457,6 +457,11 @@ static int std_event_loop_select(struct std_event_context *std_ev, struct timeva
 
 	/* setup any fd events */
 	for (fde = std_ev->ev->fd_events; fde; fde = fde->next) {
+		if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+			std_ev->exit_code = EBADF;
+			return -1;
+		}
+
 		if (fde->flags & TEVENT_FD_READ) {
 			FD_SET(fde->fd, &r_fds);
 		}
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
index d0dfcb8..75ce585 100644
--- a/nsswitch/wb_common.c
+++ b/nsswitch/wb_common.c
@@ -240,6 +240,12 @@ static int winbind_named_pipe_sock(const char *dir)
 
 		switch (errno) {
 			case EINPROGRESS:
+
+				if (fd < 0 || fd >= FD_SETSIZE) {
+					errno = EBADF;
+					goto error_out;
+				}
+
 				FD_ZERO(&w_fds);
 				FD_SET(fd, &w_fds);
 				tv.tv_sec = CONNECT_TIMEOUT - wait_time;
@@ -384,6 +390,12 @@ int winbind_write_sock(void *buffer, int count, int recursing, int need_priv)
 		struct timeval tv;
 		fd_set r_fds;
 
+		if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
+			errno = EBADF;
+			winbind_close_sock();
+			return -1;
+		}
+
 		/* Catch pipe close on other end by checking if a read()
 		   call would not block by calling select(). */
 
@@ -444,6 +456,11 @@ int winbind_read_sock(void *buffer, int count)
 		struct timeval tv;
 		fd_set r_fds;
 
+		if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
+			errno = EBADF;
+			winbind_close_sock();
+			return -1;
+		}
 		/* Catch pipe close on other end by checking if a read()
 		   call would not block by calling select(). */
 
diff --git a/source3/VERSION b/source3/VERSION
index 5978c99..78aeb38 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=11
+SAMBA_VERSION_RELEASE=13
 
 ########################################################
 # Bug fix releases use a letter for the patch revision #
diff --git a/source3/client/client.c b/source3/client/client.c
index b706591..1e5e8e1 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -4384,8 +4384,10 @@ static void readline_callback(void)
 
  again:
 
-	if (cli->fd == -1)
+	if (cli->fd < 0 || cli->fd >= FD_SETSIZE) {
+		errno = EBADF;
 		return;
+	}
 
 	FD_ZERO(&fds);
 	FD_SET(cli->fd,&fds);
diff --git a/source3/client/dnsbrowse.c b/source3/client/dnsbrowse.c
index 5e3a4de..a6b9360 100644
--- a/source3/client/dnsbrowse.c
+++ b/source3/client/dnsbrowse.c
@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result *browsesrv)
 			TALLOC_FREE(fdset);
 		}
 
+		if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+			errno = EBADF;
+			break;
+		}
+
 		fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
 		fdset = TALLOC_ZERO(ctx, fdsetsz);
 		FD_SET(mdnsfd, fdset);
@@ -181,6 +186,12 @@ int do_smb_browse(void)
 			TALLOC_FREE(fdset);
 		}
 
+		if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+			errno = EBADF;
+			TALLOC_FREE(ctx);
+			return 1;
+		}
+
 		fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
 		fdset = TALLOC_ZERO(ctx, fdsetsz);
 		FD_SET(mdnsfd, fdset);
diff --git a/source3/lib/events.c b/source3/lib/events.c
index 90d86c6..3c83f81 100644
--- a/source3/lib/events.c
+++ b/source3/lib/events.c
@@ -55,6 +55,14 @@ bool event_add_to_select_args(struct tevent_context *ev,
 	bool ret = false;
 
 	for (fde = ev->fd_events; fde; fde = fde->next) {
+		if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+			/* We ignore here, as it shouldn't be
+			   possible to add an invalid fde->fd
+			   but we don't want FD_SET to see an
+			   invalid fd. */
+			continue;
+		}
+
 		if (fde->flags & EVENT_FD_READ) {
 			FD_SET(fde->fd, read_fds);
 			ret = true;
diff --git a/source3/lib/packet.c b/source3/lib/packet.c
index ef28bf9..c14d1e5 100644
--- a/source3/lib/packet.c
+++ b/source3/lib/packet.c
@@ -106,6 +106,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx)
 	int res;
 	fd_set r_fds;
 
+	if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) {
+		errno = EBADF;
+		return map_nt_error_from_unix(errno);
+	}
+
 	FD_ZERO(&r_fds);
 	FD_SET(ctx->fd, &r_fds);
 
diff --git a/source3/lib/readline.c b/source3/lib/readline.c
index 34867aa..70a82f2 100644
--- a/source3/lib/readline.c
+++ b/source3/lib/readline.c
@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void)
 		timeout.tv_sec = 5;
 		timeout.tv_usec = 0;
 
+		if (fd < 0 || fd >= FD_SETSIZE) {
+			errno = EBADF;
+			break;
+		}
+
 		FD_ZERO(&fds);
 		FD_SET(fd,&fds);
 
diff --git a/source3/lib/select.c b/source3/lib/select.c
index b5443ff..2230b43 100644
--- a/source3/lib/select.c
+++ b/source3/lib/select.c
@@ -75,6 +75,17 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
 			return -1;
 		}
 
+		if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) {
+			DEBUG(0, ("sys_select: bad fd\n"));
+			if (readfds != NULL)
+				FD_ZERO(readfds);
+			if (writefds != NULL)
+				FD_ZERO(writefds);
+			if (errorfds != NULL)
+				FD_ZERO(errorfds);
+			errno = EBADF;
+			return -1;
+		}
 		/*
 		 * These next two lines seem to fix a bug with the Linux
 		 * 2.0.x kernel (and probably other UNIXes as well) where
@@ -101,6 +112,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
 		readfds2 = &readfds_buf;
 		FD_ZERO(readfds2);
 	}
+
 	FD_SET(select_pipe[0], readfds2);
 
 	errno = 0;
diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c
index da79aca..238daf4 100644
--- a/source3/lib/util_sock.c
+++ b/source3/lib/util_sock.c
@@ -560,6 +560,11 @@ NTSTATUS read_fd_with_timeout(int fd, char *buf,
 	timeout.tv_usec = (long)(1000 * (time_out % 1000));
 
 	for (nread=0; nread < mincnt; ) {
+		if (fd < 0 || fd >= FD_SETSIZE) {
+			errno = EBADF;
+			return map_nt_error_from_unix(EBADF);
+		}
+
 		FD_ZERO(&fds);
 		FD_SET(fd,&fds);
 
@@ -1294,7 +1299,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
 
 	for (i=0; i<num_addrs; i++) {
 		sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
-		if (sockets[i] < 0)
+		if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE)
 			goto done;
 		set_blocking(sockets[i], false);
 	}
@@ -1343,8 +1348,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
 	FD_ZERO(&r_fds);
 
 	for (i=0; i<num_addrs; i++) {
-		if (sockets[i] == -1)
+		if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
+			/* This cannot happen - ignore if so. */
 			continue;
+		}
 		FD_SET(sockets[i], &wr_fds);
 		FD_SET(sockets[i], &r_fds);
 		if (sockets[i]>maxfd)
diff --git a/source3/lib/wbclient.c b/source3/lib/wbclient.c
index 3cf992c..9cb250d 100644
--- a/source3/lib/wbclient.c
+++ b/source3/lib/wbclient.c
@@ -120,7 +120,7 @@ static bool winbind_closed_fd(int fd)
 	struct timeval tv;
 	fd_set r_fds;
 
-	if (fd == -1) {
+	if (fd == -1 || fd >= FD_SETSIZE) {
 		return true;
 	}
 
@@ -222,6 +222,13 @@ static struct tevent_req *wb_connect_send(TALLOC_CTX *mem_ctx,
 		wbc_err = map_wbc_err_from_errno(errno);
 		goto post_status;
 	}
+	if (wb_ctx->fd >= FD_SETSIZE) {
+		close(wb_ctx->fd);
+		wb_ctx->fd = -1;
+		errno = EBADF;
+		wbc_err = map_wbc_err_from_errno(errno);
+		goto post_status;
+	}
 
 	subreq = async_connect_send(mem_ctx, ev, wb_ctx->fd,
 				    (struct sockaddr *)&sunaddr,
diff --git a/source3/libaddns/dnssock.c b/source3/libaddns/dnssock.c
index 7c8bd41..bf11fea 100644
--- a/source3/libaddns/dnssock.c
+++ b/source3/libaddns/dnssock.c
@@ -219,6 +219,11 @@ static DNS_ERROR read_all(int fd, uint8 *data, size_t len)
 		ssize_t ret;
 		int fd_ready;
 		
+		if (fd < 0 || fd >= FD_SETSIZE) {
+			/* read timeout */
+			return ERROR_DNS_SOCKET_ERROR;
+		}
+
 		FD_ZERO( &rfds );
 		FD_SET( fd, &rfds );
 
diff --git a/source3/libads/cldap.c b/source3/libads/cldap.c
index ae087d9..ac4e2cb 100644
--- a/source3/libads/cldap.c
+++ b/source3/libads/cldap.c
@@ -134,6 +134,11 @@ static int recv_cldap_netlogon(TALLOC_CTX *mem_ctx,
 		return -1;
 	}
 
+	if (sock < 0 || sock >= FD_SETSIZE) {
+		errno = EBADF;
+		return -1;
+	}
+
 	FD_ZERO(&r_fds);
 	FD_SET(sock, &r_fds);
 
diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
index 1206d9d..8230c5a 100644
--- a/source3/libsmb/nmblib.c
+++ b/source3/libsmb/nmblib.c
@@ -1089,6 +1089,11 @@ struct packet_struct *receive_packet(int fd,enum packet_type type,int t)
 	struct timeval timeout;
 	int ret;
 
+	if (fd < 0 || fd >= FD_SETSIZE) {
+		errno = EBADF;
+		return NULL;
+	}
+
 	FD_ZERO(&fds);
 	FD_SET(fd,&fds);
 	timeout.tv_sec = t/1000;
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index f69845b..1c570ea 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -1683,7 +1683,7 @@ static bool create_listen_fdset(fd_set **ppset, int **psock_array, int *listen_n
 	for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec))
 		count++;
 
-	if((count*2) + 2 > FD_SETSIZE) {
+	if((count*2) + 2 >= FD_SETSIZE) {
 		DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \
 only use %d.\n", (count*2) + 2, FD_SETSIZE));
 		SAFE_FREE(pset);
@@ -1699,24 +1699,44 @@ only use %d.\n", (count*2) + 2, FD_SETSIZE));
 	FD_ZERO(pset);
 
 	/* Add in the broadcast socket on 137. */
+	if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) {
+		errno = EBADF;
+		SAFE_FREE(pset);
+		return True;
+	}
+
 	FD_SET(ClientNMB,pset);
 	sock_array[num++] = ClientNMB;
 	*maxfd = MAX( *maxfd, ClientNMB);
 
 	/* Add in the 137 sockets on all the interfaces. */
 	for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
+		if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) {
+			/* We have to ignore sockets outside FD_SETSIZE. */
+			continue;
+		}
 		FD_SET(subrec->nmb_sock,pset);
 		sock_array[num++] = subrec->nmb_sock;
 		*maxfd = MAX( *maxfd, subrec->nmb_sock);
 	}
 
 	/* Add in the broadcast socket on 138. */
+	if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) {
+		errno = EBADF;
+		SAFE_FREE(pset);
+		return True;
+	}
+
 	FD_SET(ClientDGRAM,pset);
 	sock_array[num++] = ClientDGRAM;
 	*maxfd = MAX( *maxfd, ClientDGRAM);
 
 	/* Add in the 138 sockets on all the interfaces. */
 	for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
+		if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE) {


-- 
Samba Shared Repository


More information about the samba-cvs mailing list