Changeset 593

Timestamp:

Jul 1, 2011, 10:18:23 AM (14 years ago)

Author:

Herwig Bauernfeind

Message:

Samba 3.5: Update trunk to 3.5.7

Location:

trunk/server

Files:

• WHATSNEW.txt (modified) (2 diffs)
• lib/tevent/tevent_select.c (modified) (2 diffs)
• lib/tevent/tevent_standard.c (modified) (1 diff)
• nsswitch/libwbclient/wbc_async.c (modified) (1 diff)
• nsswitch/wb_common.c (modified) (3 diffs)
• packaging/RHEL-CTDB/samba.spec (modified) (1 diff)
• packaging/RHEL/makerpms.sh (modified) (1 diff)
• packaging/RHEL/samba.spec (modified) (1 diff)
• source3/VERSION (modified) (1 diff)
• source3/build.options (modified) (1 diff)
• source3/client/client.c (modified) (1 diff)
• source3/client/dnsbrowse.c (modified) (2 diffs)
• source3/lib/events.c (modified) (1 diff)
• source3/lib/g_lock.c (modified) (1 diff)
• source3/lib/packet.c (modified) (1 diff)
• source3/lib/readline.c (modified) (1 diff)
• source3/lib/select.c (modified) (2 diffs)
• source3/lib/util_sock.c (modified) (4 diffs)
• source3/libaddns/dnssock.c (modified) (1 diff)
• source3/libsmb/nmblib.c (modified) (1 diff)
• source3/nmbd/nmbd_packets.c (modified) (5 diffs)
• source3/utils/smbfilter.c (modified) (2 diffs)
• source3/winbindd/winbindd_dual.c (modified) (1 diff)

trunk/server/WHATSNEW.txt ¶

@@ +1 @@
+                   =============================
+                   Release Notes for Samba 3.5.7
+                          February 28, 2011
+                   =============================
+
+
+This is a security release in order to address CVE-2011-0719.
+
+
+o  CVE-2011-0719:
+   All current released versions of Samba are vulnerable to
+   a denial of service caused by memory corruption. Range
+   checks on file descriptors being used in the FD_SET macro
+   were not present allowing stack corruption. This can cause
+   the Samba code to crash or to loop attempting to select
+   on a bad file descriptor set.
+
+
+Changes since 3.5.6:
+--------------------
+
+
+o   Jeremy Allison <jra@samba.org>
+    * BUG 7949: Fix DoS in Winbind and smbd with many file descriptors open.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.5 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    =============================
                    Release Notes for Samba 3.5.6
@@ -95 +144 @@
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================

trunk/server/lib/tevent/tevent_select.c ¶

@@ -112 +112 @@
         struct tevent_fd *fde;
 
+        if (fd < 0 || fd >= FD_SETSIZE) {
+                errno = EBADF;
+                return NULL;
+        }
+
         fde = tevent_common_add_fd(ev, mem_ctx, fd, flags,
                                    handler, private_data,
@@ -144 +149 @@
         /* setup any fd events */
         for (fde = select_ev->ev->fd_events; fde; fde = fde->next) {
+                if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        return -1;
+                }
+
                 if (fde->flags & TEVENT_FD_READ) {
                         FD_SET(fde->fd, &r_fds);

trunk/server/lib/tevent/tevent_standard.c ¶

@@ -458 +458 @@
         /* setup any fd events */
         for (fde = std_ev->ev->fd_events; fde; fde = fde->next) {
+                if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+                        std_ev->exit_code = EBADF;
+                        return -1;
+                }
+
                 if (fde->flags & TEVENT_FD_READ) {
                         FD_SET(fde->fd, &r_fds);

trunk/server/nsswitch/libwbclient/wbc_async.c ¶

@@ -510 +510 @@
         int selret;
 
-        if (fd == -1) {
+        if (fd < 0 || fd >= FD_SETSIZE) {
                 return true;
         }

trunk/server/nsswitch/wb_common.c ¶

@@ -245 +245 @@
                         case EINPROGRESS:
                                 FD_ZERO(&w_fds);
+                                if (fd < 0 || fd >= FD_SETSIZE) {
+                                        errno = EBADF;
+                                        goto error_out;
+                                }
                                 FD_SET(fd, &w_fds);
                                 tv.tv_sec = CONNECT_TIMEOUT - wait_time;
@@ -392 +396 @@
 
                 FD_ZERO(&r_fds);
+                if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        winbind_close_sock();
+                        return -1;
+                }
                 FD_SET(winbindd_fd, &r_fds);
                 ZERO_STRUCT(tv);
@@ -452 +461 @@
 
                 FD_ZERO(&r_fds);
+                if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        winbind_close_sock();
+                        return -1;
+                }
                 FD_SET(winbindd_fd, &r_fds);
                 ZERO_STRUCT(tv);

trunk/server/packaging/RHEL-CTDB/samba.spec ¶

@@ -6 +6 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.5.6
+Version:      3.5.7
 Release:      1GITHASH
 Epoch:        0

trunk/server/packaging/RHEL/makerpms.sh ¶

@@ -21 +21 @@
 USERID=`id -u`
 GRPID=`id -g`
-VERSION='3.5.6'
+VERSION='3.5.7'
 REVISION=''
 SPECFILE="samba.spec"

trunk/server/packaging/RHEL/samba.spec ¶

@@ -6 +6 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.5.6
+Version:      3.5.7
 Release:      1
 Epoch:        0

trunk/server/source3/VERSION ¶

@@ -26 +26 @@
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
 
 ########################################################

trunk/server/source3/build.options ¶

@@ -1 +1 @@
 MAKE=""
 LIBC="064X"
-BRAND="YES"
+BRAND="NO"

trunk/server/source3/client/client.c ¶

@@ -4421 +4421 @@
  again:
 
-        if (cli->fd == -1)
+        if (cli->fd < 0 || cli->fd >= FD_SETSIZE) {
+                errno = EBADF;
                 return;
+        }
 
         FD_ZERO(&fds);

trunk/server/source3/client/dnsbrowse.c ¶

@@ -80 +80 @@
                 if (fdset != NULL) {
                         TALLOC_FREE(fdset);
+                }
+
+                if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        break;
                 }
 
@@ -182 +187 @@
                 }
 
+                if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        TALLOC_FREE(ctx);
+                        return 1;
+                }
+
                 fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
                 fdset = TALLOC_ZERO(ctx, fdsetsz);

trunk/server/source3/lib/events.c ¶

@@ -56 +56 @@
 
         for (fde = ev->fd_events; fde; fde = fde->next) {
+                if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+                        /* We ignore here, as it shouldn't be
+                           possible to add an invalid fde->fd
+                           but we don't want FD_SET to see an
+                           invalid fd. */
+                        continue;
+                }
+
                 if (fde->flags & EVENT_FD_READ) {
                         FD_SET(fde->fd, read_fds);

trunk/server/source3/lib/g_lock.c ¶

@@ -392 +392 @@
                         FD_ZERO(r_fds);
                         max_fd = ctdbd_conn_get_fd(conn);
-                        FD_SET(max_fd, r_fds);
+                        if (max_fd >= 0 && max_fd < FD_SETSIZE) {
+                                FD_SET(max_fd, r_fds);
+                        }
                 }
 #endif

trunk/server/source3/lib/packet.c ¶

@@ -108 +108 @@
         fd_set r_fds;
 
+        if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) {
+                errno = EBADF;
+                return map_nt_error_from_unix(errno);
+        }
+
         FD_ZERO(&r_fds);
         FD_SET(ctx->fd, &r_fds);

trunk/server/source3/lib/readline.c ¶

@@ -92 +92 @@
                 timeout.tv_usec = 0;
 
+                if (fd < 0 || fd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        break;
+                }
+
                 FD_ZERO(&fds);
                 FD_SET(fd,&fds);

trunk/server/source3/lib/select.c ¶

@@ -80 +80 @@
                 }
 
+                if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) {
+                        DEBUG(0, ("sys_select: bad fd\n"));
+                        if (readfds != NULL)
+                                FD_ZERO(readfds);
+                        if (writefds != NULL)
+                                FD_ZERO(writefds);
+                        if (errorfds != NULL)
+                                FD_ZERO(errorfds);
+                        errno = EBADF;
+                        return -1;
+                }
                 /*
                  * These next two lines seem to fix a bug with the Linux
@@ -106 +117 @@
                 FD_ZERO(readfds2);
         }
+
         FD_SET(select_pipe[0], readfds2);
 

trunk/server/source3/lib/util_sock.c ¶

@@ -496 +496 @@
 
         for (nread=0; nread < mincnt; ) {
+                if (fd < 0 || fd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        return map_nt_error_from_unix(EBADF);
+                }
+
                 FD_ZERO(&fds);
                 FD_SET(fd,&fds);
@@ -1236 +1241 @@
         for (i=0; i<num_addrs; i++) {
                 sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
-                if (sockets[i] < 0)
+                if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE)
                         goto done;
                 set_blocking(sockets[i], false);
@@ -1285 +1290 @@
 
         for (i=0; i<num_addrs; i++) {
-                if (sockets[i] == -1)
+                if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
+                        /* This cannot happen - ignore if so. */
                         continue;
+                }
                 FD_SET(sockets[i], &wr_fds);
                 FD_SET(sockets[i], &r_fds);
@@ -1306 +1313 @@
         for (i=0; i<num_addrs; i++) {
 
-                if (sockets[i] == -1)
+                if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
+                        /* This cannot happen - ignore if so. */
                         continue;
+                }
 
                 /* Stevens, Network Programming says that if there's a

trunk/server/source3/libaddns/dnssock.c ¶

@@ -220 +220 @@
                 int fd_ready;
                 
+                if (fd < 0 || fd >= FD_SETSIZE) {
+                        /* read timeout */
+                        return ERROR_DNS_SOCKET_ERROR;
+                }
+
                 FD_ZERO( &rfds );
                 FD_SET( fd, &rfds );

trunk/server/source3/libsmb/nmblib.c ¶

@@ -1095 +1095 @@
         int ret;
 
+        if (fd < 0 || fd >= FD_SETSIZE) {
+                errno = EBADF;
+                return NULL;
+        }
+
         FD_ZERO(&fds);
         FD_SET(fd,&fds);

trunk/server/source3/nmbd/nmbd_packets.c ¶

@@ -1697 +1697 @@
         count *= 4;
 
-        if(count > FD_SETSIZE) {
+        if(count >= FD_SETSIZE) {
                 DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \
 only use %d.\n", count, FD_SETSIZE));
@@ -1713 +1713 @@
 
         /* Add in the lp_socket_address() interface on 137. */
+        if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) {
+                errno = EBADF;
+                SAFE_FREE(pset);
+                return True;
+        }
+
         FD_SET(ClientNMB,pset);
         sock_array[num++] = ClientNMB;
@@ -1722 +1728 @@
         /* Add in the 137 sockets on all the interfaces. */
         for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
+                if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) {
+                        /* We have to ignore sockets outside FD_SETSIZE. */
+                        continue;
+                }
                 FD_SET(subrec->nmb_sock,pset);
                 sock_array[num++] = subrec->nmb_sock;
                 *maxfd = MAX( *maxfd, subrec->nmb_sock);
 
+                if (subrec->nmb_bcast < 0 || subrec->nmb_bcast >= FD_SETSIZE) {
+                        /* We have to ignore sockets outside FD_SETSIZE. */
+                        continue;
+                }
                 sock_array[num++] = subrec->nmb_bcast;
-                if (subrec->nmb_bcast != -1) {
-                        FD_SET(subrec->nmb_bcast,pset);
-                        *maxfd = MAX( *maxfd, subrec->nmb_bcast);
-                }
+                FD_SET(subrec->nmb_bcast,pset);
+                *maxfd = MAX( *maxfd, subrec->nmb_bcast);
         }
 
         /* Add in the lp_socket_address() interface on 138. */
+        if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) {
+                errno = EBADF;
+                SAFE_FREE(pset);
+                return True;
+        }
         FD_SET(ClientDGRAM,pset);
         sock_array[num++] = ClientDGRAM;
@@ -1743 +1760 @@
         /* Add in the 138 sockets on all the interfaces. */
         for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
+                if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE) {
+                        /* We have to ignore sockets outside FD_SETSIZE. */
+                        continue;
+                }
                 FD_SET(subrec->dgram_sock,pset);
                 sock_array[num++] = subrec->dgram_sock;
                 *maxfd = MAX( *maxfd, subrec->dgram_sock);
 
+                if (subrec->dgram_bcast < 0 || subrec->dgram_bcast >= FD_SETSIZE) {
+                        /* We have to ignore sockets outside FD_SETSIZE. */
+                        continue;
+                }
                 sock_array[num++] = subrec->dgram_bcast;
                 if (subrec->dgram_bcast != -1) {
@@ -1877 +1902 @@
 #ifndef SYNC_DNS
         dns_fd = asyncdns_fd();
-        if (dns_fd != -1) {
+        if (dns_fd >= 0 && dns_fd < FD_SETSIZE) {
                 FD_SET(dns_fd, &r_fds);
                 maxfd = MAX( maxfd, dns_fd);

trunk/server/source3/utils/smbfilter.c ¶

@@ -194 +194 @@
                 
                 FD_ZERO(&fds);
-                if (s != -1) FD_SET(s, &fds);
-                if (c != -1) FD_SET(c, &fds);
+                if (s >= 0 && s < FD_SETSIZE) FD_SET(s, &fds);
+                if (c >= 0 && c < FD_SETSIZE) FD_SET(c, &fds);
 
                 num = sys_select_intr(MAX(s+1, c+1),&fds,NULL,NULL,NULL);
@@ -268 +268 @@
                 
                 FD_ZERO(&fds);
+                if (s < 0 || s >= FD_SETSIZE) {
+                        break;
+                }
                 FD_SET(s, &fds);
 

trunk/server/source3/winbindd/winbindd_dual.c ¶

@@ -1461 +1461 @@
                 FD_ZERO(&r_fds);
                 FD_ZERO(&w_fds);
+
+                if (state.sock < 0 || state.sock >= FD_SETSIZE) {
+                        TALLOC_FREE(frame);
+                        perror("EBADF");
+                        _exit(1);
+                }
+
                 FD_SET(state.sock, &r_fds);
                 maxfd = state.sock;