[Pkg-samba-maint] r3681 - in branches/samba/squeeze/debian: . patches
bubulle at alioth.debian.org
bubulle at alioth.debian.org
Tue Mar 1 19:13:51 UTC 2011
Author: bubulle
Date: 2011-03-01 19:13:47 +0000 (Tue, 01 Mar 2011)
New Revision: 3681
Added:
branches/samba/squeeze/debian/patches/security-CVE-2011-0719.patch
Modified:
branches/samba/squeeze/debian/changelog
branches/samba/squeeze/debian/patches/series
Log:
Release 2:3.5.6~dfsg-3squeeze2
Modified: branches/samba/squeeze/debian/changelog
===================================================================
--- branches/samba/squeeze/debian/changelog 2011-03-01 15:11:01 UTC (rev 3680)
+++ branches/samba/squeeze/debian/changelog 2011-03-01 19:13:47 UTC (rev 3681)
@@ -1,3 +1,10 @@
+samba (2:3.5.6~dfsg-3squeeze2) stable-security; urgency=high
+
+ * Security update, fixing the following issue:
+ - CVE-2011-0719: denial of service by memory corruption
+
+ -- Christian Perrier <bubulle at debian.org> Wed, 23 Feb 2011 20:14:40 +0100
+
samba (2:3.5.6~dfsg-3squeeze1) stable-proposed-updates; urgency=low
* Fix pam_winbind file descriptor leak with a patch
Added: branches/samba/squeeze/debian/patches/security-CVE-2011-0719.patch
===================================================================
--- branches/samba/squeeze/debian/patches/security-CVE-2011-0719.patch (rev 0)
+++ branches/samba/squeeze/debian/patches/security-CVE-2011-0719.patch 2011-03-01 19:13:47 UTC (rev 3681)
@@ -0,0 +1,457 @@
+Goal: Fix denial of service - memory corruption
+
+Fixes: Upstream security fix. CVE-2011-0719
+
+Status wrt upstream: Fixed in 3.5.7
+
+Author: Samba Team <security at samba.org>
+
+diff --git a/lib/tevent/tevent_select.c b/lib/tevent/tevent_select.c
+index d974189..890e031 100644
+--- a/lib/tevent/tevent_select.c
++++ b/lib/tevent/tevent_select.c
+@@ -111,6 +111,11 @@ static struct tevent_fd *select_event_add_fd(struct tevent_context *ev, TALLOC_C
+ struct select_event_context);
+ struct tevent_fd *fde;
+
++ if (fd < 0 || fd >= FD_SETSIZE) {
++ errno = EBADF;
++ return NULL;
++ }
++
+ fde = tevent_common_add_fd(ev, mem_ctx, fd, flags,
+ handler, private_data,
+ handler_name, location);
+@@ -143,6 +148,11 @@ static int select_event_loop_select(struct select_event_context *select_ev, stru
+
+ /* setup any fd events */
+ for (fde = select_ev->ev->fd_events; fde; fde = fde->next) {
++ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
++ errno = EBADF;
++ return -1;
++ }
++
+ if (fde->flags & TEVENT_FD_READ) {
+ FD_SET(fde->fd, &r_fds);
+ }
+diff --git a/lib/tevent/tevent_standard.c b/lib/tevent/tevent_standard.c
+index c3f8b36..d4a00cc 100644
+--- a/lib/tevent/tevent_standard.c
++++ b/lib/tevent/tevent_standard.c
+@@ -457,6 +457,11 @@ static int std_event_loop_select(struct std_event_context *std_ev, struct timeva
+
+ /* setup any fd events */
+ for (fde = std_ev->ev->fd_events; fde; fde = fde->next) {
++ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
++ std_ev->exit_code = EBADF;
++ return -1;
++ }
++
+ if (fde->flags & TEVENT_FD_READ) {
+ FD_SET(fde->fd, &r_fds);
+ }
+diff --git a/nsswitch/libwbclient/wbc_async.c b/nsswitch/libwbclient/wbc_async.c
+index 181d546..bb95b91 100644
+--- a/nsswitch/libwbclient/wbc_async.c
++++ b/nsswitch/libwbclient/wbc_async.c
+@@ -509,7 +509,7 @@ static bool closed_fd(int fd)
+ fd_set r_fds;
+ int selret;
+
+- if (fd == -1) {
++ if (fd < 0 || fd >= FD_SETSIZE) {
+ return true;
+ }
+
+diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
+index b7fafc3..def41d5 100644
+--- a/nsswitch/wb_common.c
++++ b/nsswitch/wb_common.c
+@@ -244,6 +244,10 @@ static int winbind_named_pipe_sock(const char *dir)
+ switch (errno) {
+ case EINPROGRESS:
+ FD_ZERO(&w_fds);
++ if (fd < 0 || fd >= FD_SETSIZE) {
++ errno = EBADF;
++ goto error_out;
++ }
+ FD_SET(fd, &w_fds);
+ tv.tv_sec = CONNECT_TIMEOUT - wait_time;
+ tv.tv_usec = 0;
+@@ -391,6 +395,11 @@ int winbind_write_sock(void *buffer, int count, int recursing, int need_priv)
+ call would not block by calling select(). */
+
+ FD_ZERO(&r_fds);
++ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
++ errno = EBADF;
++ winbind_close_sock();
++ return -1;
++ }
+ FD_SET(winbindd_fd, &r_fds);
+ ZERO_STRUCT(tv);
+
+@@ -451,6 +460,11 @@ int winbind_read_sock(void *buffer, int count)
+ call would not block by calling select(). */
+
+ FD_ZERO(&r_fds);
++ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
++ errno = EBADF;
++ winbind_close_sock();
++ return -1;
++ }
+ FD_SET(winbindd_fd, &r_fds);
+ ZERO_STRUCT(tv);
+ /* Wait for 5 seconds for a reply. May need to parameterise this... */
+diff --git a/source3/client/client.c b/source3/client/client.c
+index 6d39977..e1952b5 100644
+--- a/source3/client/client.c
++++ b/source3/client/client.c
+@@ -4420,8 +4420,10 @@ static void readline_callback(void)
+
+ again:
+
+- if (cli->fd == -1)
++ if (cli->fd < 0 || cli->fd >= FD_SETSIZE) {
++ errno = EBADF;
+ return;
++ }
+
+ FD_ZERO(&fds);
+ FD_SET(cli->fd,&fds);
+diff --git a/source3/client/dnsbrowse.c b/source3/client/dnsbrowse.c
+index 5e3a4de..a6b9360 100644
+--- a/source3/client/dnsbrowse.c
++++ b/source3/client/dnsbrowse.c
+@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result *browsesrv)
+ TALLOC_FREE(fdset);
+ }
+
++ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
++ errno = EBADF;
++ break;
++ }
++
+ fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
+ fdset = TALLOC_ZERO(ctx, fdsetsz);
+ FD_SET(mdnsfd, fdset);
+@@ -181,6 +186,12 @@ int do_smb_browse(void)
+ TALLOC_FREE(fdset);
+ }
+
++ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
++ errno = EBADF;
++ TALLOC_FREE(ctx);
++ return 1;
++ }
++
+ fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
+ fdset = TALLOC_ZERO(ctx, fdsetsz);
+ FD_SET(mdnsfd, fdset);
+diff --git a/source3/lib/events.c b/source3/lib/events.c
+index c529038..01ea017 100644
+--- a/source3/lib/events.c
++++ b/source3/lib/events.c
+@@ -55,6 +55,14 @@ bool event_add_to_select_args(struct tevent_context *ev,
+ bool ret = false;
+
+ for (fde = ev->fd_events; fde; fde = fde->next) {
++ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
++ /* We ignore here, as it shouldn't be
++ possible to add an invalid fde->fd
++ but we don't want FD_SET to see an
++ invalid fd. */
++ continue;
++ }
++
+ if (fde->flags & EVENT_FD_READ) {
+ FD_SET(fde->fd, read_fds);
+ ret = true;
+diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
+index 1726047..356c104 100644
+--- a/source3/lib/g_lock.c
++++ b/source3/lib/g_lock.c
+@@ -391,7 +391,9 @@ NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, const char *name,
+ r_fds = &_r_fds;
+ FD_ZERO(r_fds);
+ max_fd = ctdbd_conn_get_fd(conn);
+- FD_SET(max_fd, r_fds);
++ if (max_fd >= 0 && max_fd < FD_SETSIZE) {
++ FD_SET(max_fd, r_fds);
++ }
+ }
+ #endif
+
+diff --git a/source3/lib/packet.c b/source3/lib/packet.c
+index c131b97..8d815c9 100644
+--- a/source3/lib/packet.c
++++ b/source3/lib/packet.c
+@@ -107,6 +107,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx,
+ int res;
+ fd_set r_fds;
+
++ if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) {
++ errno = EBADF;
++ return map_nt_error_from_unix(errno);
++ }
++
+ FD_ZERO(&r_fds);
+ FD_SET(ctx->fd, &r_fds);
+
+diff --git a/source3/lib/readline.c b/source3/lib/readline.c
+index 34867aa..70a82f2 100644
+--- a/source3/lib/readline.c
++++ b/source3/lib/readline.c
+@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void)
+ timeout.tv_sec = 5;
+ timeout.tv_usec = 0;
+
++ if (fd < 0 || fd >= FD_SETSIZE) {
++ errno = EBADF;
++ break;
++ }
++
+ FD_ZERO(&fds);
+ FD_SET(fd,&fds);
+
+diff --git a/source3/lib/select.c b/source3/lib/select.c
+index b5443ff..2230b43 100644
+--- a/source3/lib/select.c
++++ b/source3/lib/select.c
+@@ -75,6 +75,17 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
+ return -1;
+ }
+
++ if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) {
++ DEBUG(0, ("sys_select: bad fd\n"));
++ if (readfds != NULL)
++ FD_ZERO(readfds);
++ if (writefds != NULL)
++ FD_ZERO(writefds);
++ if (errorfds != NULL)
++ FD_ZERO(errorfds);
++ errno = EBADF;
++ return -1;
++ }
+ /*
+ * These next two lines seem to fix a bug with the Linux
+ * 2.0.x kernel (and probably other UNIXes as well) where
+@@ -101,6 +112,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s
+ readfds2 = &readfds_buf;
+ FD_ZERO(readfds2);
+ }
++
+ FD_SET(select_pipe[0], readfds2);
+
+ errno = 0;
+diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c
+index 08cbced..7a573ad 100644
+--- a/source3/lib/util_sock.c
++++ b/source3/lib/util_sock.c
+@@ -495,6 +495,11 @@ NTSTATUS read_fd_with_timeout(int fd, char *buf,
+ timeout.tv_usec = (long)(1000 * (time_out % 1000));
+
+ for (nread=0; nread < mincnt; ) {
++ if (fd < 0 || fd >= FD_SETSIZE) {
++ errno = EBADF;
++ return map_nt_error_from_unix(EBADF);
++ }
++
+ FD_ZERO(&fds);
+ FD_SET(fd,&fds);
+
+@@ -1235,7 +1240,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
+
+ for (i=0; i<num_addrs; i++) {
+ sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
+- if (sockets[i] < 0)
++ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE)
+ goto done;
+ set_blocking(sockets[i], false);
+ }
+@@ -1284,8 +1289,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
+ FD_ZERO(&r_fds);
+
+ for (i=0; i<num_addrs; i++) {
+- if (sockets[i] == -1)
++ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
++ /* This cannot happen - ignore if so. */
+ continue;
++ }
+ FD_SET(sockets[i], &wr_fds);
+ FD_SET(sockets[i], &r_fds);
+ if (sockets[i]>maxfd)
+@@ -1305,8 +1312,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
+
+ for (i=0; i<num_addrs; i++) {
+
+- if (sockets[i] == -1)
++ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
++ /* This cannot happen - ignore if so. */
+ continue;
++ }
+
+ /* Stevens, Network Programming says that if there's a
+ * successful connect, the socket is only writable. Upon an
+diff --git a/source3/libaddns/dnssock.c b/source3/libaddns/dnssock.c
+index 7c8bd41..bf11fea 100644
+--- a/source3/libaddns/dnssock.c
++++ b/source3/libaddns/dnssock.c
+@@ -219,6 +219,11 @@ static DNS_ERROR read_all(int fd, uint8 *data, size_t len)
+ ssize_t ret;
+ int fd_ready;
+
++ if (fd < 0 || fd >= FD_SETSIZE) {
++ /* read timeout */
++ return ERROR_DNS_SOCKET_ERROR;
++ }
++
+ FD_ZERO( &rfds );
+ FD_SET( fd, &rfds );
+
+diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c
+index 267a49f..c47f827 100644
+--- a/source3/libsmb/nmblib.c
++++ b/source3/libsmb/nmblib.c
+@@ -1094,6 +1094,11 @@ struct packet_struct *receive_packet(int fd,enum packet_type type,int t)
+ struct timeval timeout;
+ int ret;
+
++ if (fd < 0 || fd >= FD_SETSIZE) {
++ errno = EBADF;
++ return NULL;
++ }
++
+ FD_ZERO(&fds);
+ FD_SET(fd,&fds);
+ timeout.tv_sec = t/1000;
+diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
+index a753b28..0eafb2c 100644
+--- a/source3/nmbd/nmbd_packets.c
++++ b/source3/nmbd/nmbd_packets.c
+@@ -1696,7 +1696,7 @@ static bool create_listen_fdset(fd_set **ppset, int **psock_array, int *listen_n
+ /* each interface gets 4 sockets */
+ count *= 4;
+
+- if(count > FD_SETSIZE) {
++ if(count >= FD_SETSIZE) {
+ DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \
+ only use %d.\n", count, FD_SETSIZE));
+ SAFE_FREE(pset);
+@@ -1712,6 +1712,12 @@ only use %d.\n", count, FD_SETSIZE));
+ FD_ZERO(pset);
+
+ /* Add in the lp_socket_address() interface on 137. */
++ if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) {
++ errno = EBADF;
++ SAFE_FREE(pset);
++ return True;
++ }
++
+ FD_SET(ClientNMB,pset);
+ sock_array[num++] = ClientNMB;
+ *maxfd = MAX( *maxfd, ClientNMB);
+@@ -1721,18 +1727,29 @@ only use %d.\n", count, FD_SETSIZE));
+
+ /* Add in the 137 sockets on all the interfaces. */
+ for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
++ if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) {
++ /* We have to ignore sockets outside FD_SETSIZE. */
++ continue;
++ }
+ FD_SET(subrec->nmb_sock,pset);
+ sock_array[num++] = subrec->nmb_sock;
+ *maxfd = MAX( *maxfd, subrec->nmb_sock);
+
+- sock_array[num++] = subrec->nmb_bcast;
+- if (subrec->nmb_bcast != -1) {
+- FD_SET(subrec->nmb_bcast,pset);
+- *maxfd = MAX( *maxfd, subrec->nmb_bcast);
++ if (subrec->nmb_bcast < 0 || subrec->nmb_bcast >= FD_SETSIZE) {
++ /* We have to ignore sockets outside FD_SETSIZE. */
++ continue;
+ }
++ sock_array[num++] = subrec->nmb_bcast;
++ FD_SET(subrec->nmb_bcast,pset);
++ *maxfd = MAX( *maxfd, subrec->nmb_bcast);
+ }
+
+ /* Add in the lp_socket_address() interface on 138. */
++ if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) {
++ errno = EBADF;
++ SAFE_FREE(pset);
++ return True;
++ }
+ FD_SET(ClientDGRAM,pset);
+ sock_array[num++] = ClientDGRAM;
+ *maxfd = MAX( *maxfd, ClientDGRAM);
+@@ -1742,10 +1759,18 @@ only use %d.\n", count, FD_SETSIZE));
+
+ /* Add in the 138 sockets on all the interfaces. */
+ for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
++ if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE) {
++ /* We have to ignore sockets outside FD_SETSIZE. */
++ continue;
++ }
+ FD_SET(subrec->dgram_sock,pset);
+ sock_array[num++] = subrec->dgram_sock;
+ *maxfd = MAX( *maxfd, subrec->dgram_sock);
+
++ if (subrec->dgram_bcast < 0 || subrec->dgram_bcast >= FD_SETSIZE) {
++ /* We have to ignore sockets outside FD_SETSIZE. */
++ continue;
++ }
+ sock_array[num++] = subrec->dgram_bcast;
+ if (subrec->dgram_bcast != -1) {
+ FD_SET(subrec->dgram_bcast,pset);
+@@ -1876,7 +1901,7 @@ bool listen_for_packets(bool run_election)
+
+ #ifndef SYNC_DNS
+ dns_fd = asyncdns_fd();
+- if (dns_fd != -1) {
++ if (dns_fd >= 0 && dns_fd < FD_SETSIZE) {
+ FD_SET(dns_fd, &r_fds);
+ maxfd = MAX( maxfd, dns_fd);
+ }
+diff --git a/source3/utils/smbfilter.c b/source3/utils/smbfilter.c
+index 65d8461..e7abf52 100644
+--- a/source3/utils/smbfilter.c
++++ b/source3/utils/smbfilter.c
+@@ -193,8 +193,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss)
+ int num;
+
+ FD_ZERO(&fds);
+- if (s != -1) FD_SET(s, &fds);
+- if (c != -1) FD_SET(c, &fds);
++ if (s >= 0 && s < FD_SETSIZE) FD_SET(s, &fds);
++ if (c >= 0 && c < FD_SETSIZE) FD_SET(c, &fds);
+
+ num = sys_select_intr(MAX(s+1, c+1),&fds,NULL,NULL,NULL);
+ if (num <= 0) continue;
+@@ -267,6 +267,9 @@ static void start_filter(char *desthost)
+ socklen_t in_addrlen = sizeof(ss);
+
+ FD_ZERO(&fds);
++ if (s < 0 || s >= FD_SETSIZE) {
++ break;
++ }
+ FD_SET(s, &fds);
+
+ num = sys_select_intr(s+1,&fds,NULL,NULL,NULL);
+diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
+index 44e8552..117d55d 100644
+--- a/source3/winbindd/winbindd_dual.c
++++ b/source3/winbindd/winbindd_dual.c
+@@ -1460,6 +1460,13 @@ static bool fork_domain_child(struct winbindd_child *child)
+
+ FD_ZERO(&r_fds);
+ FD_ZERO(&w_fds);
++
++ if (state.sock < 0 || state.sock >= FD_SETSIZE) {
++ TALLOC_FREE(frame);
++ perror("EBADF");
++ _exit(1);
++ }
++
+ FD_SET(state.sock, &r_fds);
+ maxfd = state.sock;
+
Modified: branches/samba/squeeze/debian/patches/series
===================================================================
--- branches/samba/squeeze/debian/patches/series 2011-03-01 15:11:01 UTC (rev 3680)
+++ branches/samba/squeeze/debian/patches/series 2011-03-01 19:13:47 UTC (rev 3681)
@@ -13,3 +13,4 @@
autoconf.patch
bug_605728_upstream_7791.patch
bug_574468_upstream_7265.patch
+security-CVE-2011-0719.patch
More information about the Pkg-samba-maint
mailing list