diff options
| author | bubulle <bubulle@alioth.debian.org> | 2011-03-01 19:13:47 +0000 |
|---|---|---|
| committer | bubulle <bubulle@alioth.debian.org> | 2011-03-01 19:13:47 +0000 |
| commit | bcffcc6b2b3dbc324b397fb8179af47bbee53bb7 (patch) | |
| tree | 1c4f335e28c1288397cf55a4f10cfbfb4eb2a9a4 | |
| parent | 0b865b88909f0b8aae368669f81dbb7c2f3e97c5 (diff) | |
| download | samba-debian/2%3.5.6_dfsg-3squeeze2.tar.gz | |
Release 2:3.5.6~dfsg-3squeeze2debian/2%3.5.6_dfsg-3squeeze2
git-svn-id: svn://svn.debian.org/svn/pkg-samba/branches/samba/squeeze@3681 fc4039ab-9d04-0410-8cac-899223bdd6b0
| -rw-r--r-- | debian/changelog | 7 | ||||
| -rw-r--r-- | debian/patches/security-CVE-2011-0719.patch | 457 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
3 files changed, 465 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 9b2e63b1d8..4ae560f177 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +samba (2:3.5.6~dfsg-3squeeze2) stable-security; urgency=high + + * Security update, fixing the following issue: + - CVE-2011-0719: denial of service by memory corruption + + -- Christian Perrier <bubulle@debian.org> Wed, 23 Feb 2011 20:14:40 +0100 + samba (2:3.5.6~dfsg-3squeeze1) stable-proposed-updates; urgency=low * Fix pam_winbind file descriptor leak with a patch diff --git a/debian/patches/security-CVE-2011-0719.patch b/debian/patches/security-CVE-2011-0719.patch new file mode 100644 index 0000000000..eeddf7b233 --- /dev/null +++ b/debian/patches/security-CVE-2011-0719.patch @@ -0,0 +1,457 @@ +Goal: Fix denial of service - memory corruption + +Fixes: Upstream security fix. CVE-2011-0719 + +Status wrt upstream: Fixed in 3.5.7 + +Author: Samba Team <security@samba.org> + +diff --git a/lib/tevent/tevent_select.c b/lib/tevent/tevent_select.c +index d974189..890e031 100644 +--- a/lib/tevent/tevent_select.c ++++ b/lib/tevent/tevent_select.c +@@ -111,6 +111,11 @@ static struct tevent_fd *select_event_add_fd(struct tevent_context *ev, TALLOC_C + struct select_event_context); + struct tevent_fd *fde; + ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ errno = EBADF; ++ return NULL; ++ } ++ + fde = tevent_common_add_fd(ev, mem_ctx, fd, flags, + handler, private_data, + handler_name, location); +@@ -143,6 +148,11 @@ static int select_event_loop_select(struct select_event_context *select_ev, stru + + /* setup any fd events */ + for (fde = select_ev->ev->fd_events; fde; fde = fde->next) { ++ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) { ++ errno = EBADF; ++ return -1; ++ } ++ + if (fde->flags & TEVENT_FD_READ) { + FD_SET(fde->fd, &r_fds); + } +diff --git a/lib/tevent/tevent_standard.c b/lib/tevent/tevent_standard.c +index c3f8b36..d4a00cc 100644 +--- a/lib/tevent/tevent_standard.c ++++ b/lib/tevent/tevent_standard.c +@@ -457,6 +457,11 @@ static int std_event_loop_select(struct std_event_context *std_ev, struct timeva + + /* setup any fd events */ + for (fde = std_ev->ev->fd_events; fde; fde = fde->next) { ++ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) { ++ std_ev->exit_code = EBADF; ++ return -1; ++ } ++ + if (fde->flags & TEVENT_FD_READ) { + FD_SET(fde->fd, &r_fds); + } +diff --git a/nsswitch/libwbclient/wbc_async.c b/nsswitch/libwbclient/wbc_async.c +index 181d546..bb95b91 100644 +--- a/nsswitch/libwbclient/wbc_async.c ++++ b/nsswitch/libwbclient/wbc_async.c +@@ -509,7 +509,7 @@ static bool closed_fd(int fd) + fd_set r_fds; + int selret; + +- if (fd == -1) { ++ if (fd < 0 || fd >= FD_SETSIZE) { + return true; + } + +diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c +index b7fafc3..def41d5 100644 +--- a/nsswitch/wb_common.c ++++ b/nsswitch/wb_common.c +@@ -244,6 +244,10 @@ static int winbind_named_pipe_sock(const char *dir) + switch (errno) { + case EINPROGRESS: + FD_ZERO(&w_fds); ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ errno = EBADF; ++ goto error_out; ++ } + FD_SET(fd, &w_fds); + tv.tv_sec = CONNECT_TIMEOUT - wait_time; + tv.tv_usec = 0; +@@ -391,6 +395,11 @@ int winbind_write_sock(void *buffer, int count, int recursing, int need_priv) + call would not block by calling select(). */ + + FD_ZERO(&r_fds); ++ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) { ++ errno = EBADF; ++ winbind_close_sock(); ++ return -1; ++ } + FD_SET(winbindd_fd, &r_fds); + ZERO_STRUCT(tv); + +@@ -451,6 +460,11 @@ int winbind_read_sock(void *buffer, int count) + call would not block by calling select(). */ + + FD_ZERO(&r_fds); ++ if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) { ++ errno = EBADF; ++ winbind_close_sock(); ++ return -1; ++ } + FD_SET(winbindd_fd, &r_fds); + ZERO_STRUCT(tv); + /* Wait for 5 seconds for a reply. May need to parameterise this... */ +diff --git a/source3/client/client.c b/source3/client/client.c +index 6d39977..e1952b5 100644 +--- a/source3/client/client.c ++++ b/source3/client/client.c +@@ -4420,8 +4420,10 @@ static void readline_callback(void) + + again: + +- if (cli->fd == -1) ++ if (cli->fd < 0 || cli->fd >= FD_SETSIZE) { ++ errno = EBADF; + return; ++ } + + FD_ZERO(&fds); + FD_SET(cli->fd,&fds); +diff --git a/source3/client/dnsbrowse.c b/source3/client/dnsbrowse.c +index 5e3a4de..a6b9360 100644 +--- a/source3/client/dnsbrowse.c ++++ b/source3/client/dnsbrowse.c +@@ -81,6 +81,11 @@ static void do_smb_resolve(struct mdns_smbsrv_result *browsesrv) + TALLOC_FREE(fdset); + } + ++ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) { ++ errno = EBADF; ++ break; ++ } ++ + fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask); + fdset = TALLOC_ZERO(ctx, fdsetsz); + FD_SET(mdnsfd, fdset); +@@ -181,6 +186,12 @@ int do_smb_browse(void) + TALLOC_FREE(fdset); + } + ++ if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) { ++ errno = EBADF; ++ TALLOC_FREE(ctx); ++ return 1; ++ } ++ + fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask); + fdset = TALLOC_ZERO(ctx, fdsetsz); + FD_SET(mdnsfd, fdset); +diff --git a/source3/lib/events.c b/source3/lib/events.c +index c529038..01ea017 100644 +--- a/source3/lib/events.c ++++ b/source3/lib/events.c +@@ -55,6 +55,14 @@ bool event_add_to_select_args(struct tevent_context *ev, + bool ret = false; + + for (fde = ev->fd_events; fde; fde = fde->next) { ++ if (fde->fd < 0 || fde->fd >= FD_SETSIZE) { ++ /* We ignore here, as it shouldn't be ++ possible to add an invalid fde->fd ++ but we don't want FD_SET to see an ++ invalid fd. */ ++ continue; ++ } ++ + if (fde->flags & EVENT_FD_READ) { + FD_SET(fde->fd, read_fds); + ret = true; +diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c +index 1726047..356c104 100644 +--- a/source3/lib/g_lock.c ++++ b/source3/lib/g_lock.c +@@ -391,7 +391,9 @@ NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, const char *name, + r_fds = &_r_fds; + FD_ZERO(r_fds); + max_fd = ctdbd_conn_get_fd(conn); +- FD_SET(max_fd, r_fds); ++ if (max_fd >= 0 && max_fd < FD_SETSIZE) { ++ FD_SET(max_fd, r_fds); ++ } + } + #endif + +diff --git a/source3/lib/packet.c b/source3/lib/packet.c +index c131b97..8d815c9 100644 +--- a/source3/lib/packet.c ++++ b/source3/lib/packet.c +@@ -107,6 +107,11 @@ NTSTATUS packet_fd_read_sync(struct packet_context *ctx, + int res; + fd_set r_fds; + ++ if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) { ++ errno = EBADF; ++ return map_nt_error_from_unix(errno); ++ } ++ + FD_ZERO(&r_fds); + FD_SET(ctx->fd, &r_fds); + +diff --git a/source3/lib/readline.c b/source3/lib/readline.c +index 34867aa..70a82f2 100644 +--- a/source3/lib/readline.c ++++ b/source3/lib/readline.c +@@ -91,6 +91,11 @@ static char *smb_readline_replacement(const char *prompt, void (*callback)(void) + timeout.tv_sec = 5; + timeout.tv_usec = 0; + ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ errno = EBADF; ++ break; ++ } ++ + FD_ZERO(&fds); + FD_SET(fd,&fds); + +diff --git a/source3/lib/select.c b/source3/lib/select.c +index b5443ff..2230b43 100644 +--- a/source3/lib/select.c ++++ b/source3/lib/select.c +@@ -75,6 +75,17 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s + return -1; + } + ++ if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) { ++ DEBUG(0, ("sys_select: bad fd\n")); ++ if (readfds != NULL) ++ FD_ZERO(readfds); ++ if (writefds != NULL) ++ FD_ZERO(writefds); ++ if (errorfds != NULL) ++ FD_ZERO(errorfds); ++ errno = EBADF; ++ return -1; ++ } + /* + * These next two lines seem to fix a bug with the Linux + * 2.0.x kernel (and probably other UNIXes as well) where +@@ -101,6 +112,7 @@ int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, s + readfds2 = &readfds_buf; + FD_ZERO(readfds2); + } ++ + FD_SET(select_pipe[0], readfds2); + + errno = 0; +diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c +index 08cbced..7a573ad 100644 +--- a/source3/lib/util_sock.c ++++ b/source3/lib/util_sock.c +@@ -495,6 +495,11 @@ NTSTATUS read_fd_with_timeout(int fd, char *buf, + timeout.tv_usec = (long)(1000 * (time_out % 1000)); + + for (nread=0; nread < mincnt; ) { ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ errno = EBADF; ++ return map_nt_error_from_unix(EBADF); ++ } ++ + FD_ZERO(&fds); + FD_SET(fd,&fds); + +@@ -1235,7 +1240,7 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, + + for (i=0; i<num_addrs; i++) { + sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0); +- if (sockets[i] < 0) ++ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) + goto done; + set_blocking(sockets[i], false); + } +@@ -1284,8 +1289,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, + FD_ZERO(&r_fds); + + for (i=0; i<num_addrs; i++) { +- if (sockets[i] == -1) ++ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) { ++ /* This cannot happen - ignore if so. */ + continue; ++ } + FD_SET(sockets[i], &wr_fds); + FD_SET(sockets[i], &r_fds); + if (sockets[i]>maxfd) +@@ -1305,8 +1312,10 @@ bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs, + + for (i=0; i<num_addrs; i++) { + +- if (sockets[i] == -1) ++ if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) { ++ /* This cannot happen - ignore if so. */ + continue; ++ } + + /* Stevens, Network Programming says that if there's a + * successful connect, the socket is only writable. Upon an +diff --git a/source3/libaddns/dnssock.c b/source3/libaddns/dnssock.c +index 7c8bd41..bf11fea 100644 +--- a/source3/libaddns/dnssock.c ++++ b/source3/libaddns/dnssock.c +@@ -219,6 +219,11 @@ static DNS_ERROR read_all(int fd, uint8 *data, size_t len) + ssize_t ret; + int fd_ready; + ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ /* read timeout */ ++ return ERROR_DNS_SOCKET_ERROR; ++ } ++ + FD_ZERO( &rfds ); + FD_SET( fd, &rfds ); + +diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c +index 267a49f..c47f827 100644 +--- a/source3/libsmb/nmblib.c ++++ b/source3/libsmb/nmblib.c +@@ -1094,6 +1094,11 @@ struct packet_struct *receive_packet(int fd,enum packet_type type,int t) + struct timeval timeout; + int ret; + ++ if (fd < 0 || fd >= FD_SETSIZE) { ++ errno = EBADF; ++ return NULL; ++ } ++ + FD_ZERO(&fds); + FD_SET(fd,&fds); + timeout.tv_sec = t/1000; +diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c +index a753b28..0eafb2c 100644 +--- a/source3/nmbd/nmbd_packets.c ++++ b/source3/nmbd/nmbd_packets.c +@@ -1696,7 +1696,7 @@ static bool create_listen_fdset(fd_set **ppset, int **psock_array, int *listen_n + /* each interface gets 4 sockets */ + count *= 4; + +- if(count > FD_SETSIZE) { ++ if(count >= FD_SETSIZE) { + DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \ + only use %d.\n", count, FD_SETSIZE)); + SAFE_FREE(pset); +@@ -1712,6 +1712,12 @@ only use %d.\n", count, FD_SETSIZE)); + FD_ZERO(pset); + + /* Add in the lp_socket_address() interface on 137. */ ++ if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) { ++ errno = EBADF; ++ SAFE_FREE(pset); ++ return True; ++ } ++ + FD_SET(ClientNMB,pset); + sock_array[num++] = ClientNMB; + *maxfd = MAX( *maxfd, ClientNMB); +@@ -1721,18 +1727,29 @@ only use %d.\n", count, FD_SETSIZE)); + + /* Add in the 137 sockets on all the interfaces. */ + for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { ++ if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) { ++ /* We have to ignore sockets outside FD_SETSIZE. */ ++ continue; ++ } + FD_SET(subrec->nmb_sock,pset); + sock_array[num++] = subrec->nmb_sock; + *maxfd = MAX( *maxfd, subrec->nmb_sock); + +- sock_array[num++] = subrec->nmb_bcast; +- if (subrec->nmb_bcast != -1) { +- FD_SET(subrec->nmb_bcast,pset); +- *maxfd = MAX( *maxfd, subrec->nmb_bcast); ++ if (subrec->nmb_bcast < 0 || subrec->nmb_bcast >= FD_SETSIZE) { ++ /* We have to ignore sockets outside FD_SETSIZE. */ ++ continue; + } ++ sock_array[num++] = subrec->nmb_bcast; ++ FD_SET(subrec->nmb_bcast,pset); ++ *maxfd = MAX( *maxfd, subrec->nmb_bcast); + } + + /* Add in the lp_socket_address() interface on 138. */ ++ if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) { ++ errno = EBADF; ++ SAFE_FREE(pset); ++ return True; ++ } + FD_SET(ClientDGRAM,pset); + sock_array[num++] = ClientDGRAM; + *maxfd = MAX( *maxfd, ClientDGRAM); +@@ -1742,10 +1759,18 @@ only use %d.\n", count, FD_SETSIZE)); + + /* Add in the 138 sockets on all the interfaces. */ + for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { ++ if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE) { ++ /* We have to ignore sockets outside FD_SETSIZE. */ ++ continue; ++ } + FD_SET(subrec->dgram_sock,pset); + sock_array[num++] = subrec->dgram_sock; + *maxfd = MAX( *maxfd, subrec->dgram_sock); + ++ if (subrec->dgram_bcast < 0 || subrec->dgram_bcast >= FD_SETSIZE) { ++ /* We have to ignore sockets outside FD_SETSIZE. */ ++ continue; ++ } + sock_array[num++] = subrec->dgram_bcast; + if (subrec->dgram_bcast != -1) { + FD_SET(subrec->dgram_bcast,pset); +@@ -1876,7 +1901,7 @@ bool listen_for_packets(bool run_election) + + #ifndef SYNC_DNS + dns_fd = asyncdns_fd(); +- if (dns_fd != -1) { ++ if (dns_fd >= 0 && dns_fd < FD_SETSIZE) { + FD_SET(dns_fd, &r_fds); + maxfd = MAX( maxfd, dns_fd); + } +diff --git a/source3/utils/smbfilter.c b/source3/utils/smbfilter.c +index 65d8461..e7abf52 100644 +--- a/source3/utils/smbfilter.c ++++ b/source3/utils/smbfilter.c +@@ -193,8 +193,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss) + int num; + + FD_ZERO(&fds); +- if (s != -1) FD_SET(s, &fds); +- if (c != -1) FD_SET(c, &fds); ++ if (s >= 0 && s < FD_SETSIZE) FD_SET(s, &fds); ++ if (c >= 0 && c < FD_SETSIZE) FD_SET(c, &fds); + + num = sys_select_intr(MAX(s+1, c+1),&fds,NULL,NULL,NULL); + if (num <= 0) continue; +@@ -267,6 +267,9 @@ static void start_filter(char *desthost) + socklen_t in_addrlen = sizeof(ss); + + FD_ZERO(&fds); ++ if (s < 0 || s >= FD_SETSIZE) { ++ break; ++ } + FD_SET(s, &fds); + + num = sys_select_intr(s+1,&fds,NULL,NULL,NULL); +diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c +index 44e8552..117d55d 100644 +--- a/source3/winbindd/winbindd_dual.c ++++ b/source3/winbindd/winbindd_dual.c +@@ -1460,6 +1460,13 @@ static bool fork_domain_child(struct winbindd_child *child) + + FD_ZERO(&r_fds); + FD_ZERO(&w_fds); ++ ++ if (state.sock < 0 || state.sock >= FD_SETSIZE) { ++ TALLOC_FREE(frame); ++ perror("EBADF"); ++ _exit(1); ++ } ++ + FD_SET(state.sock, &r_fds); + maxfd = state.sock; + diff --git a/debian/patches/series b/debian/patches/series index e217acf54e..8de8f6bfaf 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -13,3 +13,4 @@ no-unnecessary-cups.patch autoconf.patch bug_605728_upstream_7791.patch bug_574468_upstream_7265.patch +security-CVE-2011-0719.patch |