Changeset 578

Timestamp:

Jun 25, 2011, 7:14:41 PM (14 years ago)

Author:

Herwig Bauernfeind

Message:

Update Samba 3.3 to 3.3.15 (security update)

Location:

branches/samba-3.3.x

Files:

• WHATSNEW.txt (modified) (2 diffs)
• packaging/RHEL-CTDB/samba.spec (modified) (1 diff)
• packaging/RHEL/makerpms.sh (modified) (1 diff)
• packaging/RHEL/samba.spec (modified) (1 diff)
• source/VERSION (modified) (1 diff)
• source/client/client.c (modified) (1 diff)
• source/client/dnsbrowse.c (modified) (2 diffs)
• source/lib/events.c (modified) (2 diffs)
• source/lib/packet.c (modified) (1 diff)
• source/lib/readline.c (modified) (1 diff)
• source/lib/select.c (modified) (2 diffs)
• source/lib/util_sock.c (modified) (3 diffs)
• source/libaddns/dnssock.c (modified) (1 diff)
• source/libsmb/nmblib.c (modified) (1 diff)
• source/nmbd/nmbd_packets.c (modified) (6 diffs)
• source/nsswitch/wb_common.c (modified) (3 diffs)
• source/printing/printing.c (modified) (1 diff)
• source/smbd/dnsregister.c (modified) (2 diffs)
• source/smbd/oplock.c (modified) (1 diff)
• source/smbd/oplock_irix.c (modified) (1 diff)
• source/smbd/process.c (modified) (1 diff)
• source/smbd/server.c (modified) (5 diffs)
• source/utils/smbfilter.c (modified) (2 diffs)
• source/winbindd/winbindd.c (modified) (3 diffs)
• source/winbindd/winbindd_dual.c (modified) (2 diffs)

branches/samba-3.3.x/WHATSNEW.txt

@@ +1 @@
+                   ==============================
+                   Release Notes for Samba 3.3.15
+                         February 28, 2011
+                   ==============================
+
+
+This is a security release in order to address CVE-2011-0719.
+
+
+o  CVE-2011-0719:
+   All current released versions of Samba are vulnerable to
+   a denial of service caused by memory corruption. Range
+   checks on file descriptors being used in the FD_SET macro
+   were not present allowing stack corruption. This can cause
+   the Samba code to crash or to loop attempting to select
+   on a bad file descriptor set.
+
+
+Changes since 3.3.14
+--------------------
+
+
+o   Jeremy Allison <jra@samba.org>
+    * BUG 7949: Fix DoS in Winbind and smbd with many file descriptors open.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ==============================
                    Release Notes for Samba 3.3.14
@@ -51 +100 @@
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================

branches/samba-3.3.x/packaging/RHEL-CTDB/samba.spec

@@ -6 +6 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.3.14
+Version:      3.3.15
 Release:      ctdb.1
 Epoch:        0

branches/samba-3.3.x/packaging/RHEL/makerpms.sh

@@ -21 +21 @@
 USERID=`id -u`
 GRPID=`id -g`
-VERSION='3.3.14'
+VERSION='3.3.15'
 REVISION=''
 SPECFILE="samba.spec"

branches/samba-3.3.x/packaging/RHEL/samba.spec

@@ -6 +6 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.3.14
+Version:      3.3.15
 Release:      1
 Epoch:        0

branches/samba-3.3.x/source/VERSION

@@ -26 +26 @@
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=14
+SAMBA_VERSION_RELEASE=15
 
 ########################################################

branches/samba-3.3.x/source/client/client.c

@@ -4380 +4380 @@
  again:
 
-        if (cli->fd == -1)
+        if (cli->fd < 0 || cli->fd >= FD_SETSIZE) {
+                errno = EBADF;
                 return;
+        }
 
         FD_ZERO(&fds);

branches/samba-3.3.x/source/client/dnsbrowse.c

@@ -80 +80 @@
                 if (fdset != NULL) {
                         TALLOC_FREE(fdset);
+                }
+
+                if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        break;
                 }
 
@@ -184 +189 @@
                 fdsetsz = howmany(mdnsfd + 1, NFDBITS) * sizeof(fd_mask);
                 fdset = TALLOC_ZERO(ctx, fdsetsz);
+
+                if (mdnsfd < 0 || mdnsfd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        TALLOC_FREE(ctx);
+                        return 1;
+                }
+
                 FD_SET(mdnsfd, fdset);
 

branches/samba-3.3.x/source/lib/events.c

@@ -141 +141 @@
         struct fd_event *fde;
 
+        if (fd < 0 || fd >= FD_SETSIZE) {
+                errno = EBADF;
+                return NULL;
+        }
+
         if (!(fde = TALLOC_P(mem_ctx, struct fd_event))) {
                 return NULL;
@@ -191 +196 @@
 
         for (fde = event_ctx->fd_events; fde; fde = fde->next) {
+                if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+                        /* We ignore here, as it shouldn't be
+                           possible to add an invalid fde->fd
+                           but we don't want FD_SET to see an
+                           invalid fd. */
+                        continue;
+                }
+
                 if (fde->flags & EVENT_FD_READ) {
                         FD_SET(fde->fd, read_fds);

branches/samba-3.3.x/source/lib/packet.c

@@ -107 +107 @@
         fd_set r_fds;
 
+        if (ctx->fd < 0 || ctx->fd >= FD_SETSIZE) {
+                errno = EBADF;
+                return map_nt_error_from_unix(errno);
+        }
+
         FD_ZERO(&r_fds);
         FD_SET(ctx->fd, &r_fds);

branches/samba-3.3.x/source/lib/readline.c

@@ -92 +92 @@
                 timeout.tv_usec = 0;
 
+                if (fd < 0 || fd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        break;
+                }
+
                 FD_ZERO(&fds);
                 FD_SET(fd,&fds);

branches/samba-3.3.x/source/lib/select.c

@@ -66 +66 @@
                         smb_panic("Could not create select pipe");
 
+                if (select_pipe[0] < 0 || select_pipe[0] >= FD_SETSIZE) {
+                        errno = EBADF;
+                        return -1;
+                }
+
                 /*
                  * These next two lines seem to fix a bug with the Linux
@@ -92 +97 @@
                 FD_ZERO(readfds2);
         }
+
         FD_SET(select_pipe[0], readfds2);
 

branches/samba-3.3.x/source/lib/util_sock.c

@@ -961 +961 @@
 
         for (nread=0; nread < mincnt; ) {
+                if (fd < 0 || fd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        return map_nt_error_from_unix(EBADF);
+                }
+
                 FD_ZERO(&fds);
                 FD_SET(fd,&fds);
@@ -1493 +1498 @@
         for (i=0; i<num_addrs; i++) {
                 sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
-                if (sockets[i] < 0)
+                if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE)
                         goto done;
                 set_blocking(sockets[i], false);
@@ -1542 +1547 @@
 
         for (i=0; i<num_addrs; i++) {
-                if (sockets[i] == -1)
+                if (sockets[i] < 0 || sockets[i] >= FD_SETSIZE) {
+                        /* This cannot happen - ignore if so. */
                         continue;
+                }
                 FD_SET(sockets[i], &wr_fds);
                 FD_SET(sockets[i], &r_fds);

branches/samba-3.3.x/source/libaddns/dnssock.c

@@ -219 +219 @@
                 ssize_t ret;
                 int fd_ready;
-                
+
+                if (fd < 0 || fd >= FD_SETSIZE) {
+                        return ERROR_DNS_SOCKET_ERROR;
+                }
+
                 FD_ZERO( &rfds );
                 FD_SET( fd, &rfds );

branches/samba-3.3.x/source/libsmb/nmblib.c

@@ -1098 +1098 @@
         int ret;
 
+        if (fd < 0 || fd >= FD_SETSIZE) {
+                errno = EBADF;
+                return NULL;
+        }
+
         FD_ZERO(&fds);
         FD_SET(fd,&fds);

branches/samba-3.3.x/source/nmbd/nmbd_packets.c

@@ -1684 +1684 @@
                 count++;
 
-        if((count*2) + 2 > FD_SETSIZE) {
+        if((count*2) + 2 >= FD_SETSIZE) {
                 DEBUG(0,("create_listen_fdset: Too many file descriptors needed (%d). We can \
 only use %d.\n", (count*2) + 2, FD_SETSIZE));
@@ -1700 +1700 @@
 
         /* Add in the broadcast socket on 137. */
+        if (ClientNMB < 0 || ClientNMB >= FD_SETSIZE) {
+                errno = EBADF;
+                SAFE_FREE(pset);
+                return True;
+        }
+
         FD_SET(ClientNMB,pset);
         sock_array[num++] = ClientNMB;
@@ -1706 +1712 @@
         /* Add in the 137 sockets on all the interfaces. */
         for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
+                if (subrec->nmb_sock < 0 || subrec->nmb_sock >= FD_SETSIZE) {
+                        /* We have to ignore sockets outside FD_SETSIZE. */
+                        continue;
+                }
                 FD_SET(subrec->nmb_sock,pset);
                 sock_array[num++] = subrec->nmb_sock;
@@ -1712 +1722 @@
 
         /* Add in the broadcast socket on 138. */
+        if (ClientDGRAM < 0 || ClientDGRAM >= FD_SETSIZE) {
+                errno = EBADF;
+                SAFE_FREE(pset);
+                return True;
+        }
+
         FD_SET(ClientDGRAM,pset);
         sock_array[num++] = ClientDGRAM;
@@ -1718 +1734 @@
         /* Add in the 138 sockets on all the interfaces. */
         for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
+                if (subrec->dgram_sock < 0 || subrec->dgram_sock >= FD_SETSIZE) {
+                        /* We have to ignore sockets outside FD_SETSIZE. */
+                        continue;
+                }
                 FD_SET(subrec->dgram_sock,pset);
                 sock_array[num++] = subrec->dgram_sock;
@@ -1768 +1788 @@
 #ifndef SYNC_DNS
         dns_fd = asyncdns_fd();
-        if (dns_fd != -1) {
+        if (dns_fd >= 0 && dns_fd < FD_SETSIZE) {
                 FD_SET(dns_fd, &r_fds);
                 maxfd = MAX( maxfd, dns_fd);

branches/samba-3.3.x/source/nsswitch/wb_common.c

@@ -241 +241 @@
                 switch (errno) {
                         case EINPROGRESS:
+
+                                if (fd < 0 || fd >= FD_SETSIZE) {
+                                        errno = EBADF;
+                                        goto error_out;
+                                }
+
                                 FD_ZERO(&w_fds);
                                 FD_SET(fd, &w_fds);
@@ -384 +390 @@
                 struct timeval tv;
                 fd_set r_fds;
-                
+
+                if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        winbind_close_sock();
+                        return -1;
+                }
+
                 /* Catch pipe close on other end by checking if a read()
                    call would not block by calling select(). */
@@ -444 +456 @@
                 struct timeval tv;
                 fd_set r_fds;
-                
+
+                if (winbindd_fd < 0 || winbindd_fd >= FD_SETSIZE) {
+                        errno = EBADF;
+                        winbind_close_sock();
+                        return -1;
+                }
+
                 /* Catch pipe close on other end by checking if a read()
                    call would not block by calling select(). */

branches/samba-3.3.x/source/printing/printing.c

@@ -1413 +1413 @@
         }
 
+        if (pause_pipe[1] < 0 || pause_pipe[1] >= FD_SETSIZE) {
+                DEBUG(5,("start_background_queue: pipe fd out of range.\n"));
+                exit(1);
+        }
+
         background_lpq_updater_pid = sys_fork();
 

branches/samba-3.3.x/source/smbd/dnsregister.c

@@ -126 +126 @@
         if (dns_state->srv_ref != NULL) {
                 mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);
+                if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) {
+                        return;
+                }
                 FD_SET(mdnsd_conn_fd, listen_set);
                 return;
@@ -157 +160 @@
 
         mdnsd_conn_fd = DNSServiceRefSockFD(dns_state->srv_ref);
+        if (mdnsd_conn_fd < 0 || mdnsd_conn_fd >= FD_SETSIZE) {
+                return;
+        }
         FD_SET(mdnsd_conn_fd, listen_set);
         *maxfd = MAX(*maxfd, mdnsd_conn_fd);

branches/samba-3.3.x/source/smbd/oplock.c

@@ -242 +242 @@
 {
         if (koplocks) {
-                return koplocks->notification_fd;
+                int fd = koplocks->notification_fd;
+                if (fd < 0 || fd >= FD_SETSIZE) {
+                        return -1;
+                }
         }
 

branches/samba-3.3.x/source/smbd/oplock_irix.c

@@ -285 +285 @@
         }
 
+        if (pfd[0] < 0 || pfd[0] >= FD_SETSIZE) {
+                DEBUG(0,("setup_kernel_oplock_pipe: fd out of range.\n"));
+                return False;
+        }
+
         oplock_pipe_read = pfd[0];
         oplock_pipe_write = pfd[1];

branches/samba-3.3.x/source/smbd/process.c

@@ -699 +699 @@
 static int select_on_fd(int fd, int maxfd, fd_set *fds)
 {
-        if (fd != -1) {
+        if (fd != -1 && fd < FD_SETSIZE) {
                 FD_SET(fd, fds);
                 maxfd = MAX(maxfd, fd);

branches/samba-3.3.x/source/smbd/server.c

@@ -210 +210 @@
         /* We will abort gracefully when the client or remote system 
            goes away */
-        smbd_set_server_fd(dup(0));
+        int fd = dup(0);
+
+        if (fd < 0 || fd >= FD_SETSIZE) {
+                return false;
+        }
+
+        smbd_set_server_fd(fd);
         
         /* close our standard file descriptors */
@@ -437 +443 @@
                                                         ifss,
                                                         true);
-                                if(s == -1) {
+                                if(s < 0 || s >= FD_SETSIZE) {
+                                        close(s);
                                         continue;
                                 }
@@ -517 +524 @@
                                                 &ss,
                                                 true);
-                                if (s == -1) {
+                                if (s < 0 || s >= FD_SETSIZE) {
                                         continue;
                                 }
@@ -710 +717 @@
                         socklen_t in_addrlen = sizeof(addr);
                         pid_t child = 0;
+                        int fd;
 
                         s = -1;
@@ -722 +730 @@
                         }
 
-                        smbd_set_server_fd(accept(s,&addr,&in_addrlen));
-
-                        if (smbd_server_fd() == -1 && errno == EINTR)
+                        fd = accept(s,&addr,&in_addrlen);
+                        if (fd == -1 && errno == EINTR)
                                 continue;
-
-                        if (smbd_server_fd() == -1) {
+                        if (fd == -1) {
                                 DEBUG(2,("open_sockets_smbd: accept: %s\n",
                                          strerror(errno)));
                                 continue;
                         }
+                        if (fd < 0 || fd >= FD_SETSIZE) {
+                                DEBUG(2,("open_sockets_smbd: bad fd %d\n",
+                                        fd ));
+                                continue;
+                        }
+
+                        smbd_set_server_fd(fd);
 
                         /* Ensure child is set to blocking mode */

branches/samba-3.3.x/source/utils/smbfilter.c

@@ -163 +163 @@
                 
                 FD_ZERO(&fds);
-                if (s != -1) FD_SET(s, &fds);
-                if (c != -1) FD_SET(c, &fds);
+                if (s >= 0 && s < FD_SETSIZE) FD_SET(s, &fds);
+                if (c >= 0 && c < FD_SETSIZE) FD_SET(c, &fds);
 
                 num = sys_select_intr(MAX(s+1, c+1),&fds,NULL,NULL,NULL);
@@ -236 +236 @@
                 socklen_t in_addrlen = sizeof(ss);
                 
+                if (s < 0 || s >= FD_SETSIZE) {
+                        break;
+                }
+
                 FD_ZERO(&fds);
                 FD_SET(s, &fds);

branches/samba-3.3.x/source/winbindd/winbindd.c

@@ -837 +837 @@
         listen_priv_sock = open_winbindd_priv_socket();
 
-        if (listen_sock == -1 || listen_priv_sock == -1) {
+        if (listen_sock < 0 || listen_sock >= FD_SETSIZE ||
+                        listen_priv_sock < 0 || listen_priv_sock >= FD_SETSIZE) {
                 perror("open_winbind_socket");
                 exit(1);
@@ -862 +863 @@
         FD_ZERO(&r_fds);
         FD_ZERO(&w_fds);
+
+        /* We check the range for listen_sock and
+           listen_priv_sock above. */
         FD_SET(listen_sock, &r_fds);
         FD_SET(listen_priv_sock, &r_fds);
@@ -891 +895 @@
 
         for (ev = fd_events; ev; ev = ev->next) {
+                if (ev->fd < 0 || ev->fd >= FD_SETSIZE) {
+                        /* Ignore here - event_add_to_select_args
+                           should make this impossible. */
+                        continue;
+                }
+
                 if (ev->flags & EVENT_FD_READ) {
                         FD_SET(ev->fd, &r_fds);

branches/samba-3.3.x/source/winbindd/winbindd_dual.c

@@ -1251 +1251 @@
         }
 
+        if (fdpair[0] < 0 || fdpair[0] >= FD_SETSIZE) {
+                DEBUG(0, ("fork_domain_child: bad fd range (%d)\n", fdpair[0]));
+                errno = EBADF;
+                return False;
+        }
+
         ZERO_STRUCT(state);
         state.pid = sys_getpid();
@@ -1406 +1412 @@
 
                 FD_ZERO(&read_fds);
+                /* We check state.sock against FD_SETSIZE above. */
                 FD_SET(state.sock, &read_fds);