From 9d776422ce289f6ffc713e0294a5f5f9d52fa8d7 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Wed, 19 Mar 2008 18:38:34 +0000
Subject: [PATCH] pull up r20278 from trunk
r20278@cathode-dark-space: raeburn | 2008-03-18 14:55:26 -0400 ticket: new subject: MITKRB5-SA-2008-002 target_version: 1.6.4 tags: pullup Fix MITKRB5-SA-2008-002: array overrun in libgssrpc. Don't update the internally-tracked maximum file descriptor value if the new one is FD_SETSIZE (or NOFILE) or above. Reject TCP file descriptors of FD_SETSIZE (NOFILE) or above. ticket: 5918 version_fixed: 1.6.4 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@20282 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/rpc/svc.c | 6 ++++--
 src/lib/rpc/svc_tcp.c | 25 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c
index 93b4fd121..25b13f63b 100644
--- a/src/lib/rpc/svc.c
+++ b/src/lib/rpc/svc.c
@@ -109,15 +109,17 @@ xprt_register(SVCXPRT *xprt)
 if (sock < FD_SETSIZE) {
 xports[sock] = xprt;
 FD_SET(sock, &svc_fdset);
+ if (sock > svc_maxfd)
+ svc_maxfd = sock;
 }
 #else
 if (sock < NOFILE) {
 xports[sock] = xprt;
 svc_fds |= (1 << sock);
+ if (sock > svc_maxfd)
+ svc_maxfd = sock;
 }
 #endif /* def FD_SETSIZE */
- if (sock > svc_maxfd)
- svc_maxfd = sock;
 }
 /*
diff --git a/src/lib/rpc/svc_tcp.c b/src/lib/rpc/svc_tcp.c
index d49cf3672..3a336d08e 100644
--- a/src/lib/rpc/svc_tcp.c
+++ b/src/lib/rpc/svc_tcp.c
@@ -53,6 +53,14 @@ static char sccsid[] = "@(#)svc_tcp.c 1.21 87/08/11 Copyr 1984 Sun Micro";
 extern errno;
 */
+#ifndef FD_SETSIZE
+#ifdef NBBY
+#define NOFILE (sizeof(int) * NBBY)
+#else
+#define NOFILE (sizeof(int) * 8)
+#endif
+#endif
+
 /*
 * Ops vector for TCP/IP based rpc service handle
 */
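Review bot: In xprt_register (src/lib/rpc/svc.c) both guards test only the upper bound, so a negative `sock` would still satisfy `sock < FD_SETSIZE` and reach `xports[sock] = xprt;`, assuming `sock` is a signed int (its declaration is above the hunk). Writing the condition as `if (sock >= 0 && sock < FD_SETSIZE) {`, and likewise for `NOFILE`, closes the other end of the range. An out-of-range descriptor is also skipped with no signal to the caller, so a comment such as `/* out-of-range fds are not registered, and svc_maxfd must stay below FD_SETSIZE */` would record the intent behind moving the update inside the guard.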
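Review bot: The fallback `NOFILE` added to svc_tcp.c has no `#ifndef NOFILE` guard and is defined separately from the `NOFILE` that svc.c tests in `sock < NOFILE`, so the two files can drift apart, or this definition can clash with one supplied by a system header. Keeping a single definition in a header both files include would tie the limit checked in makefd_xprt to the bitmask width that `svc_fds |= (1 << sock)` relies on. The expression also has type `size_t`, so `fd >= NOFILE` is an unsigned comparison, whereas `FD_SETSIZE` is normally a plain int constant; the two branches therefore treat a negative fd differently.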
@@ -213,6 +221,19 @@ makefd_xprt(
 register SVCXPRT *xprt;
 register struct tcp_conn *cd;
+#ifdef FD_SETSIZE
+ if (fd >= FD_SETSIZE) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+ xprt = NULL;
+ goto done;
+ }
+#else
+ if (fd >= NOFILE) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+ xprt = NULL;
+ goto done;
+ }
+#endif
 xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
 if (xprt == (SVCXPRT *)NULL) {
 (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
@@ -268,6 +289,10 @@ rendezvous_request(
 * make a new transporter (re-uses xprt)
 */
 xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
+ if (xprt == NULL) {
+ close(sock);
+ return (FALSE);
+ }
 xprt->xp_raddr = addr;
 xprt->xp_addrlen = len;
 xprt->xp_laddr = laddr;
-- 
2.26.2
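Review bot: The two new guards in makefd_xprt are identical apart from the limit macro and check only the upper bound, so in the `FD_SETSIZE` branch a negative `fd` would still pass and later reach the `xports[sock]` store in xprt_register. Selecting one limit macro under the existing `#ifdef FD_SETSIZE` and testing it once with `if (fd < 0 || fd >= LIMIT) {` (LIMIT is a placeholder name) would remove the duplication and reject both ends of the range. On this path `fd` is left open and NULL is returned through `done:`, which lies outside the hunk; a comment stating that the caller keeps ownership of `fd` on failure would make that contract explicit.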
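Review bot: The NULL check added in rendezvous_request is the only place in this patch that closes the descriptor after makefd_xprt refuses it, so any other caller of makefd_xprt (none is visible here) would need the same handling or it will dereference NULL as the old code did at `xprt->xp_raddr = addr;`. A short comment above the check, for example `/* makefd_xprt failed (fd out of range or allocation failure) and left sock open */`, would document why the close belongs in this function. The refusal is reported only through makefd_xprt's stderr message, which a daemon may not have attached to anything, so it is worth routing that event to the service's log where operators can see refused connections.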