From d8d990c823f7ba6070622acf5ff2d08af7c1d7a9 Mon Sep 17 00:00:00 2001
From: Ken Raeburn
Date: Tue, 18 Mar 2008 18:55:26 +0000
Subject: [PATCH] MITKRB5-SA-2008-002 Fix MITKRB5-SA-2008-002: array overrun in libgssrpc. Don't update the internally-tracked maximum file descriptor value if the new one is FD_SETSIZE (or NOFILE) or above. Reject TCP file descriptors of FD_SETSIZE (NOFILE) or above. ticket: new target_version: 1.6.4 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20278 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/rpc/svc.c | 6 ++++--
 src/lib/rpc/svc_tcp.c | 25 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c
index 93b4fd121..25b13f63b 100644
--- a/src/lib/rpc/svc.c
+++ b/src/lib/rpc/svc.c
@@ -109,15 +109,17 @@ xprt_register(SVCXPRT *xprt)
 if (sock < FD_SETSIZE) {
 xports[sock] = xprt;
 FD_SET(sock, &svc_fdset);
+ if (sock > svc_maxfd)
+ svc_maxfd = sock;
 }
 #else
 if (sock < NOFILE) {
 xports[sock] = xprt;
 svc_fds |= (1 << sock);
+ if (sock > svc_maxfd)
+ svc_maxfd = sock;
 }
 #endif /* def FD_SETSIZE */
- if (sock > svc_maxfd)
- svc_maxfd = sock;
 }
 /*
diff --git a/src/lib/rpc/svc_tcp.c b/src/lib/rpc/svc_tcp.c
index e48d50455..a81221f34 100644
--- a/src/lib/rpc/svc_tcp.c
+++ b/src/lib/rpc/svc_tcp.c
@@ -54,6 +54,14 @@ static char sccsid[] = "@(#)svc_tcp.c 1.21 87/08/11 Copyr 1984 Sun Micro";
 extern errno;
 */
+#ifndef FD_SETSIZE
+#ifdef NBBY
+#define NOFILE (sizeof(int) * NBBY)
+#else
+#define NOFILE (sizeof(int) * 8)
+#endif
+#endif
+
 /*
 * Ops vector for TCP/IP based rpc service handle
 */
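Review bot: The bounds guard that now also protects `svc_maxfd` in xprt_register has only an upper limit, and a descriptor that fails it is dropped without any signal to the caller. In the FD_SETSIZE branch, `if (sock < FD_SETSIZE)` would still accept a negative `sock` and index `xports[sock]` below the array; the declaration of `sock` is outside the hunk, so whether a negative value can reach this point needs confirming, and `if (sock >= 0 && sock < FD_SETSIZE) {` closes it either way. Because the function returns nothing, a comment such as `/* out-of-range descriptors are not registered; creators must reject them first (see makefd_xprt) */` would record why the silent skip is acceptable on the TCP path. Any other creator of transports, not shown in this patch, would need its own check.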
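Review bot: This fallback `NOFILE` definition in svc_tcp.c has no comment tying it to the limit that svc.c applies, and svc.c tests `sock < NOFILE` in its own `#else` branch, so the two files presumably carry separate copies that must stay equal. If they ever differ, makefd_xprt could accept a descriptor that xprt_register then silently skips. I would add `/* Must match NOFILE in svc.c: one bit per descriptor in the int-sized svc_fds mask */` above the block, or move the definition into a shared header. The expression also has type `size_t`, so every comparison against it is unsigned.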
@@ -215,6 +223,19 @@ makefd_xprt(
 register SVCXPRT *xprt;
 register struct tcp_conn *cd;
+#ifdef FD_SETSIZE
+ if (fd >= FD_SETSIZE) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+ xprt = NULL;
+ goto done;
+ }
+#else
+ if (fd >= NOFILE) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+ xprt = NULL;
+ goto done;
+ }
+#endif
 xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
 if (xprt == (SVCXPRT *)NULL) {
 (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
@@ -271,6 +292,10 @@ rendezvous_request(
 * make a new transporter (re-uses xprt)
 */
 xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
+ if (xprt == NULL) {
+ close(sock);
+ return (FALSE);
+ }
 xprt->xp_raddr = addr;
 xprt->xp_addrlen = len;
 xprt->xp_laddr = laddr;
-- 
2.26.2
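Review bot: The new guard in makefd_xprt rejects only descriptors that are too large, and its two preprocessor branches treat a negative `fd` differently. With `FD_SETSIZE` (normally a plain int constant) a negative `fd` passes the test, while with `NOFILE` (a `size_t` expression) it is converted to a large unsigned value and rejected. The branches are otherwise identical, so one limit macro and one check with an explicit lower bound would remove both the duplication and the asymmetry; the macro name below is only a suggestion. The `done:` label and the rest of the function are outside the hunk.

```c
#ifdef FD_SETSIZE
#define SVC_TCP_FD_LIMIT FD_SETSIZE
#else
#define SVC_TCP_FD_LIMIT NOFILE
#endif

	register struct tcp_conn *cd;

	/* Reject descriptors that cannot index the transport table. */
	if (fd < 0 || fd >= SVC_TCP_FD_LIMIT) {
		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd out of range\n");
		xprt = NULL;
		goto done;
	}
	/* … unchanged: mem_alloc of the SVCXPRT and the out-of-memory path … */
```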
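Review bot: The new NULL check in rendezvous_request carries no comment saying which failures it covers, and it is the only thing between a failed makefd_xprt and the `xprt->xp_raddr` store right below it. From the makefd_xprt hunk, NULL is set for a descriptor at or above the limit, and the out-of-memory branch visible there appears to fail the same way, so I would add `/* makefd_xprt failed (fd out of range or out of memory): drop the connection */` above the `if`. Each rejection also writes a line to stderr from makefd_xprt, so a peer that holds many connections open can make this path noisy, which is worth knowing when monitoring the service's logs. The rest of rendezvous_request is outside the hunk.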