]> granicus.if.org Git - libtirpc/commitdiff
projects / libtirpc / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3fa2e19)
[PATCH] port fix for CVE-2008-0947
authorJeff Layton <jlayton@redhat.com>
Mon, 20 Apr 2009 16:22:22 +0000 (12:22 -0400)
committerSteve Dickson <steved@redhat.com>
Mon, 20 Apr 2009 16:22:22 +0000 (12:22 -0400)
Adds bounds checking of fd passed into makefd_xprt against FD_SETSIZE.

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt

This was reported against MIT krb5 code, but it looks like libtirpc
has a similar problem.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
src/svc_vc.c patch | blob | history

diff --git a/src/svc_vc.c b/src/svc_vc.c
index 44d3497bb75b8d3a99f772e0f6a88e188c00ac8a..7a1f5c38a2a9e98cfdd2f1a992aca72eba93568a 100644 (file)
--- a/src/svc_vc.c
+++ b/src/svc_vc.c
@@ -261,6 +261,12 @@ makefd_xprt(fd, sendsize, recvsize)
  
        assert(fd != -1);
 
+        if (fd >= FD_SETSIZE) {
+                warnx("svc_vc: makefd_xprt: fd too high\n");
+                xprt = NULL;
+                goto done;
+        }
+
        xprt = mem_alloc(sizeof(SVCXPRT));
        if (xprt == NULL) {
                warnx("svc_vc: makefd_xprt: out of memory");
Unnamed repository; edit this file 'description' to name the repository.