From: Jeff Layton <jlayton@redhat.com>
Date: Mon, 20 Apr 2009 16:22:22 +0000 (-0400)
Subject: [PATCH] port fix for CVE-2008-0947
X-Git-Tag: libtirpc-0.1.12-rc1~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=54ad86c29bcd40dbb6b9f1f9e611778add4227ea;p=libtirpc

[PATCH] port fix for CVE-2008-0947

Adds bounds checking of fd passed into makefd_xprt against FD_SETSIZE.

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt

This was reported against MIT krb5 code, but it looks like libtirpc
has a similar problem.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---

diff --git a/src/svc_vc.c b/src/svc_vc.c
index 44d3497..7a1f5c3 100644
--- a/src/svc_vc.c
+++ b/src/svc_vc.c
@@ -261,6 +261,12 @@ makefd_xprt(fd, sendsize, recvsize)
  
 	assert(fd != -1);
 
+        if (fd >= FD_SETSIZE) {
+                warnx("svc_vc: makefd_xprt: fd too high\n");
+                xprt = NULL;
+                goto done;
+        }
+
 	xprt = mem_alloc(sizeof(SVCXPRT));
 	if (xprt == NULL) {
 		warnx("svc_vc: makefd_xprt: out of memory");