diff options
author | Jeremy Allison <jra@samba.org> | 2011-06-30 11:01:40 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2011-06-30 21:15:25 +0200 |
commit | 1053a24a87f341fcd5578db56bc8b3962e63bb98 (patch) | |
tree | d03f95eab069c2a130d4709d48c5c8586876dea1 | |
parent | 4804013210ba620a6d20fd813017ac383cc3b946 (diff) | |
download | samba-1053a24a87f341fcd5578db56bc8b3962e63bb98.tar.gz samba-1053a24a87f341fcd5578db56bc8b3962e63bb98.tar.bz2 samba-1053a24a87f341fcd5578db56bc8b3962e63bb98.zip |
Part of fix for bug 8276 - FD_SET out of bounds access crash.
Ensure we never add fd's set to -1 to the pollfd set.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Jun 30 21:15:25 CEST 2011 on sn-devel-104
-rw-r--r-- | source3/nmbd/nmbd_packets.c | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c index a89f49c8fc..0324c9dd42 100644 --- a/source3/nmbd/nmbd_packets.c +++ b/source3/nmbd/nmbd_packets.c @@ -1698,7 +1698,12 @@ static bool create_listen_pollfds(struct pollfd **pfds, for (subrec = FIRST_SUBNET; subrec != NULL; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { - count += 2; /* nmb_sock and dgram_sock */ + if (subrec->nmb_sock != -1) { + count += 1; + } + if (subrec->dgram_sock != -1) { + count += 1; + } if (subrec->nmb_bcast != -1) { count += 1; } @@ -1736,10 +1741,12 @@ static bool create_listen_pollfds(struct pollfd **pfds, for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) { - fds[num].fd = subrec->nmb_sock; - attrs[num].type = NMB_PACKET; - attrs[num].broadcast = false; - num += 1; + if (subrec->nmb_sock != -1) { + fds[num].fd = subrec->nmb_sock; + attrs[num].type = NMB_PACKET; + attrs[num].broadcast = false; + num += 1; + } if (subrec->nmb_bcast != -1) { fds[num].fd = subrec->nmb_bcast; @@ -1748,10 +1755,12 @@ static bool create_listen_pollfds(struct pollfd **pfds, num += 1; } - fds[num].fd = subrec->dgram_sock; - attrs[num].type = DGRAM_PACKET; - attrs[num].broadcast = false; - num += 1; + if (subrec->dgram_sock != -1) { + fds[num].fd = subrec->dgram_sock; + attrs[num].type = DGRAM_PACKET; + attrs[num].broadcast = false; + num += 1; + } if (subrec->dgram_bcast != -1) { fds[num].fd = subrec->dgram_bcast; |