From 1053a24a87f341fcd5578db56bc8b3962e63bb98 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 30 Jun 2011 11:01:40 -0700
Subject: Part of fix for bug 8276 - FD_SET out of bounds access crash. Ensure we never add fd's set to -1 to the pollfd set.
Autobuild-User: Jeremy Allison
Autobuild-Date: Thu Jun 30 21:15:25 CEST 2011 on sn-devel-104
---
 source3/nmbd/nmbd_packets.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
(limited to 'source3')
diff --git a/source3/nmbd/nmbd_packets.c b/source3/nmbd/nmbd_packets.c
index a89f49c8fc..0324c9dd42 100644
--- a/source3/nmbd/nmbd_packets.c
+++ b/source3/nmbd/nmbd_packets.c
@@ -1698,7 +1698,12 @@ static bool create_listen_pollfds(struct pollfd **pfds,
 for (subrec = FIRST_SUBNET; subrec != NULL; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
- count += 2; /* nmb_sock and dgram_sock */
+ if (subrec->nmb_sock != -1) {
+ count += 1;
+ }
+ if (subrec->dgram_sock != -1) {
+ count += 1;
+ }
 if (subrec->nmb_bcast != -1) {
 count += 1;
 }
@@ -1736,10 +1741,12 @@ static bool create_listen_pollfds(struct pollfd **pfds,
 for (subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec)) {
- fds[num].fd = subrec->nmb_sock;
- attrs[num].type = NMB_PACKET;
- attrs[num].broadcast = false;
- num += 1;
+ if (subrec->nmb_sock != -1) {
+ fds[num].fd = subrec->nmb_sock;
+ attrs[num].type = NMB_PACKET;
+ attrs[num].broadcast = false;
+ num += 1;
+ }
 if (subrec->nmb_bcast != -1) {
 fds[num].fd = subrec->nmb_bcast;
@@ -1748,10 +1755,12 @@ static bool create_listen_pollfds(struct pollfd **pfds,
 num += 1;
 }
- fds[num].fd = subrec->dgram_sock;
- attrs[num].type = DGRAM_PACKET;
- attrs[num].broadcast = false;
- num += 1;
+ if (subrec->dgram_sock != -1) {
+ fds[num].fd = subrec->dgram_sock;
+ attrs[num].type = DGRAM_PACKET;
+ attrs[num].broadcast = false;
+ num += 1;
+ }
 if (subrec->dgram_bcast != -1) {
 fds[num].fd = subrec->dgram_bcast;
-- cgit
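Review bot: Nothing in the visible code ties the count loop in the first hunk to the fill loop in the two later hunks, yet both now have to test the same four sockets with the same `!= -1` predicate. If `count` is what sizes the `fds` and `attrs` arrays (the allocation lies outside the hunks, so this is inferred), an edit that changes one loop and not the other makes `fds[num]` write past the end of the array. I would add `SMB_ASSERT(num == count);` after the fill loop so that drift is caught in testing, and a comment on the count loop along the lines of `/* must mirror the fill loop below: one slot per socket that is not -1 */`. The function starts before and ends after the hunks shown.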
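Review bot: A subnet whose `nmb_sock` is -1 is now skipped without any trace in the second hunk, and the same holds for the `dgram_sock` block in the third hunk. The daemon would keep running while no longer polling that socket, which is hard to notice from the outside. If -1 is not an expected steady state here (the hunks do not show which code sets it), an `else` branch that logs the skip would make the condition visible, for example `DEBUG(5, ("create_listen_pollfds: nmb_sock is -1, not polling it\n"));`. The same message with `dgram_sock` would go in the third hunk.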