Vigil@nce: Samba, memory corruption via FD_SET
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can open several files on a Samba share, in order to
stop the service, and possibly to execute code.
Severity: 2/4
Creation date: 28/02/2011
IMPACTED PRODUCTS
– Debian Linux
– Mandriva Corporate
– Mandriva Enterprise Server
– Mandriva Linux
– Red Hat Enterprise Linux
– Samba
– Slackware Linux
DESCRIPTION OF THE VULNERABILITY
The select() system call monitors events (read/write) on a list of
file descriptors (a "fd_set").
A fd_set is an array containing FD_SETSIZE items. The FD_SET(fd,
&the_fd_set) macro indicates that the file descriptor number "fd"
has to be monitored in a fd_set. In order to do so, it sets a flag
at index fd of the fd_set array.
An application which uses FD_SET() has to check that the number of
the file descriptor is positive and inferior to FD_SETSIZE
(otherwise FD_SET sets the flag outside the array). However,
several Samba functions do not do this check. This error case
occurs when several files are opened (fd >= FD_SETSIZE) or if an
open operation failed (fd == -1).
An attacker can therefore open several files on a Samba share, in
order to stop the service, and possibly to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Samba-memory-corruption-via-FD-SET-10405