_tt_syslog(errstr, LOG_ERR, "%s: _tt_check_stale_isfd() == 0",
here );
} else {
- res.result = cached_isclose(*isfd);
- if (res.result != -1) {
- _tt_db_table[*isfd].db_path = 0;
- _tt_db_table[*isfd].opener_uid = (uid_t)-1;
- } else {
- _tt_syslog(errstr, LOG_ERR, "%s: isclose(): %d",
- here, iserrno);
- }
- res.iserrno = iserrno;
+ // JET - 06/12/2002
+ // VU#975403 - CERT TT vulnerability. By passing an invalid isfd
+ // a local or remote attacker can zero out 4 bytes at any location,
+ // thereby allowing other exploits (items 2 & 3 - delete or
+ // overwrite any file on the system.)
+ // Here, we will just check to make sure: 0 >= isfd < _TT_MAX_ISFD
+
+ if (*isfd < 0 || *isfd >= _TT_MAX_ISFD)
+ { // some trickery going on?
+ res.result = -1;
+ res.iserrno = ERPC;
+ _tt_syslog(errstr, LOG_ERR, "%s: _tt_isclose_1: Invalid file descriptor. This may be an attempted exploit.",
+ here );
+ }
+ else
+ {
+
+ res.result = cached_isclose(*isfd);
+ if (res.result != -1) {
+ _tt_db_table[*isfd].db_path = 0;
+ _tt_db_table[*isfd].opener_uid = (uid_t)-1;
+ } else {
+ _tt_syslog(errstr, LOG_ERR, "%s: isclose(): %d",
+ here, iserrno);
+ }
+ res.iserrno = iserrno;
+ }
}
return (&res);
}
_Tt_isam_results *
_tt_transaction_1(_Tt_transaction_args* args, SVCXPRT * /* transp */)
{
+ struct stat buf; // JET - VU#975403/VU#299816
+
static const char *here = "_tt_transaction_1()";
/* check for stale NetISAM file descriptor */
if (!_tt_check_stale_isfd(args->isfd)) {
projects / oweals / cde.git / commitdiff