First published: Thu Feb 17 2011
A flaw was found in the way Samba handles the file descriptor set (fd_set) data structure. The Samba codebase uses file descriptor sets in various places. The fd_set structure has a fixed size, defined by the FD_SETSIZE variable. If a file descriptor with a value greater than or equal to FD_SETSIZE is added to a set, it can set a single bit on the stack to a '1'.

In Red Hat Enterprise Linux, all Samba processes except for smbd have a limit set which prevents a process from allocating more than 1024 file descriptors by default. 1024 is the value of FD_SETSIZE on Red Hat Enterprise Linux. smbd does not cap the maximum allowed file descriptors below 1024. This means that if a remote attacker has the ability to open files on a Samba server, they may be able to flip arbitrary stack bits to a '1'. It is not currently believed that this flaw can be used for arbitrary code execution, but the possibility should not be ruled out.

Acknowledgements: Red Hat would like to thank the Samba team for reporting this issue. Upstream acknowledges Volker Lendecke of SerNet as the original reporter.
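The two conditions described above (an unchecked add to an fd_set, and a descriptor limit above FD_SETSIZE) can be guarded against as follows. This is an added example, not code from Samba or Red Hat; the function names `checked_fd_set`, `nofile_exceeds_fd_setsize` and `cap_nofile_to_fd_setsize` are hypothetical.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>

/* Hypothetical wrapper: add fd to the set only if its bit lies inside the
 * fixed-size fd_set. Returns 0 on success, -1 if the fd is rejected. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;              /* FD_SET here would write outside *set */
    FD_SET(fd, set);
    return 0;
}

/* Returns 1 if the soft RLIMIT_NOFILE lets this process obtain descriptors
 * numbered FD_SETSIZE or higher, 0 if not, -1 on error. */
int nofile_exceeds_fd_setsize(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return rl.rlim_cur > (rlim_t)FD_SETSIZE ? 1 : 0;
}

/* Lower the soft limit to FD_SETSIZE so every descriptor fits in an fd_set.
 * Never raises the limit. Returns 0 on success, -1 on error. */
int cap_nofile_to_fd_setsize(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur > (rlim_t)FD_SETSIZE) {
        rl.rlim_cur = FD_SETSIZE;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    fd_set set;
    FD_ZERO(&set);
    printf("limit above FD_SETSIZE before cap: %d\n", nofile_exceeds_fd_setsize());
    printf("cap result: %d\n", cap_nofile_to_fd_setsize());
    printf("add fd %d: %d\n", FD_SETSIZE, checked_fd_set(FD_SETSIZE, &set));
    return 0;
}
```

Capping the limit keeps a process that must use select() safe, at the cost of restricting it to FD_SETSIZE open descriptors.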
Affected Software | Affected Version | How to fix |
---|---|---|
Samba | | |
Red Hat Enterprise Linux | | |
The severity of REDHAT-BUG-678328 is classified as important due to its potential impact on the Samba file handling functionality.
To fix REDHAT-BUG-678328, users should update their Samba installations to the latest patched version provided by Red Hat.
REDHAT-BUG-678328 affects Samba and Red Hat Enterprise Linux implementations.
The impact of REDHAT-BUG-678328 spans versions of Samba that handle file descriptor sets improperly.
Currently, the recommended way to mitigate REDHAT-BUG-678328 is to update to a secure version as no reliable workaround exists.