diff options
| author | Gilles Chehade <gilles@cvs.openbsd.org> | 2015-10-02 00:26:46 +0000 |
|---|---|---|
| committer | Gilles Chehade <gilles@cvs.openbsd.org> | 2015-10-02 00:26:46 +0000 |
| commit | d3eb0332005ba9687d4756ae0c39ecd906793364 (patch) | |
| tree | 267328d4109808311e834a4f656848531d9ba428 | |
| parent | d7d87ad6d6313d5fc2f7cab325884f7ae12204af (diff) | |
do not allow connid to wrap and collide with another active connection id.
this allows a local user to trigger a fatal() and exit the daemon.
reported by Qualys Security
| -rw-r--r-- | usr.sbin/smtpd/control.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/usr.sbin/smtpd/control.c b/usr.sbin/smtpd/control.c index 834d126e016..68c2b992798 100644 --- a/usr.sbin/smtpd/control.c +++ b/usr.sbin/smtpd/control.c @@ -1,4 +1,4 @@ -/* $OpenBSD: control.c,v 1.104 2015/06/11 19:27:16 gilles Exp $ */ +/* $OpenBSD: control.c,v 1.105 2015/10/02 00:26:45 gilles Exp $ */ /* * Copyright (c) 2012 Gilles Chehade <gilles@poolp.org> @@ -71,7 +71,7 @@ static void control_broadcast_verbose(int, int); static struct stat_backend *stat_backend = NULL; extern const char *backend_stat; -static uint32_t connid = 0; +static uint64_t connid = 0; static struct tree ctl_conns; static struct tree ctl_count; static struct stat_digest digest; @@ -365,10 +365,14 @@ control_accept(int listenfd, short event, void *arg) } (*count)++; + do { + ++connid; + } while (tree_get(&ctl_conns, connid)); + c = xcalloc(1, sizeof(*c), "control_accept"); c->euid = euid; c->egid = egid; - c->id = ++connid; + c->id = connid; c->mproc.proc = PROC_CLIENT; c->mproc.handler = control_dispatch_ext; c->mproc.data = c; |