Fix denial of service - memory corruption.

[samba.git] / lib / tevent / tevent_select.c

diff --git a/lib/tevent/tevent_select.c b/lib/tevent/tevent_select.c
index b666b4fba4ac2cf02713debac13f22e376d58ca7..890e0311c6033be92cb8b36ba573587965b3901e 100644 (file)
--- a/lib/tevent/tevent_select.c
+++ b/lib/tevent/tevent_select.c
@@ -111,6 +111,11 @@ static struct tevent_fd *select_event_add_fd(struct tevent_context *ev, TALLOC_C
                                                           struct select_event_context);
        struct tevent_fd *fde;
 
+       if (fd < 0 || fd >= FD_SETSIZE) {
+               errno = EBADF;
+               return NULL;
+       }
+
        fde = tevent_common_add_fd(ev, mem_ctx, fd, flags,
                                   handler, private_data,
                                   handler_name, location);
@@ -143,6 +148,11 @@ static int select_event_loop_select(struct select_event_context *select_ev, stru
 
        /* setup any fd events */
        for (fde = select_ev->ev->fd_events; fde; fde = fde->next) {
+               if (fde->fd < 0 || fde->fd >= FD_SETSIZE) {
+                       errno = EBADF;
+                       return -1;
+               }
+
                if (fde->flags & TEVENT_FD_READ) {
                        FD_SET(fde->fd, &r_fds);
                }
@@ -210,8 +220,13 @@ static int select_event_loop_once(struct tevent_context *ev, const char *locatio
                                                           struct select_event_context);
        struct timeval tval;
 
-       if (select_ev->ev->signal_events &&
-           tevent_common_check_signal(select_ev->ev)) {
+       if (ev->signal_events &&
+           tevent_common_check_signal(ev)) {
+               return 0;
+       }
+
+       if (ev->immediate_events &&
+           tevent_common_loop_immediate(ev)) {
                return 0;
        }
 
@@ -223,34 +238,17 @@ static int select_event_loop_once(struct tevent_context *ev, const char *locatio
        return select_event_loop_select(select_ev, &tval);
 }
 
-/*
-  return on failure or (with 0) if all fd events are removed
-*/
-static int select_event_loop_wait(struct tevent_context *ev, const char *location)
-{
-       struct select_event_context *select_ev = talloc_get_type(ev->additional_data,
-                                                          struct select_event_context);
-       select_ev->exit_code = 0;
-
-       while (ev->fd_events && select_ev->exit_code == 0) {
-               if (select_event_loop_once(ev, location) != 0) {
-                       break;
-               }
-       }
-
-       return select_ev->exit_code;
-}
-
 static const struct tevent_ops select_event_ops = {
-       .context_init   = select_event_context_init,
-       .add_fd         = select_event_add_fd,
-       .set_fd_close_fn= tevent_common_fd_set_close_fn,
-       .get_fd_flags   = tevent_common_fd_get_flags,
-       .set_fd_flags   = tevent_common_fd_set_flags,
-       .add_timer      = tevent_common_add_timer,
-       .add_signal     = tevent_common_add_signal,
-       .loop_once      = select_event_loop_once,
-       .loop_wait      = select_event_loop_wait,
+       .context_init           = select_event_context_init,
+       .add_fd                 = select_event_add_fd,
+       .set_fd_close_fn        = tevent_common_fd_set_close_fn,
+       .get_fd_flags           = tevent_common_fd_get_flags,
+       .set_fd_flags           = tevent_common_fd_set_flags,
+       .add_timer              = tevent_common_add_timer,
+       .schedule_immediate     = tevent_common_schedule_immediate,
+       .add_signal             = tevent_common_add_signal,
+       .loop_once              = select_event_loop_once,
+       .loop_wait              = tevent_common_loop_wait,
 };
 
 bool tevent_select_init(void)