(from parent 1: 8f47022)
author | Florian Forster <ff@octo.it> | Thu, 4 May 2017 11:57:22 +0000 (13:57 +0200)
committer | Florian Forster <ff@octo.it> | Thu, 4 May 2017 12:06:13 +0000 (14:06 +0200)
When passing a large file descriptor, on many systems large means >= 1024,
FD_SET()'s behavior is undefined. Mostly, it will corrupt the stack
because an out-of-bounds bit is flipped.
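The bounds check that the commit message motivates, as an added example that is not part of liboping or of this commit. The helper names `fd_set_checked`, `readable_with_poll` and `demo_high_fd` are hypothetical, and the EBADF return for a negative descriptor is an assumption of this example; EMFILE mirrors the errno the patch reports.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical helper: call FD_SET() only after checking that fd indexes
 * into the fd_set. Returns 0, or -1 with errno EBADF or EMFILE. */
int fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0) { errno = EBADF; return -1; }
    if (fd >= FD_SETSIZE) { errno = EMFILE; return -1; }
    FD_SET(fd, set);
    return 0;
}

/* poll(2) takes the descriptor by value, so it has no FD_SETSIZE ceiling.
 * Returns 1 if readable, 0 on timeout, -1 on error. */
int readable_with_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int rc = poll(&p, 1, timeout_ms);
    return rc < 0 ? -1 : (rc > 0 && (p.revents & POLLIN));
}

/* Constructed scenario: duplicate a pipe's read end onto a descriptor
 * numbered >= FD_SETSIZE. Returns 1 if the guard rejected it and poll(2)
 * still saw the data, 0 if RLIMIT_NOFILE prevents such a descriptor,
 * -1 on an unexpected result. */
int demo_high_fd(void)
{
    int p[2], result = -1;
    fd_set rfds;
    if (pipe(p) != 0) return -1;
    FD_ZERO(&rfds);
    int high = fcntl(p[0], F_DUPFD, FD_SETSIZE); /* lowest free fd >= FD_SETSIZE */
    if (high < 0) {
        result = 0;
    } else {
        if (write(p[1], "x", 1) == 1 && fd_set_checked(high, &rfds) == -1
            && errno == EMFILE && readable_with_poll(high, 100) == 1)
            result = 1;
        close(high);
    }
    close(p[0]); close(p[1]);
    return result;
}

int main(void) { return demo_high_fd() < 0; }
```

On a system whose soft RLIMIT_NOFILE is not above FD_SETSIZE, the `fcntl` call fails and `demo_high_fd` returns 0; the guard itself only inspects the descriptor number, so it can be tested without a real high descriptor.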
src/liboping.c | patch | blob | history |
diff --git a/src/liboping.c b/src/liboping.c
index f8c5bfbf6a6c251f5ac2f91ec4e20acd2d64949f..fc9ed65c63198f081a9e5ecb2b7dc2ab474177a9 100644 (file)
--- a/src/liboping.c
+++ b/src/liboping.c
if (!timerisset (ptr->timer))
continue;
+ assert (ptr->fd < FD_SETSIZE);
FD_SET (ptr->fd, &read_fds);
FD_SET (ptr->fd, &err_fds);
num_fds++;
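Review bot: The assert (ptr->fd < FD_SETSIZE) placed before the two FD_SET calls is compiled out when the library is built with NDEBUG, so such a build would still reach FD_SET with an out-of-range descriptor. It also only bounds the value from above, and the lines shown do not establish that ptr->fd is non-negative at this point (the other hunk in this patch stores -1 in the fd field). Suggest a runtime test before FD_SET (ptr->fd, &read_fds), for example: if (ptr->fd < 0 || ptr->fd >= FD_SETSIZE) continue; and keep the assert only as documentation of the invariant.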
ping_set_errno (obj, errno);
continue;
}
+ else if (ph->fd >= FD_SETSIZE)
+ {
+ dprintf("socket(2) returned file descriptor %d, which is above the file "
+ "descriptor limit for select(2) (FD_SETSIZE = %d)\n",
+ ph->fd, FD_SETSIZE);
+ close(ph->fd);
+ ph->fd = -1;
+ ping_set_errno(obj, EMFILE);
+ continue;
+ }
if (obj->srcaddr != NULL)
{
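Review bot: In the new else-if branch the only explanation of why the socket was rejected goes to dprintf, while the caller sees just EMFILE from ping_set_errno, which normally reads as "too many open files" even though socket(2) succeeded here. A short comment above the branch, or a sentence in the API documentation, stating that descriptors >= FD_SETSIZE are refused because of select(2) would make that error interpretable. Style: the added calls are written dprintf(, close(ph->fd) and ping_set_errno(obj, EMFILE) without the space before the parenthesis that the surrounding code uses, as in ping_set_errno (obj, errno).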