Fix select(2) buffer overflow if the fd_set is smaller than normal.

OpenSSH is allocating a fd_set of exactly the needed size, which leads to
buffer overflows in select(2) when it tries to zero out the fd_set assuming
it is the normal size.
Jonas 'Sortie' Termansen 2017-04-09 22:11:04 +02:00
parent d45417651f
commit cd7a984e9f
1 changed files with 4 additions and 3 deletions


@ -65,12 +65,13 @@ int select(int nfds, fd_set* restrict readfds, fd_set* restrict writefds,
int num_occur = ppoll(fds, fds_count, timeout_tsp, NULL);
if ( num_occur < 0 )
return -1;
size_t fd_bytes = ((size_t) nfds + 7) / 8;
if ( readfds )
memset(readfds, 0, sizeof(*readfds));
memset(readfds, 0, fd_bytes);
if ( writefds )
memset(writefds, 0, sizeof(*writefds));
memset(writefds, 0, fd_bytes);
if ( exceptfds )
memset(exceptfds, 0, sizeof(*exceptfds));
memset(exceptfds, 0, fd_bytes);
int ret = 0;
for ( nfds_t i = 0; i < fds_count; i++ )
{
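Review bot: The new `fd_bytes` length comes from the caller's `nfds` through a bare `(size_t)` cast, so a negative `nfds` would become an enormous memset length. No range check on `nfds` is visible here (select's body starts before and continues after this hunk), so confirm one runs before the ppoll call or add it, e.g. `if ( nfds < 0 ) { errno = EINVAL; return -1; }`. The clear is also now only as safe as the caller's claim: an `nfds` above FD_SETSIZE passed with an ordinary fd_set would write past it, which the old `sizeof(*readfds)` could not do. A comment on `fd_bytes` would record the contract: `/* Callers may pass fd_sets sized for exactly nfds bits; clear only those bytes. */`. The byte-granular clear presumably matches the bit layout FD_SET uses, which is worth checking against the fd_set definition.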