From cd7a984e9fabdaccd1c4d1e61360bc89b2b10bcb Mon Sep 17 00:00:00 2001
From: Jonas 'Sortie' Termansen
Date: Sun, 9 Apr 2017 22:11:04 +0200
Subject: [PATCH] Fix select(2) buffer overflow if the fd_set is smaller than normal.

OpenSSH is allocating a fd_set of exactly the needed size, which leads to buffer overflows in select(2) when it tries to zero out the fd_set assuming it is the normal size.
---
 libc/sys/select/select.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libc/sys/select/select.c b/libc/sys/select/select.c
index 3b64b115..1fc019b5 100644
--- a/libc/sys/select/select.c
+++ b/libc/sys/select/select.c
@@ -65,12 +65,13 @@ int select(int nfds, fd_set* restrict readfds, fd_set* restrict writefds,
 int num_occur = ppoll(fds, fds_count, timeout_tsp, NULL);
 if ( num_occur < 0 )
 return -1;
+ size_t fd_bytes = ((size_t) nfds + 7) / 8;
 if ( readfds )
- memset(readfds, 0, sizeof(*readfds));
+ memset(readfds, 0, fd_bytes);
 if ( writefds )
- memset(writefds, 0, sizeof(*writefds));
+ memset(writefds, 0, fd_bytes);
 if ( exceptfds )
- memset(exceptfds, 0, sizeof(*exceptfds));
+ memset(exceptfds, 0, fd_bytes);
 int ret = 0;
 for ( nfds_t i = 0; i < fds_count; i++ )
 {
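Review bot: The new `size_t fd_bytes = ((size_t) nfds + 7) / 8;` has no visible lower bound on nfds — if a negative nfds can reach this point, the cast yields a value near SIZE_MAX and the three memset calls would write a huge length over the caller's sets, turning the old fixed-size overflow into an unbounded one; if select() already rejects `nfds < 0 || FD_SETSIZE < nfds` with EINVAL earlier in the body, a comment at the new line saying so would make that dependency explicit: `/* nfds was range-checked above, so this cannot wrap. */`. The line also deserves a why-comment, since the byte count is now what protects callers that allocate a shorter fd_set: `/* Callers such as OpenSSH allocate only enough bits for nfds descriptors, so clear just that prefix. */`. This quietly assumes that bit i of an fd_set lives in byte i/8, which ties the computation to the fd_set layout in the header; a note to that effect would help whoever changes the representation later. Bits at or above nfds are left untouched, so a caller that set them will still see them set on return, which is presumably acceptable but differs from the old full clear. The select() body starts and ends outside the hunk.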