From: Jérémie Galarneau
Date: Wed, 3 Aug 2016 16:36:34 +0000 (-0400)
Subject: Fix: usage of FD_SET on fd_set > 1024 results in corruption
X-Git-Tag: v2.9.0-rc1~72
X-Git-Url: https://git.lttng.org/?p=lttng-tools.git;a=commitdiff_plain;h=070fffdfb3f0b8f7a0af04f1481c517832e333e9

Fix: usage of FD_SET on fd_set > 1024 results in corruption

fd_set is (typically) defined as a 1024-bit long array. Therefore,
using FD_SET with an fd > 1024 will result in a buffer overrun.

Reported-by: Coverity Scan CID 1360535 (#1 of 1): Out-of-bounds write (OVERRUN)
Signed-off-by: Jérémie Galarneau
---
diff --git a/tests/regression/kernel/select_poll_epoll.c b/tests/regression/kernel/select_poll_epoll.c index 592fbcab8..f24e9e468 100644 --- a/tests/regression/kernel/select_poll_epoll.c +++ b/tests/regression/kernel/select_poll_epoll.c @@ -442,7 +442,7 @@ void ppoll_fds_ulong_max(void) */ void pselect_fd_too_big(void) { - fd_set rfds; + long rfds[2048 / (sizeof(long) * CHAR_BIT)]; int ret; int fd2; char buf[BUF_SIZE]; @@ -457,8 +457,7 @@ void pselect_fd_too_big(void) return; } FD_ZERO(&rfds); - FD_SET(fd2, &rfds); - + FD_SET(fd2, (fd_set *) &rfds); ret = syscall(SYS_pselect6, fd2 + 1, &rfds, NULL, NULL, NULL, NULL); if (ret == -1) {
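
Review bot: in the first hunk (@@ -442,7 +442,7 @@), the new declaration "long rfds[2048 / (sizeof(long) * CHAR_BIT)];" depends on CHAR_BIT, and the patch adds no #include <limits.h>, so confirm the file already includes it. The 2048 is a bare number that silently caps which fd2 values are safe to set; a named constant with a short comment, and unsigned long for the bitmap words, would document the limit the rest of pselect_fd_too_big() has to respect.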
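
Review bot: in the second hunk (@@ -457,8 +457,7 @@), the unchanged "FD_ZERO(&rfds);" is left without the (fd_set *) cast that FD_SET now gets, and FD_ZERO typically clears only sizeof(fd_set) bytes, so the upper part of the 2048-bit array can reach pselect6 uninitialized with nfds = fd2 + 1. Zero the whole array with memset(rfds, 0, sizeof(rfds)) or an initializer. The cast in "FD_SET(fd2, (fd_set *) &rfds);" also leaves fd2 unchecked against the 2048-bit size, and glibc builds with _FORTIFY_SOURCE abort in FD_SET for an fd at or above FD_SETSIZE, so a bounds check followed by a manual bit set on the long array would be more robust.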
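
The overrun described in the commit message can be avoided with bounds-checked helpers. The following is an added example, not code from the lttng-tools patch; the names big_fdset, big_fdset_init, big_fdset_set, big_fdset_isset and checked_fd_set are hypothetical, and the bit layout (bit fd % bits-per-long of word fd / bits-per-long) is assumed to be the Linux one.

```c
#include <limits.h>
#include <stdlib.h>
#include <sys/select.h>
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Hypothetical helper type: a bitmap sized for a caller-chosen fd limit. */
struct big_fdset {
	size_t nbits;         /* number of descriptors the bitmap can hold */
	unsigned long *words; /* zero-initialised storage, nbits bits long */
};

/* Allocate a fully zeroed bitmap covering fds 0..max_fd. Returns 0 or -1. */
int big_fdset_init(struct big_fdset *s, int max_fd)
{
	if (max_fd < 0)
		return -1;
	size_t nwords = ((size_t) max_fd + BITS_PER_LONG) / BITS_PER_LONG;
	s->words = calloc(nwords, sizeof(unsigned long));
	if (!s->words)
		return -1;
	s->nbits = nwords * BITS_PER_LONG;
	return 0;
}

/* Bounds-checked stand-in for FD_SET: refuses any fd outside the bitmap. */
int big_fdset_set(struct big_fdset *s, int fd)
{
	if (fd < 0 || (size_t) fd >= s->nbits)
		return -1;
	s->words[fd / BITS_PER_LONG] |= 1UL << (fd % BITS_PER_LONG);
	return 0;
}

/* Bounds-checked stand-in for FD_ISSET: out-of-range fds read as unset. */
int big_fdset_isset(const struct big_fdset *s, int fd)
{
	if (fd < 0 || (size_t) fd >= s->nbits)
		return 0;
	return (int) ((s->words[fd / BITS_PER_LONG] >> (fd % BITS_PER_LONG)) & 1UL);
}

/* Guard for code that keeps a real fd_set: reject instead of overrunning. */
int checked_fd_set(int fd, fd_set *set)
{
	if (fd < 0 || fd >= FD_SETSIZE)
		return -1;
	FD_SET(fd, set);
	return 0;
}
```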