From 070fffdfb3f0b8f7a0af04f1481c517832e333e9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=A9mie=20Galarneau?=
Date: Wed, 3 Aug 2016 12:36:34 -0400
Subject: [PATCH] Fix: usage of FD_SET on fd_set > 1024 results in corruption
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
fd_set is (typically) defined as an 1024 bit long array. Therefore, using FD_SET with an fd > 1024 will result in a buffer overrun.
Reported-by: Coverity Scan CID 1360535 (#1 of 1): Out-of-bounds write (OVERRUN)
Signed-off-by: Jérémie Galarneau
---
 tests/regression/kernel/select_poll_epoll.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/tests/regression/kernel/select_poll_epoll.c b/tests/regression/kernel/select_poll_epoll.c
index 592fbcab8..f24e9e468 100644
--- a/tests/regression/kernel/select_poll_epoll.c
+++ b/tests/regression/kernel/select_poll_epoll.c
@@ -442,7 +442,7 @@ void ppoll_fds_ulong_max(void)
 */
 void pselect_fd_too_big(void)
 {
- fd_set rfds;
+ long rfds[2048 / (sizeof(long) * CHAR_BIT)];
 int ret;
 int fd2;
 char buf[BUF_SIZE];
@@ -457,8 +457,7 @@ void pselect_fd_too_big(void)
 return;
 }
 FD_ZERO(&rfds);
- FD_SET(fd2, &rfds);
-
+ FD_SET(fd2, (fd_set *) &rfds);
 ret = syscall(SYS_pselect6, fd2 + 1, &rfds, NULL, NULL, NULL, NULL);
 if (ret == -1) {
-- 
2.34.1
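Review bot: The new `long rfds[2048 / (sizeof(long) * CHAR_BIT)]` in pselect_fd_too_big is never fully initialised, because the `FD_ZERO(&rfds)` kept as context in the second hunk clears only an fd_set's worth of bytes (typically the first 1024 bits). The syscall passes `fd2 + 1` as nfds, so for any fd2 above 1024 the kernel would also read the uncleared bits between 1024 and fd2, and the test may end up watching arbitrary descriptors. Zero the whole array at the declaration with `long rfds[2048 / (sizeof(long) * CHAR_BIT)] = { 0 };`, or replace FD_ZERO with `memset(rfds, 0, sizeof(rfds));`. The function body continues past the end of this hunk.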
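Review bot: The cast in `FD_SET(fd2, (fd_set *) &rfds)` keeps the write inside the enlarged array only while fd2 is below 2048, and nothing visible in this hunk enforces that bound. FD_SET is also still only specified for descriptors below FD_SETSIZE; glibc builds with _FORTIFY_SOURCE range-check it and abort, so the test could die before reaching the syscall if it is compiled that way. Consider rejecting `fd2 < 0 || fd2 >= 2048` and setting the bit directly, `rfds[fd2 / (sizeof(long) * CHAR_BIT)] |= 1UL << (fd2 % (sizeof(long) * CHAR_BIT));`. How fd2 is obtained lies in the part of the function outside the hunk.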