Fix select(2) buffer overflow if the fd_set is smaller than normal.
OpenSSH is allocating a fd_set of exactly the needed size, which leads to buffer overflows in select(2) when it tries to zero out the fd_set assuming it is the normal size.
parent
d45417651f
commit
cd7a984e9f
|
@ -65,12 +65,13 @@ int select(int nfds, fd_set* restrict readfds, fd_set* restrict writefds,
|
||||||
int num_occur = ppoll(fds, fds_count, timeout_tsp, NULL);
|
int num_occur = ppoll(fds, fds_count, timeout_tsp, NULL);
|
||||||
if ( num_occur < 0 )
|
if ( num_occur < 0 )
|
||||||
return -1;
|
return -1;
|
||||||
|
size_t fd_bytes = ((size_t) nfds + 7) / 8;
|
||||||
if ( readfds )
|
if ( readfds )
|
||||||
memset(readfds, 0, sizeof(*readfds));
|
memset(readfds, 0, fd_bytes);
|
||||||
if ( writefds )
|
if ( writefds )
|
||||||
memset(writefds, 0, sizeof(*writefds));
|
memset(writefds, 0, fd_bytes);
|
||||||
if ( exceptfds )
|
if ( exceptfds )
|
||||||
memset(exceptfds, 0, sizeof(*exceptfds));
|
memset(exceptfds, 0, fd_bytes);
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
for ( nfds_t i = 0; i < fds_count; i++ )
|
for ( nfds_t i = 0; i < fds_count; i++ )
|
||||||
{
|
{
|
||||||
|
|
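Review bot: The new `fd_bytes` computation casts `nfds` to `size_t` with no range check visible in this hunk, so a negative `nfds` would become a huge length for the three `memset` calls, and an `nfds` above `FD_SETSIZE` would clear past a normal-sized `fd_set`, which the old `sizeof(*readfds)` could not do. select() begins above the hunk, so the validation may already be there; if it is not, reject the value before the sets are touched, e.g. `if ( nfds < 0 ) return errno = EINVAL, -1;`, and decide explicitly whether values above `FD_SETSIZE` are supported. A short comment on `fd_bytes` such as `/* Callers may allocate only enough bytes for nfds bits, so never clear sizeof(fd_set). */` would keep the fix from being reverted later.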