From: Evan Hunt Date: Wed, 23 Mar 2016 01:05:32 +0000 (-0700) Subject: [master] disallow out-of-range descriptors in isc_socket_fdwatchcreate() X-Git-Tag: v9.11.0a1~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=11a3f0a049f08f42461ec9851be0b92b82338948;p=thirdparty%2Fbind9.git [master] disallow out-of-range descriptors in isc_socket_fdwatchcreate() --- diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h index 2d2285b7c86..0b36359840d 100644 --- a/lib/isc/include/isc/socket.h +++ b/lib/isc/include/isc/socket.h @@ -437,7 +437,8 @@ isc_socket_fdwatchcreate(isc_socketmgr_t *manager, * * Note: * - *\li 'fd' is the already-opened file descriptor. + *\li 'fd' is the already-opened file descriptor (must be less + * than maxsockets). *\li This function is not available on Windows. *\li The callback function is called "in-line" - this means the function * needs to return as fast as possible, as all other I/O will be suspended @@ -461,6 +462,7 @@ isc_socket_fdwatchcreate(isc_socketmgr_t *manager, *\li #ISC_R_NOMEMORY *\li #ISC_R_NORESOURCES *\li #ISC_R_UNEXPECTED + *\li #ISC_R_RANGE */ isc_result_t diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index acdb73e234d..a76c2666f68 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -2246,7 +2246,7 @@ destroy(isc__socket_t **sockp) { INSIST(ISC_LIST_EMPTY(sock->accept_list)); INSIST(ISC_LIST_EMPTY(sock->recv_list)); INSIST(ISC_LIST_EMPTY(sock->send_list)); - REQUIRE(sock->fd == -1 || sock->fd < (int)manager->maxsocks); + INSIST(sock->fd >= -1 && sock->fd < (int)manager->maxsocks); if (sock->fd >= 0) { fd = sock->fd; @@ -3108,6 +3108,9 @@ isc__socket_fdwatchcreate(isc_socketmgr_t *manager0, int fd, int flags, REQUIRE(VALID_MANAGER(manager)); REQUIRE(socketp != NULL && *socketp == NULL); + if (fd < 0 || (unsigned int)fd >= manager->maxsocks) + return (ISC_R_RANGE); + result = allocate_socket(manager, isc_sockettype_fdwatch, &sock); if (result != ISC_R_SUCCESS) return (result);