From: Willy Tarreau Date: Mon, 31 Jan 2022 19:05:02 +0000 (+0100) Subject: DEBUG: fd: make sure we never try to insert/delete an impossible FD number X-Git-Tag: v2.6-dev1~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9aa324de2d9f69d74f5b30c33a78d3a38501342f;p=thirdparty%2Fhaproxy.git DEBUG: fd: make sure we never try to insert/delete an impossible FD number It's among the cases that would provoke memory corruption, let's add some tests against negative FDs and those larger than the table. This must never ever happen and would currently result in silent corruption or a crash. Better have a noticeable one exhibiting the call chain if that were to happen. --- diff --git a/include/haproxy/fd.h b/include/haproxy/fd.h index 40ef38f734..8bf30cd255 100644 --- a/include/haproxy/fd.h +++ b/include/haproxy/fd.h @@ -319,6 +319,11 @@ static inline void fd_insert(int fd, void *owner, void (*iocb)(int fd), unsigned { extern void sock_conn_iocb(int); + /* This must never happen and would definitely indicate a bug, in + * addition to overwriting some unexpected memory areas. + */ + BUG_ON(fd < 0 || fd >= global.maxsock); + fdtab[fd].owner = owner; fdtab[fd].iocb = iocb; fdtab[fd].state = 0; diff --git a/src/fd.c b/src/fd.c index 30fefc473e..c2dfcf1d6d 100644 --- a/src/fd.c +++ b/src/fd.c @@ -336,6 +336,11 @@ void _fd_delete_orphan(int fd) */ void fd_delete(int fd) { + /* This must never happen and would definitely indicate a bug, in + * addition to overwriting some unexpected memory areas. + */ + BUG_ON(fd < 0 || fd >= global.maxsock); + /* we must postpone removal of an FD that may currently be in use * by another thread. This can happen in the following two situations: * - after a takeover, the owning thread closes the connection but
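Review bot: in the include/haproxy/fd.h hunk, the new BUG_ON(fd < 0 || fd >= global.maxsock) at the top of fd_insert() is the only thing standing between a bad fd and the fdtab[fd].owner, fdtab[fd].iocb and fdtab[fd].state writes that follow it. The subject tags the change as DEBUG, so the comment should say whether the check is active in default builds. If BUG_ON can be compiled out, those writes remain unguarded in such builds and the commit message's "silent corruption" case still applies there. The comment would also be more useful if it stated the invariant directly, for example that fd must be in the range 0 to global.maxsock - 1 because it indexes fdtab. As written, it never explains why global.maxsock is the right upper bound.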
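Review bot: in the src/fd.c hunk, the comment above the BUG_ON in fd_delete() is copied verbatim from fd_insert(), and its "overwriting some unexpected memory areas" wording is not backed by anything visible in this function's context, which only shows the comment about postponing removal. Please say which access the check protects here. The hunk header also shows _fd_delete_orphan(int fd) immediately above, and it takes the same fd argument but gets no check in this patch. If it can be reached by any path other than fd_delete(), the same range test belongs there too. Otherwise a one-line note saying it relies on the caller's check would document the assumption.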