From: Frantisek Sumsal
Date: Thu, 4 May 2023 14:45:36 +0000 (+0200)
Subject: shared: refuse fd == INT_MAX
X-Git-Tag: v254-rc1~550^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc938f1ce0f1eafc435e0dd1d9fe45aaedc526e1;p=thirdparty%2Fsystemd.git
shared: refuse fd == INT_MAX
Since we do `FD_TO_PTR(fd)` that expands to `INT_TO_PTR(fd) + 1` which triggers an integer overflow.
Resolves: #27522
---
diff --git a/src/shared/fdset.c b/src/shared/fdset.c
index d816a3e4efb..2138ffcdb92 100644
--- a/src/shared/fdset.c
+++ b/src/shared/fdset.c
@@ -77,6 +77,10 @@ int fdset_put(FDSet *s, int fd) {
 assert(s);
 assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX)
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing invalid fd: %d", fd);
+ return set_put(MAKE_SET(s), FD_TO_PTR(fd));
 }
@@ -115,6 +119,12 @@ bool fdset_contains(FDSet *s, int fd) {
 assert(s);
 assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX) {
+ log_debug("Refusing invalid fd: %d", fd);
+ return false;
+ }
+ return !!set_get(MAKE_SET(s), FD_TO_PTR(fd));
 }
@@ -122,6 +132,10 @@ int fdset_remove(FDSet *s, int fd) {
 assert(s);
 assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX)
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Refusing invalid fd: %d", fd);
+ return set_remove(MAKE_SET(s), FD_TO_PTR(fd)) ? fd : -ENOENT;
 }
diff --git a/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384 b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384
new file mode 100644
index 00000000000..d0dca3329c6
--- /dev/null
+++ b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384
@@ -0,0 +1,3 @@
+
+l.socket
+socket=2147483647 5
\ No newline at end of file
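Review bot: The `fd == INT_MAX` guard added to fdset_put() is repeated verbatim in the fdset_contains() and fdset_remove() hunks, so any other code path that passes an fd to `FD_TO_PTR()` still relies on someone remembering to copy it; whether such paths exist is not visible in this diff. The added fuzz case (`socket=2147483647`) shows the value can arrive from serialized input, so a single range predicate shared by the three functions would keep the validation in one place, for example `static bool fd_fits_ptr(int fd) { return fd >= 0 && fd < INT_MAX; }` (the name is only a suggestion). The comment could also say what actually goes wrong, e.g. `/* FD_TO_PTR() adds 1 to the fd, which overflows for INT_MAX */`, since "integer overflow" alone does not tell a reader where the addition happens. fdset_put() begins above the hunk, so only the part of its body shown here was reviewed.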
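Review bot: fdset_remove() rejects INT_MAX with `ENOENT`, while fdset_put() uses `EINVAL` for the same value and the same "Refusing invalid fd" message, and nothing in the hunk says the difference is deliberate. It looks intentional, because the existing return already yields `-ENOENT` for an fd that is not in the set, so a one-line comment would settle it for the next reader: `/* INT_MAX can never be stored, so report it like any other absent fd */`. fdset_remove() begins above the hunk.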