From cc938f1ce0f1eafc435e0dd1d9fe45aaedc526e1 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Thu, 4 May 2023 16:45:36 +0200
Subject: [PATCH] shared: refuse fd == INT_MAX

Since we do `FD_TO_PTR(fd)` that expands to `INT_TO_PTR(fd) + 1` which triggers an integer overflow.

Resolves: #27522
---
 src/shared/fdset.c | 14 ++++++++++++++
 ...nimized-fuzz-manager-serialize-6018678331408384 | 3 +++
 2 files changed, 17 insertions(+)
 create mode 100644 test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384

diff --git a/src/shared/fdset.c b/src/shared/fdset.c
index d816a3e4efb..2138ffcdb92 100644
--- a/src/shared/fdset.c
+++ b/src/shared/fdset.c
@@ -77,6 +77,10 @@ int fdset_put(FDSet *s, int fd) {
 assert(s);
 assert(fd >= 0);

+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX)
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing invalid fd: %d", fd);
+
 return set_put(MAKE_SET(s), FD_TO_PTR(fd));
 }

@@ -115,6 +119,12 @@ bool fdset_contains(FDSet *s, int fd) {
 assert(s);
 assert(fd >= 0);

+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX) {
+ log_debug("Refusing invalid fd: %d", fd);
+ return false;
+ }
+
 return !!set_get(MAKE_SET(s), FD_TO_PTR(fd));
 }

@@ -122,6 +132,10 @@ int fdset_remove(FDSet *s, int fd) {
 assert(s);
 assert(fd >= 0);

+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX)
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Refusing invalid fd: %d", fd);
+
 return set_remove(MAKE_SET(s), FD_TO_PTR(fd)) ? fd : -ENOENT;
 }

diff --git a/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384 b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384
new file mode 100644
index 00000000000..d0dca3329c6
--- /dev/null
+++ b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384
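Review bot: The `fd == INT_MAX` guard is copied three times here with three different outcomes (-EINVAL in fdset_put(), `false` plus a log line in fdset_contains(), -ENOENT in fdset_remove()), and because the overflow lives in FD_TO_PTR() itself, any other caller of that macro in this file that lies outside these hunks is presumably still exposed. I would centralise the invariant next to the macro, e.g. `static inline bool fd_to_ptr_would_overflow(int fd) { return fd == INT_MAX; }`, and extend the comment to say why this is the only bad value: with `assert(fd >= 0)` in place, the `+ 1` in FD_TO_PTR() can only wrap for INT_MAX. The accompanying fuzz input `socket=2147483647 5` suggests the value arrives straight from deserialised state rather than from a real open descriptor, so — hedged, since the parser is not shown — the stronger fix is to have the deserialiser reject fd numbers that are not actually open (e.g. `fcntl(fd, F_GETFD) < 0`) before they reach fdset_put(), leaving these guards as defence in depth. Each function's signature line sits in the `@@` header rather than in the hunk, so the functions are not fully visible here.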
@@ -0,0 +1,3 @@
+
+l.socket
+socket=2147483647 5
\ No newline at end of file
-- 
2.47.3