shared: refuse fd == INT_MAX

Since we do `FD_TO_PTR(fd)` that expands to `INT_TO_PTR(fd) + 1` which
triggers an integer overflow.

Resolves: #27522

diff --git a/src/shared/fdset.c b/src/shared/fdset.c
index d816a3e4efb9640dcbfeec8be3244a054466f95b..2138ffcdb92e86ed441e24e62396d170801bd377 100644 (file)
--- a/src/shared/fdset.c
+++ b/src/shared/fdset.c
@@ -77,6 +77,10 @@ int fdset_put(FDSet *s, int fd) {
         assert(s);
         assert(fd >= 0);
 
+        /* Avoid integer overflow in FD_TO_PTR() */
+        if (fd == INT_MAX)
+                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing invalid fd: %d", fd);
+
         return set_put(MAKE_SET(s), FD_TO_PTR(fd));
 }
 
@@ -115,6 +119,12 @@ bool fdset_contains(FDSet *s, int fd) {
         assert(s);
         assert(fd >= 0);
 
+        /* Avoid integer overflow in FD_TO_PTR() */
+        if (fd == INT_MAX) {
+                log_debug("Refusing invalid fd: %d", fd);
+                return false;
+        }
+
         return !!set_get(MAKE_SET(s), FD_TO_PTR(fd));
 }
 
@@ -122,6 +132,10 @@ int fdset_remove(FDSet *s, int fd) {
         assert(s);
         assert(fd >= 0);
 
+        /* Avoid integer overflow in FD_TO_PTR() */
+        if (fd == INT_MAX)
+                return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Refusing invalid fd: %d", fd);
+
         return set_remove(MAKE_SET(s), FD_TO_PTR(fd)) ? fd : -ENOENT;
 }
 

diff --git a/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384 b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384
new file mode 100644 (file)
index 0000000..d0dca33
--- /dev/null
+++ b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384
@@ -0,0 +1,3 @@
+
+l.socket
+socket=2147483647 5
\ No newline at end of file