shared: refuse fd == INT_MAX

Since we do `FD_TO_PTR(fd)` that expands to `INT_TO_PTR(fd) + 1` which triggers an integer overflow. Resolves: #27522
2024-07-22 10:44:58 +00:00 · 2023-05-04 16:45:36 +02:00 · 2023-05-04 16:45:36 +02:00 · cc938f1ce0
parent 77be02ad3c
commit cc938f1ce0
2 changed files with 17 additions and 0 deletions
--- a/src/shared/fdset.c
+++ b/src/shared/fdset.c
@ -77,6 +77,10 @@ int fdset_put(FDSet *s, int fd) {
        assert(s);
        assert(fd >= 0);

+        /* Avoid integer overflow in FD_TO_PTR() */
+        if (fd == INT_MAX)
+                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing invalid fd: %d", fd);
+
        return set_put(MAKE_SET(s), FD_TO_PTR(fd));
 }

@ -115,6 +119,12 @@ bool fdset_contains(FDSet *s, int fd) {
        assert(s);
        assert(fd >= 0);

+        /* Avoid integer overflow in FD_TO_PTR() */
+        if (fd == INT_MAX) {
+                log_debug("Refusing invalid fd: %d", fd);
+                return false;
+        }
+
        return !!set_get(MAKE_SET(s), FD_TO_PTR(fd));
 }

@ -122,6 +132,10 @@ int fdset_remove(FDSet *s, int fd) {
        assert(s);
        assert(fd >= 0);

+        /* Avoid integer overflow in FD_TO_PTR() */
+        if (fd == INT_MAX)
+                return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Refusing invalid fd: %d", fd);
+
        return set_remove(MAKE_SET(s), FD_TO_PTR(fd)) ? fd : -ENOENT;
 }

--- a/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384
+++ b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384
@ -0,0 +1,3 @@
+
+l.socket
+socket=2147483647 5