From: Nicholas N. <nj...@ca...> - 2003-11-02 21:22:31
CVS commit by nethercote: Apply patch from Steve Grubb:

It turns out that select is an open-ended function that can take thousands of fds to select on if you are careful. fd_set as defined allocates 128 bytes of space, but you can allocate it dynamically. The bug goes like this... the programmer looks at maxfd and determines how many bytes it takes to allocate for the fd_set. Suppose 5 was the maximum fd. Going through the howmany macro yields 4 bytes. The sizeof fd_set is 128 bytes. If you do a rdfds_copy = *rfds, then valgrind overruns the rfds variable causing invalid reads. You can see real live code that does this around line 1260 of sshd.c from OpenSSH.

I discussed this problem with Damien Miller of the OpenSSH project since it was their code I was auditing. I then read the source to the Linux kernel to make sure that it has no dependencies on the size of the structure passed in as the fd sets. It is very careful to look at n and then limit itself to the bytes indicated by n of the select call.

The attached patch fixes this problem. I tested the OpenSSH daemon against this and the bug at select is now resolved. I did not look to see if poll is wrapped by valgrind. But it should be scalable too.

(Nb: I haven't touched poll(), I don't understand it well enough to know if it needs fixing, let alone how to do so.)

M +62 -20 vg_intercept.c 1.18.2.1
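The sizing rule the message describes, as an added example (not the Valgrind patch and not the sshd.c code it refers to): the fd_set is allocated to cover only the descriptors actually in use, and a copy must be limited to those bytes rather than done with a whole-struct assignment. The function names fdset_bytes, fdset_alloc and fdset_copy are assumptions; the byte counts follow the word size of the build, which is why the message's 32-bit figure of 4 bytes becomes 8 on a 64-bit build.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>

/* Bits per word of an fd_set. glibc builds fd_set from long words, so
 * using long keeps this arithmetic in step with FD_SET()/FD_ISSET(). */
#define FDS_WORD_BITS (8 * sizeof(long))

/* Bytes needed for an fd_set covering descriptors 0..nfds-1 (nfds is the
 * value passed to select(), i.e. maxfd + 1). This is the howmany()-style
 * computation from the message: whole words, not the fixed sizeof(fd_set). */
size_t fdset_bytes(int nfds)
{
    size_t words = ((size_t)nfds + FDS_WORD_BITS - 1) / FDS_WORD_BITS;
    return words * sizeof(long);
}

/* Allocate a zeroed fd_set that is only as large as nfds requires.
 * Example: for nfds = 6 (maxfd 5) this is one word, far less than the
 * 128-byte sizeof(fd_set). Caller frees with free(). */
fd_set *fdset_alloc(int nfds)
{
    return calloc(1, fdset_bytes(nfds));
}

/* Copy only the bytes belonging to the first nfds descriptors. A plain
 * `*dst = *src` would read sizeof(fd_set) bytes and overrun a set from
 * fdset_alloc(); that over-read is exactly what Valgrind flagged. */
void fdset_copy(fd_set *dst, const fd_set *src, int nfds)
{
    memcpy(dst, src, fdset_bytes(nfds));
}

/* Round-trip check: mark descriptor fd in a right-sized set, copy it with
 * the bounded copy, and report whether the bit survived. Returns 1 on
 * success, 0 on failure (allocation or lost bit). */
int fdset_roundtrip(int fd)
{
    int nfds = fd + 1;
    fd_set *src = fdset_alloc(nfds);
    fd_set *dst = fdset_alloc(nfds);
    int ok = 0;
    if (src && dst) {
        FD_SET(fd, src);                /* fd < nfds, so it lies inside the buffer */
        fdset_copy(dst, src, nfds);
        ok = FD_ISSET(fd, dst) && !FD_ISSET(0, dst);
    }
    free(src);
    free(dst);
    return ok;
}
```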