From ae96d1f641e6339fa39e60bd61ced00a189e2808 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 22 Mar 2016 18:12:02 -0700
Subject: [PATCH] [v9_10] disallow out-of-range descriptors in isc_socket_fdwatchcreate()
---
 lib/isc/include/isc/socket.h | 4 +++-
 lib/isc/unix/socket.c | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index 2d2285b7c8..0b36359840 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -437,7 +437,8 @@ isc_socket_fdwatchcreate(isc_socketmgr_t *manager,
 *
 * Note:
 *
- *\li 'fd' is the already-opened file descriptor.
+ *\li 'fd' is the already-opened file descriptor (must be less
+ * than maxsockets).
 *\li This function is not available on Windows.
 *\li The callback function is called "in-line" - this means the function
 * needs to return as fast as possible, as all other I/O will be suspended
@@ -461,6 +462,7 @@ isc_socket_fdwatchcreate(isc_socketmgr_t *manager,
 *\li #ISC_R_NOMEMORY
 *\li #ISC_R_NORESOURCES
 *\li #ISC_R_UNEXPECTED
+ *\li #ISC_R_RANGE
 */
 isc_result_t
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index e8e05a8ca4..3ee5b54665 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -2245,7 +2245,7 @@ destroy(isc__socket_t **sockp) {
 INSIST(ISC_LIST_EMPTY(sock->recv_list));
 INSIST(ISC_LIST_EMPTY(sock->send_list));
 INSIST(sock->connect_ev == NULL);
- REQUIRE(sock->fd == -1 || sock->fd < (int)manager->maxsocks);
+ INSIST(sock->fd >= -1 && sock->fd < (int)manager->maxsocks);
 if (sock->fd >= 0) {
 fd = sock->fd;
@@ -3106,6 +3106,9 @@ isc__socket_fdwatchcreate(isc_socketmgr_t *manager0, int fd, int flags,
 REQUIRE(VALID_MANAGER(manager));
 REQUIRE(socketp != NULL && *socketp == NULL);
+ if (fd < 0 || (unsigned int)fd >= manager->maxsocks)
+ return (ISC_R_RANGE);
+
 result = allocate_socket(manager, isc_sockettype_fdwatch, &sock);
 if (result != ISC_R_SUCCESS)
 return (result);
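Review bot: The reworded `'fd'` note in the first socket.h hunk documents only the upper bound and calls the limit `maxsockets`, while the check added in lib/isc/unix/socket.c also rejects negative descriptors and compares against `manager->maxsocks`. I would word it as `'fd' is the already-opened file descriptor (must be non-negative and less than the manager's maxsocks limit).` The `#ISC_R_RANGE` entry added in the second hunk of this file would be more useful to callers if it said that it is returned for an out-of-range 'fd' and that no socket is created in that case.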
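Review bot: The bound in destroy() is still enforced by a fatal assertion, so any other path that stores an out-of-range value in `sock->fd` can still abort the process at this line; the entry check this commit adds covers only isc__socket_fdwatchcreate(). It is worth confirming that every other place that assigns `sock->fd` enforces the same bound, which is not visible in this diff. I would also record the intent above the INSIST with a comment such as `/* Internal invariant: fd is -1 (no descriptor) or was range-checked when the socket was created. */`. destroy() begins before and continues after the hunk.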
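Review bot: The new early return in isc__socket_fdwatchcreate() has no comment and, judging by the diffstat, no accompanying test, so the reason for the bound is easy to lose in a later refactor. A comment above the check such as `/* Reject descriptors outside [0, maxsocks); destroy() asserts the same bound, so fail here instead of aborting later. */` would tie it to the invariant in destroy(). Because the function returns before allocate_socket(), the descriptor is left open and stays the caller's to close, and callers now have to handle ISC_R_RANGE; both are worth stating in the header note. A unit test that passes `-1` and a value equal to `maxsocks` and expects ISC_R_RANGE would pin the behaviour. The function body starts and continues outside the hunk.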