Add hardening for select()

This is unlikely to be used, since fd_set is usually manipulated by macros, but it doesn't hurt to add a simple comparison.
author: jvoisin 2023-11-16 16:42:41 +0100
committer: jvoisin 2023-11-16 16:42:41 +0100
commit: 52ec4848225a0e9f577272015ced52c45923d4ba (patch)
tree: 2d0f2395dfd51d7b2810b7be3e549176b8a6c736
parent: cfdcaf72ca60db28ad8a7240a5a09e99151cab24 (diff)
4 files changed, 46 insertions, 0 deletions
diff --git a/include/sys/select.h b/include/sys/select.h
index 29819be..f1cefee 100644
--- a/include/sys/select.h
+++ b/include/sys/select.h
@@ -67,6 +67,18 @@ _STI int __fortify_FD_ISSET(int __f, fd_set * _FORTIFY_POS0 __s)
 #undef FD_ISSET
 #define FD_ISSET(fd, set) __fortify_FD_ISSET(fd, set)
+#ifndef __clang__
+#undef select
+_FORTIFY_FN(select) int select(int nfds, fd_set* readfds,
+                  fd_set* writefds,
+                  fd_set* exceptfds,
+                  struct timeval *timeout){
+        if (nfds > FD_SETSIZE + 1)
+                __builtin_trap();
+        return __orig_select(nfds, readfds, writefds, exceptfds, timeout);
+}
+#endif
 #ifdef __cplusplus
 }
 #endif
diff --git a/tests/Makefile b/tests/Makefile
index a93e0e9..4889dc7 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -78,6 +78,8 @@ RUNTIME_TARGETS= \
        test_recv_static             \
        test_recvfrom_dynamic        \
        test_recvfrom_static         \
+        test_select_dynamic          \
+        test_select_static           \
        test_send_dynamic            \
        test_send_static             \
        test_sendto_dynamic          \
diff --git a/tests/test_select_dynamic.c b/tests/test_select_dynamic.c
new file mode 100644
index 0000000..e67baf3
--- /dev/null
+++ b/tests/test_select_dynamic.c
@@ -0,0 +1,16 @@
+#include "common.h"
+#include <sys/select.h>
+int main(int argc, char** argv) {
+#if !defined(__clang__)
+  fd_set rfds;
+  CHK_FAIL_START
+  select(FD_SETSIZE + argc, &rfds, NULL, NULL, NULL);
+  CHK_FAIL_END
+  puts((const char*)&rfds);
+#endif
+  return ret;
+}
diff --git a/tests/test_select_static.c b/tests/test_select_static.c
new file mode 100644
index 0000000..c2abf7f
--- /dev/null
+++ b/tests/test_select_static.c
@@ -0,0 +1,16 @@
+#include "common.h"
+#include <sys/select.h>
+int main(int argc, char** argv) {
+#if !defined(__clang__)
+  fd_set rfds;
+  CHK_FAIL_START
+  select(1337, &rfds, NULL, NULL, NULL);
+  CHK_FAIL_END
+  puts((const char*)&rfds);
+#endif
+  return ret;
+}
author	jvoisin	2023-11-16 16:42:41 +0100
committer	jvoisin	2023-11-16 16:42:41 +0100
commit	52ec4848225a0e9f577272015ced52c45923d4ba (patch)
tree	2d0f2395dfd51d7b2810b7be3e549176b8a6c736
parent	cfdcaf72ca60db28ad8a7240a5a09e99151cab24 (diff)

diff --git a/include/sys/select.h b/include/sys/select.h index 29819be..f1cefee 100644 --- a/include/sys/select.h +++ b/include/sys/select.h
@@ -67,6 +67,18 @@ _STI int __fortify_FD_ISSET(int __f, fd_set * _FORTIFY_POS0 __s)
67	#undef FD_ISSET	67	#undef FD_ISSET
68	#define FD_ISSET(fd, set) __fortify_FD_ISSET(fd, set)	68	#define FD_ISSET(fd, set) __fortify_FD_ISSET(fd, set)
69		69
		70	#ifndef __clang__
		71	#undef select
		72	_FORTIFY_FN(select) int select(int nfds, fd_set* readfds,
		73	fd_set* writefds,
		74	fd_set* exceptfds,
		75	struct timeval *timeout){
		76	if (nfds > FD_SETSIZE + 1)
		77	__builtin_trap();
		78	return __orig_select(nfds, readfds, writefds, exceptfds, timeout);
		79	}
		80	#endif
		81
70	#ifdef __cplusplus	82	#ifdef __cplusplus
71	}	83	}
72	#endif	84	#endif


diff --git a/tests/Makefile b/tests/Makefile index a93e0e9..4889dc7 100644 --- a/tests/Makefile +++ b/tests/Makefile
@@ -78,6 +78,8 @@ RUNTIME_TARGETS= \
78	test_recv_static \	78	test_recv_static \
79	test_recvfrom_dynamic \	79	test_recvfrom_dynamic \
80	test_recvfrom_static \	80	test_recvfrom_static \
		81	test_select_dynamic \
		82	test_select_static \
81	test_send_dynamic \	83	test_send_dynamic \
82	test_send_static \	84	test_send_static \
83	test_sendto_dynamic \	85	test_sendto_dynamic \


diff --git a/tests/test_select_dynamic.c b/tests/test_select_dynamic.c new file mode 100644 index 0000000..e67baf3 --- /dev/null +++ b/tests/test_select_dynamic.c
@@ -0,0 +1,16 @@
		1	#include "common.h"
		2
		3	#include <sys/select.h>
		4
		5	int main(int argc, char** argv) {
		6	#if !defined(__clang__)
		7	fd_set rfds;
		8
		9	CHK_FAIL_START
		10	select(FD_SETSIZE + argc, &rfds, NULL, NULL, NULL);
		11	CHK_FAIL_END
		12
		13	puts((const char*)&rfds);
		14	#endif
		15	return ret;
		16	}


diff --git a/tests/test_select_static.c b/tests/test_select_static.c new file mode 100644 index 0000000..c2abf7f --- /dev/null +++ b/tests/test_select_static.c
@@ -0,0 +1,16 @@
		1	#include "common.h"
		2
		3	#include <sys/select.h>
		4
		5	int main(int argc, char** argv) {
		6	#if !defined(__clang__)
		7	fd_set rfds;
		8
		9	CHK_FAIL_START
		10	select(1337, &rfds, NULL, NULL, NULL);
		11	CHK_FAIL_END
		12
		13	puts((const char*)&rfds);
		14	#endif
		15	return ret;
		16	}