Fix select decoding with bogus (huge or negative) nfds.

We used to allocate and fetch bit arrays using a sanitized
length, but then iterate over them with "j < arg[0]" condition,
where arg[0] is not sanitized. This segfaults if arg[0] is huge
or negative. This change fixes this.

Add test/select.c to capture the case.

Signed-off-by: Dr. David Alan Gilbert <dave@treblig.org>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>

3 files changed, 25 insertions, 1 deletions

diff --git a/test/.gitignore b/test/.gitignore
index 7eb39cf..c73b64a 100644
--- a/test/.gitignore
+++ b/test/.gitignore
@@ -10,4 +10,5 @@ wait_must_be_interruptible
 threaded_execve
 mtd
 ubi
+select
 sigreturn
diff --git a/test/Makefile b/test/Makefile
index 92142b1..cc7d47a 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -3,7 +3,7 @@ CFLAGS += -Wall
 PROGS = \
     vfork fork sig skodic clone leaderkill childthread \
     sigkill_rain wait_must_be_interruptible threaded_execve \
-    mtd ubi sigreturn
+    mtd ubi select sigreturn
 
 all: $(PROGS)
 
diff --git a/test/select.c b/test/select.c
new file mode 100644
index 0000000..523d75c
--- /dev/null
+++ b/test/select.c
@@ -0,0 +1,23 @@
+/* dave@treblig.org */
+#include <sys/select.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+char buffer[1024*1024*2];
+
+int main()
+{
+	fd_set rds;
+	FD_ZERO(&rds);
+	FD_SET(2, &rds);
+	/* Start with a nice simple select */
+	select(3, &rds, &rds, &rds, NULL);
+	/* Now the crash case that trinity found, -ve nfds
+	 * but with a pointer to a large chunk of valid memory
+	 */
+	select(-1, (fd_set *)buffer, NULL, NULL, NULL);
+	return 0;
+}