/* dave@treblig.org */
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
 * Backing store for the oversized fd_set used by the edge cases in main():
 * 2 MiB of valid, zero-initialised memory, far larger than sizeof(fd_set).
 */
char buffer[1024*1024*2];

/*
 * Regression exercise for select() argument validation.
 *
 * Issues one ordinary select() call followed by two calls whose nfds is
 * out of range. No return value is inspected and the program always
 * returns 0, so the only thing observed is whether the process gets as
 * far as the return statement.
 *
 * NOTE(review): the component that crashed is not visible in this file.
 * Whatever services these calls is presumably expected to range-check
 * nfds before deriving any fd_set length from it -- confirm against the
 * original report.
 */
int main()
{
    struct timeval short_wait = { .tv_sec = 0, .tv_usec = 100 };
    fd_set *big_set = (fd_set *)buffer;
    fd_set stderr_set;

    /* Baseline: a well-formed call, fd 2 only, same set in all three slots. */
    FD_ZERO(&stderr_set);
    FD_SET(2, &stderr_set);
    select(3, &stderr_set, &stderr_set, &stderr_set, NULL);

    /*
     * The crash case that trinity found: nfds is negative, yet the set
     * pointer refers to a large chunk of valid memory.
     */
    FD_ZERO(big_set);
    FD_SET(2, big_set);
    select(-1, big_set, NULL, NULL, NULL);

    /*
     * Variant: nfds is one past FD_SETSIZE. A 100 microsecond timeout is
     * passed here, unlike the two calls above, which pass NULL.
     */
    select(FD_SETSIZE + 1, big_set, NULL, NULL, &short_wait);

    return 0;
}