diff options
author | Paul Mackerras <paulus@samba.org> | 2002-12-06 12:06:45 +0000 |
---|---|---|
committer | Paul Mackerras <paulus@samba.org> | 2002-12-06 12:06:45 +0000 |
commit | fc8efe940e9364ffd8d05023f0d96747f854388b (patch) | |
tree | d3256afd7e9a2cf3e7d7f6376bf5c7c1c1926a73 /pppd/tty.c | |
parent | c94534ca7dc9122687d1bc4cef38d9a81ff44048 (diff) | |
download | ppp-fc8efe940e9364ffd8d05023f0d96747f854388b.tar.gz |
Make sure we don't do FD_SET(fd, set) with fd >= FD_SETSIZE since
that could corrupt memory, and maybe could form the basis of an
attack on pppd. The problem was pointed out by Jun-ichiro itojun
Hagino.
Diffstat (limited to 'pppd/tty.c')
-rw-r--r-- | pppd/tty.c | 9 |
1 files changed, 8 insertions, 1 deletions
@@ -73,7 +73,7 @@ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#define RCSID "$Id: tty.c,v 1.8 2002/12/04 23:03:33 paulus Exp $" +#define RCSID "$Id: tty.c,v 1.9 2002/12/06 12:06:45 paulus Exp $" #include <stdio.h> #include <ctype.h> @@ -993,6 +993,13 @@ charshunt(ifd, ofd, record_file) #endif /* + * Check that the fds won't overrun the fd_sets + */ + if (ifd >= FD_SETSIZE || ofd >= FD_SETSIZE || pty_master >= FD_SETSIZE) + fatal("internal error: file descriptor too large (%d, %d, %d)", + ifd, ofd, pty_master); + + /* * Open the record file if required. */ if (record_file != NULL) { |