Make sure we don't do FD_SET(fd, set) with fd >= FD_SETSIZE since

that could corrupt memory, and maybe could form the basis of an attack on pppd. The problem was pointed out by Jun-ichiro itojun Hagino.
author: Paul Mackerras <paulus@samba.org> 2002-12-06 12:06:45 +0000
committer: Paul Mackerras <paulus@samba.org> 2002-12-06 12:06:45 +0000
commit: fc8efe940e9364ffd8d05023f0d96747f854388b (patch)
tree: d3256afd7e9a2cf3e7d7f6376bf5c7c1c1926a73 /pppd/tty.c
parent: c94534ca7dc9122687d1bc4cef38d9a81ff44048 (diff)
download: ppp-fc8efe940e9364ffd8d05023f0d96747f854388b.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/pppd/tty.c b/pppd/tty.c
index 803d8ba..efc92ec 100644
--- a/pppd/tty.c
+++ b/pppd/tty.c
@@ -73,7 +73,7 @@
  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#define RCSID	"$Id: tty.c,v 1.8 2002/12/04 23:03:33 paulus Exp $"
+#define RCSID	"$Id: tty.c,v 1.9 2002/12/06 12:06:45 paulus Exp $"
 
 #include <stdio.h>
 #include <ctype.h>
@@ -993,6 +993,13 @@ charshunt(ifd, ofd, record_file)
 #endif
 
     /*
+     * Check that the fds won't overrun the fd_sets
+     */
+    if (ifd >= FD_SETSIZE || ofd >= FD_SETSIZE || pty_master >= FD_SETSIZE)
+	fatal("internal error: file descriptor too large (%d, %d, %d)",
+	      ifd, ofd, pty_master);
+
+    /*
      * Open the record file if required.
      */
     if (record_file != NULL) {
author	Paul Mackerras <paulus@samba.org>	2002-12-06 12:06:45 +0000
committer	Paul Mackerras <paulus@samba.org>	2002-12-06 12:06:45 +0000
commit	fc8efe940e9364ffd8d05023f0d96747f854388b (patch)
tree	d3256afd7e9a2cf3e7d7f6376bf5c7c1c1926a73 /pppd/tty.c
parent	c94534ca7dc9122687d1bc4cef38d9a81ff44048 (diff)
download	ppp-fc8efe940e9364ffd8d05023f0d96747f854388b.tar.gz