authorFrantisek Sumsal <frantisek@sumsal.cz>2023-05-04 16:45:36 +0200
committerFrantisek Sumsal <frantisek@sumsal.cz>2023-05-05 22:15:23 +0200
commitcc938f1ce0f1eafc435e0dd1d9fe45aaedc526e1 (patch)
tree4b2b78884264f2652a2c9a43cc640cff82f5c80d /src/shared
parent77be02ad3cca5150fb84fc452dfda34e61f9ab8c (diff)
downloadsystemd-cc938f1ce0f1eafc435e0dd1d9fe45aaedc526e1.tar.gz
shared: refuse fd == INT_MAX
Since `FD_TO_PTR(fd)` expands to `INT_TO_PTR(fd) + 1`, passing fd == INT_MAX triggers an integer overflow. Resolves: #27522
Diffstat (limited to 'src/shared')
-rw-r--r--src/shared/fdset.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/shared/fdset.c b/src/shared/fdset.c
index d816a3e4ef..2138ffcdb9 100644
--- a/src/shared/fdset.c
+++ b/src/shared/fdset.c
@@ -77,6 +77,10 @@ int fdset_put(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX)
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing invalid fd: %d", fd);
+
return set_put(MAKE_SET(s), FD_TO_PTR(fd));
}
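Review bot: A negative fd still aborts on `assert(fd >= 0)` while the new branch returns -EINVAL for `fd == INT_MAX`, so the two ends of the invalid range are handled differently in fdset_put, and the same holds in the fdset_contains and fdset_remove hunks. Whether any caller can pass a value it parsed rather than one it received from the kernel is not visible in these hunks; if one can, the lower bound deserves the same graceful return instead of an abort. The guard is also written out three times, and a single predicate such as `static inline bool fd_storable(int fd) { return fd >= 0 && fd < INT_MAX; }` would keep the bound in one place for any further FD_TO_PTR() user in this file. The signature of fdset_put lies above the hunk.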
@@ -115,6 +119,12 @@ bool fdset_contains(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX) {
+ log_debug("Refusing invalid fd: %d", fd);
+ return false;
+ }
+
return !!set_get(MAKE_SET(s), FD_TO_PTR(fd));
}
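Review bot: The message `Refusing invalid fd: %d` in fdset_contains reads as if an operation was rejected, but this is a membership query that simply answers false. Wording such as `log_debug("fd %d can never be stored in an FDSet, reporting it as absent", fd);` tells whoever reads the debug log what actually happened, and distinguishes this path from the identical message emitted by fdset_put and fdset_remove. The opening line of the function is outside the hunk.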
@@ -122,6 +132,10 @@ int fdset_remove(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX)
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Refusing invalid fd: %d", fd);
+
return set_remove(MAKE_SET(s), FD_TO_PTR(fd)) ? fd : -ENOENT;
}
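Review bot: fdset_remove reports `ENOENT` for the same value that fdset_put rejects with `EINVAL`, and the comment above the check does not say why the two codes differ. The choice looks deliberate, since a value that fdset_put never accepts cannot be present and the normal miss path on the last line already returns -ENOENT, so the comment could state that: `/* fdset_put() refuses INT_MAX, so it can never be in the set; report it as missing and avoid the overflow in FD_TO_PTR() */`. The signature of fdset_remove is above the hunk.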