fd_set coversions in select impl can read beyond the end of OS_impl_filehandle_table #919
Comments
jphickey
added a commit
to jphickey/osal
that referenced
this issue
Mar 22, 2021
Add an extra limit check for the index, as it is possible due to padding that this goes beyond the end of the array.
astrogeco
added a commit
that referenced
this issue
Mar 22, 2021
Fix #919, check index inside fdset conversions
jphickey
pushed a commit
to jphickey/osal
that referenced
this issue
Aug 10, 2022
Fix nasa#888, Add typedef for function return status codes
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
The loop inside OS_FdSet_ConvertIn_Impl and OS_FdSet_ConvertOut_Impl is limited by
sizeof(OS_FdSet), which itself is sized to accommodate OS_MAX_NUM_OPEN_FILES as a bit mask.The problem is that the size is (necessarily) padded up to a multiple of 8 bits. If OS_MAX_NUM_OPEN_FILES was not a multiple of 8, and some of these "padding" bits are set as 1, these functions will attempt to read entries beyond the end of
OS_impl_filehandle_table.To Reproduce
In normal use cases where the correct API is used (e.g.
OS_SelectFdAdd()) it is not possible to set these extra bits - as the OS_SelectFdAdd() checks if the filehandle is valid before setting the bit.But in coverage tests, the structure is
memset()to all ones (0xFF) which causes undefined behavior as it will end up reading beyond the end of the array.Expected behavior
Must not read beyond the end of the array even if extra bits are set.
System observed on:
Ubuntu 20.04
Additional context
Observed as failure in #917. This issue was not introduced by those merges, it just so happens that it changed the preconditions such this became exposed.
Reporter Info
Joseph Hickey, Vantage Systems, Inc.
The text was updated successfully, but these errors were encountered: