Describe the bug
The loop inside OS_FdSet_ConvertIn_Impl and OS_FdSet_ConvertOut_Impl is limited by sizeof(OS_FdSet), which itself is sized to accommodate OS_MAX_NUM_OPEN_FILES as a bit mask.
The problem is that the size is (necessarily) padded up to a multiple of 8 bits. If OS_MAX_NUM_OPEN_FILES is not a multiple of 8, and some of these "padding" bits are set to 1, these functions will attempt to read entries beyond the end of OS_impl_filehandle_table.
To Reproduce
In normal use cases where the correct API is used (e.g. OS_SelectFdAdd()) it is not possible to set these extra bits - as the OS_SelectFdAdd() checks if the filehandle is valid before setting the bit.
But in coverage tests, the structure is memset() to all ones (0xFF) which causes undefined behavior as it will end up reading beyond the end of the array.
Expected behavior
Must not read beyond the end of the array even if extra bits are set.
System observed on:
Ubuntu 20.04
Additional context
Observed as a failure in #917. This issue was not introduced by those merges; it just so happens that they changed the preconditions such that this became exposed.
Reporter Info
Joseph Hickey, Vantage Systems, Inc.
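The overrun described in the report, as an added example that is not OSAL's own code: a reduced C model of the bit-mask scan. The value OS_MAX_NUM_OPEN_FILES = 13, the two-byte OS_FdSet layout, the entry type and every function name below are assumptions chosen to show the mechanism (13 is deliberately not a multiple of 8, so sizeof(OS_FdSet) covers 16 bits and leaves 3 padding bits). The "unbounded" loop mirrors the reported bound of sizeof(OS_FdSet) bits but counts out-of-range indices instead of dereferencing them, so the model stays defined; the "bounded" loop is one way to satisfy the expected behaviour.

```c
/* Added example, not OSAL code. Models the OS_FdSet padding-bit overrun.
 * Assumed values: OS_MAX_NUM_OPEN_FILES = 13 and the layouts below. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OS_MAX_NUM_OPEN_FILES 13                          /* hypothetical; not a multiple of 8 */
#define OS_FDSET_BYTES ((OS_MAX_NUM_OPEN_FILES + 7) / 8)   /* 2 bytes = 16 bits, 3 padding bits */

typedef struct { uint8_t object_ids[OS_FDSET_BYTES]; } OS_FdSet;   /* assumed layout */

typedef struct { int fd; bool selectable; } OS_impl_filehandle_entry_t; /* assumed layout */

/* Model of OS_impl_filehandle_table: sized exactly to OS_MAX_NUM_OPEN_FILES entries. */
static OS_impl_filehandle_entry_t OS_impl_filehandle_table[OS_MAX_NUM_OPEN_FILES];

static bool fdset_bit_is_set(const OS_FdSet *set, unsigned idx)
{
    return (set->object_ids[idx >> 3] >> (idx & 7)) & 1u;
}

/* Reproduces the coverage-test precondition: memset() the set to all ones. */
static void fdset_all_ones(OS_FdSet *set) { memset(set, 0xFF, sizeof(*set)); }

/* Loop bounded by sizeof(OS_FdSet) bits, as described in the report.
 * Returns how many set bits map to an index past the end of the table.
 * The reported loop would read those entries; here they are only counted. */
unsigned convert_unbounded_overrun_count(const OS_FdSet *set)
{
    unsigned overrun = 0;
    for (unsigned i = 0; i < sizeof(OS_FdSet) * 8; ++i) {
        if (!fdset_bit_is_set(set, i)) continue;
        if (i >= OS_MAX_NUM_OPEN_FILES) { ++overrun; continue; } /* would be an OOB read */
        OS_impl_filehandle_table[i].selectable = true;            /* in-range access */
    }
    return overrun;
}

/* Loop bounded by the table size instead: a padding bit can never become an index.
 * Returns the number of table entries touched. */
unsigned convert_bounded(const OS_FdSet *set)
{
    unsigned touched = 0;
    for (unsigned i = 0; i < OS_MAX_NUM_OPEN_FILES; ++i) {
        if (fdset_bit_is_set(set, i)) {
            OS_impl_filehandle_table[i].selectable = true;
            ++touched;
        }
    }
    return touched;
}

/* Model of the OS_SelectFdAdd() check: refuse to set a bit for an invalid handle index. */
bool select_fd_add(OS_FdSet *set, unsigned idx)
{
    if (idx >= OS_MAX_NUM_OPEN_FILES) return false;
    set->object_ids[idx >> 3] |= (uint8_t)(1u << (idx & 7));
    return true;
}

unsigned padding_bits_in_fdset(void)
{
    return (unsigned)(sizeof(OS_FdSet) * 8 - OS_MAX_NUM_OPEN_FILES);
}

/* Worst case from the coverage test, run through both loops. */
unsigned overrun_with_all_ones(void)
{
    OS_FdSet s; fdset_all_ones(&s);
    return convert_unbounded_overrun_count(&s);
}

unsigned bounded_with_all_ones(void)
{
    OS_FdSet s; fdset_all_ones(&s);
    return convert_bounded(&s);
}

int main(void)
{
    printf("padding bits: %u\n", padding_bits_in_fdset());
    printf("sizeof-bounded loop would overrun by %u entries\n", overrun_with_all_ones());
    printf("table-bounded loop touches %u entries\n", bounded_with_all_ones());
    return 0;
}
```

With the all-ones set the sizeof-bounded scan reaches indices 13, 14 and 15 of a 13-entry table; the table-bounded scan stops at 13. The select_fd_add() model shows why the padding bits are unreachable through the normal API: index 13 is rejected before any bit is set.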