Fix: usage of FD_SET on fd_set > 1024 results in corruption
author    Jérémie Galarneau <jeremie.galarneau@efficios.com>
          Wed, 3 Aug 2016 16:36:34 +0000 (12:36 -0400)
committer Jérémie Galarneau <jeremie.galarneau@efficios.com>
          Wed, 3 Aug 2016 16:36:34 +0000 (12:36 -0400)
fd_set is (typically) defined as a 1024-bit-long array.
Therefore, using FD_SET with an fd > 1024 will result in a buffer
overrun.

Reported-by: Coverity Scan
CID 1360535 (#1 of 1): Out-of-bounds write (OVERRUN)

Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
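The commit message describes the root cause: FD_SET writes bit `fd` of a fixed-size bitmap, so any fd at or beyond FD_SETSIZE lands outside the `fd_set` object. The following is an added example, not code from this commit or from LTTng, showing the two defensive patterns a caller can use: a checked wrapper that refuses out-of-range fds before FD_SET ever touches memory, and a separately typed, fully zeroed, larger bitmap for tests that deliberately need fds above FD_SETSIZE. The names `fd_set_checked`, `big_fd_set`, `BIG_FD_SETSIZE`, `big_fd_zero`, `big_fd_set_fd` and `big_fd_isset` are invented here; the assumption that the kernel consumes the bitmap as a flat array of `unsigned long` words is stated in the code.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <string.h>
#include <sys/select.h>

/* Number of bits in one bitmap word; glibc lays fd_set out as an array of longs. */
#define FD_WORD_BITS (CHAR_BIT * sizeof(unsigned long))

/* Checked replacement for FD_SET: refuses any fd the fixed-size fd_set cannot
 * hold instead of writing past its end.  Returns 0 on success, -1 with
 * errno = EINVAL when fd is out of [0, FD_SETSIZE). */
int fd_set_checked(int fd, fd_set *set)
{
	if (fd < 0 || fd >= FD_SETSIZE) {
		errno = EINVAL;
		return -1;
	}
	FD_SET(fd, set);
	return 0;
}

/* Hypothetical enlarged set for tests that must carry fds >= FD_SETSIZE.
 * Assumption: the kernel reads nfds bits from a flat array of unsigned long
 * words, so a bigger bitmap with the same word layout can be handed to
 * pselect6(2) as long as nfds stays within BIG_FD_SETSIZE. */
#define BIG_FD_SETSIZE 2048
typedef struct {
	unsigned long bits[BIG_FD_SETSIZE / FD_WORD_BITS];
} big_fd_set;

/* Clear the whole bitmap.  FD_ZERO on a cast pointer would only clear
 * sizeof(fd_set) bytes and leave the upper words uninitialized. */
void big_fd_zero(big_fd_set *s)
{
	memset(s, 0, sizeof *s);
}

/* Set bit fd by hand rather than through FD_SET: the macro is bounded by
 * FD_SETSIZE, and glibc's fortified variant aborts on larger fds. */
int big_fd_set_fd(int fd, big_fd_set *s)
{
	if (fd < 0 || fd >= BIG_FD_SETSIZE) {
		errno = EINVAL;
		return -1;
	}
	s->bits[fd / FD_WORD_BITS] |= 1UL << (fd % FD_WORD_BITS);
	return 0;
}

int big_fd_isset(int fd, const big_fd_set *s)
{
	if (fd < 0 || fd >= BIG_FD_SETSIZE)
		return 0;
	return (int)((s->bits[fd / FD_WORD_BITS] >> (fd % FD_WORD_BITS)) & 1UL);
}

/* Self-check exercising both patterns; returns 1 when every step behaves. */
int demo_fd_sets(void)
{
	fd_set small;
	big_fd_set big;

	FD_ZERO(&small);
	if (fd_set_checked(5, &small) != 0 || !FD_ISSET(5, &small))
		return 0;
	/* FD_SETSIZE itself is the first fd that no longer fits. */
	if (fd_set_checked(FD_SETSIZE, &small) != -1 || errno != EINVAL)
		return 0;

	big_fd_zero(&big);
	if (big_fd_set_fd(1500, &big) != 0)
		return 0;
	if (big_fd_isset(1500, &big) != 1 || big_fd_isset(1499, &big) != 0)
		return 0;
	if (big_fd_set_fd(BIG_FD_SETSIZE, &big) != -1)
		return 0;
	return 1;
}
```

When the enlarged set is passed to `syscall(SYS_pselect6, nfds, &big, ...)`, keep `nfds <= BIG_FD_SETSIZE`; the bound check in `big_fd_set_fd` is what turns a silent overrun into a reported error.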
tests/regression/kernel/select_poll_epoll.c

index 592fbcab8809223ffb2104572566eb423c22f1f9..f24e9e468ebcf97da0cdebdf12512d1c5704a5b4 100644 (file)
@@ -442,7 +442,7 @@ void ppoll_fds_ulong_max(void)
  */
 void pselect_fd_too_big(void)
 {
-       fd_set rfds;
+       long rfds[2048 / (sizeof(long) * CHAR_BIT)];
        int ret;
        int fd2;
        char buf[BUF_SIZE];
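Review bot: the replacement array is sized from a bare 2048 that nothing ties to the fd this test creates, so if `fd2` ever lands at or above 2048 the out-of-bounds write comes back silently. Give the bound a name (e.g. `#define BIG_FD_SETSIZE 2048`), check `fd2 < BIG_FD_SETSIZE` before setting the bit, and confirm `<limits.h>` is included for `CHAR_BIT`. The `long` element type also relies on the kernel reading the bitmap as `unsigned long` words, which holds on Linux but deserves a comment next to the declaration.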
@@ -457,8 +457,7 @@ void pselect_fd_too_big(void)
                return;
        }
        FD_ZERO(&rfds);
-       FD_SET(fd2, &rfds);
-
+       FD_SET(fd2, (fd_set *) &rfds);
        ret = syscall(SYS_pselect6, fd2 + 1, &rfds, NULL, NULL, NULL, NULL);
 
        if (ret == -1) {
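Review bot: `FD_ZERO(&rfds);` at the top of this hunk is left untouched and still only clears `sizeof(fd_set)` bytes, so the upper half of the 2048-bit buffer stays uninitialized and the bits above 1024 that the syscall reads (nfds = `fd2 + 1`) are whatever was on the stack; replace it with `memset(rfds, 0, sizeof(rfds));` (it also passes a `long (*)[]` where an `fd_set *` is expected, the same mismatch the cast on the FD_SET line hides). The cast itself does not make `FD_SET` safe for `fd2 >= FD_SETSIZE`: with `_FORTIFY_SOURCE` enabled, glibc's `__FD_ELT` range-checks the fd at runtime and aborts the process, so set the bit directly, e.g. `rfds[fd2 / (sizeof(long) * CHAR_BIT)] |= 1UL << (fd2 % (sizeof(long) * CHAR_BIT));`.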