You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
src/oatpp/network/tcp/server/ConnectionProvider.cpp uses select() and fd_set to monitor the listening socket. However, fd_set in its default glibc implementation at least is restricted to fds < 1024. In case the socket fd turns out to be >=1024, using fd_set + select() causes the fd_set buffer overrun. At the very least via FD_SET setting 1 outside the array. And select() zeroing that out in case the fd isn't ready. In a case we caught that 0 deleted a part of the address on stack causing further corruption.
This can happen if a product has a dynamic HTTP server starting during runtime, with some files being open. Or if it opens a bunch of files at the beginning, hence pushing the socket fd to be large. One obvious solution is to just use poll(). Which is what "man select" suggests as well:
POSIX allows an implementation to define an upper limit, advertised via the constant FD_SETSIZE, on the range of file descriptors that can be specified in a file descriptor set. The Linux kernel imposes no fixed limit, but the glibc implementation makes fd_set a fixed-size type, with FD_SETSIZE defined as 1024, and the FD_*() macros operating according to that limit. To monitor file descriptors greater than 1023, use poll(2) or epoll(7) instead.
The text was updated successfully, but these errors were encountered:
src/oatpp/network/tcp/server/ConnectionProvider.cpp uses select() and fd_set to monitor the listening socket. However, fd_set in its default glibc implementation at least is restricted to fds < 1024. In case the socket fd turns out to be >=1024, using fd_set + select() causes the fd_set buffer overrun. At the very least via FD_SET setting 1 outside the array. And select() zeroing that out in case the fd isn't ready. In a case we caught that 0 deleted a part of the address on stack causing further corruption.
This can happen if a product has a dynamic HTTP server starting during runtime, with some files being open. Or if it opens a bunch of files at the beginning, hence pushing the socket fd to be large. One obvious solution is to just use poll(). Which is what "man select" suggests as well:
POSIX allows an implementation to define an upper limit, advertised via the constant FD_SETSIZE, on the range of file descriptors that can be specified in a file descriptor set. The Linux kernel imposes no fixed limit, but the glibc implementation makes fd_set a fixed-size type, with FD_SETSIZE defined as 1024, and the FD_*() macros operating according to that limit. To monitor file descriptors greater than 1023, use poll(2) or epoll(7) instead.
The text was updated successfully, but these errors were encountered: