[lwip-devel] [bug #43361] select() crashes with stale FDs


From: Joel Cunningham
Subject: [lwip-devel] [bug #43361] select() crashes with stale FDs
Date: Sun, 05 Oct 2014 21:01:15 +0000
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0

URL:
  <http://savannah.nongnu.org/bugs/?43361>

                 Summary: select() crashes with stale FDs
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: jcunningham
            Submitted on: Sun 05 Oct 2014 09:01:14 PM GMT
                Category: sockets/netconn
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: 1.4.1

    _______________________________________________________

Details:

If an application calls select() with FDs set that do not correspond to valid
open sockets, a data abort will occur.

There are two spots where calls to tryget_socket() return a NULL and it is
dereferenced: when increasing and decreasing the sock->select_waiting value.
Other uses of tryget_socket() handle the NULL gracefully.

Just handling the NULL wouldn't technically be correct behavior of select
according to the Open Group specification:


Under the following conditions, select() fails and sets errno to:

[EBADF]
    One or more of the file descriptor sets specified a file descriptor that
is not a valid open file descriptor. 


http://pubs.opengroup.org/onlinepubs/007908799/xsh/select.html

We could add a single spin through the set FDs and check the validity of the
sockets.  Or as the sockets are processed via tryget_socket(), if a failure is
encountered, set errno and clean up.

My project uses lwIP 1.4.1, but the NULLs don't appear to be handled on the head
of the master branch either.

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?43361>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
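
The "single spin through the set FDs" option from the report, as an added sketch that is not lwIP code and not part of the original message: every set descriptor is validated before any select_waiting counter is touched, so a stale FD yields EBADF with nothing to undo. The names mock_sock, NUM_SOCKETS, select_mark_waiting and demo_select are hypothetical, and tryget_socket() here is a simplified stand-in for the function the report names.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/select.h>

#define NUM_SOCKETS 4                 /* assumed table size for this sketch */
struct mock_sock {                    /* hypothetical stand-in for the socket struct */
    int in_use;                       /* nonzero while the descriptor is open */
    int select_waiting;               /* select() calls currently waiting on it */
};
static struct mock_sock sockets[NUM_SOCKETS];

/* Stand-in lookup: NULL for out-of-range or closed (stale) descriptors. */
static struct mock_sock *tryget_socket(int fd)
{
    if (fd < 0 || fd >= NUM_SOCKETS || !sockets[fd].in_use)
        return NULL;
    return &sockets[fd];
}

static int fd_is_set(int fd, const fd_set *r, const fd_set *w, const fd_set *e)
{
    return (r && FD_ISSET(fd, r)) || (w && FD_ISSET(fd, w)) || (e && FD_ISSET(fd, e));
}

/* Pass 1 rejects the whole call if any set descriptor is stale; pass 2 marks
   waiters. Returns 0, or -1 with errno = EBADF and no counters modified. */
int select_mark_waiting(int maxfdp1, const fd_set *r, const fd_set *w, const fd_set *e)
{
    int fd;
    for (fd = 0; fd < maxfdp1; fd++) {
        if (fd_is_set(fd, r, w, e) && tryget_socket(fd) == NULL) {
            errno = EBADF;
            return -1;
        }
    }
    for (fd = 0; fd < maxfdp1; fd++)
        if (fd_is_set(fd, r, w, e))
            tryget_socket(fd)->select_waiting++;   /* non-NULL after pass 1 */
    return 0;
}

/* Constructed scenario: fd 1 is open, fd 2 is open only if fd2_open is nonzero;
   both are placed in the read set. */
int demo_select(int fd2_open)
{
    fd_set rd;
    FD_ZERO(&rd);
    sockets[1].in_use = 1; sockets[2].in_use = fd2_open;
    sockets[1].select_waiting = sockets[2].select_waiting = 0;
    FD_SET(1, &rd); FD_SET(2, &rd);
    return select_mark_waiting(3, &rd, NULL, NULL);
}
```

In a multithreaded stack both passes would have to run under the same protection as the socket table, otherwise a socket closed between them reintroduces the NULL dereference.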



