pkgsrc-Bugs archive


Re: pkg/50995: sigsegv in recv()



On Thu, Mar 31, 2016 at 05:00:01AM +0000, David Holland wrote:
> The following reply was made to PR pkg/50995; it has been noted by GNATS.
> 
> From: David Holland <dholland-pbugs%netbsd.org@localhost>
> To: gnats-bugs%NetBSD.org@localhost
> Cc: 
> Subject: Re: pkg/50995: sigsegv in recv()
> Date: Thu, 31 Mar 2016 04:56:35 +0000
> 
>  On Wed, Mar 30, 2016 at 04:15:00PM +0000, Patrick Welche wrote:
>   >  > (gdb) print this
>   >  > $7 = (BaseSocket * const) 0x7f7f00000001
>   >  > 
>   >  > isn't == 0x7f7fffffd320, I don't know...
>   >  > 
>   >  > > | #0  BaseSocket::readFromSocket (this=0x7f7f00000001, 
>   >  > > |     this@entry=0x7f7fffffd320, buff=buff@entry=0x7f7fffffd25e "", 
>   >  
>   >  Note that @entry *this is the expected 0x7f7fffffd320, and all that
>   >  happens of note is a call to select() and the recv() mentioned above.
>  
>  Wild speculation: is the number-of-fds argument to select larger than
>  FD_SETSIZE?

Good point! The fd handling in general in dansguardian is a mess...

Looking at the coredump:

fd.sck = 256

        fd_set fdSet;
        FD_ZERO(&fdSet);  // clear the set
        FD_SET(sck, &fdSet);  // add fd to the set
        timeval t;  // timeval struct
        t.tv_sec = 0;
        t.tv_usec = 0;  

        if (selectEINTR(sck + 1, &fdSet, NULL, NULL, &t) < 1) {
                return false;
        }

so the number-of-fds argument is 257

src/sys/sys/fd_set.h:

/*
 * Select uses bit fields of file descriptors.  These macros manipulate
 * such bit fields.  Note: FD_SETSIZE may be defined by the user.
 */

#ifndef FD_SETSIZE
#define FD_SETSIZE      256
#endif

so you have a hole in one! (I don't see FD_SETSIZE defined by the user...)

(How can this trash the stack?)

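The failure mode the thread converges on is FD_SET() being applied to a descriptor number (256) that is not below FD_SETSIZE (256 on NetBSD unless overridden), so the macro sets a bit past the end of the stack-allocated fd_set. The following C program is an added example, not dansguardian's code: it wraps select() with the bounds check that is missing from the quoted snippet, keeps the EINTR retry that selectEINTR() provides, and shows the poll() form that has no FD_SETSIZE limit at all. The wrapper names, the pipe-based self-check and the timeout convention are assumptions made for this example.

```c
/* Added example (not dansguardian's code): bounds-checked select() and a
 * poll() alternative for the FD_SETSIZE problem discussed in the thread. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Returns 1 if fd may be used with FD_SET()/FD_ISSET() on this platform, else 0.
 * fd_set is a fixed bit array of FD_SETSIZE bits; FD_SET(fd, &set) for
 * fd >= FD_SETSIZE writes beyond the (usually stack-allocated) fd_set. */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Wait up to timeout_ms (>= 0) for sck to become readable using select(),
 * retrying on EINTR like the selectEINTR() helper quoted in the thread.
 * Returns 1 if readable, 0 on timeout, -1 on error with errno set.
 * Descriptors that do not fit in an fd_set are rejected with EINVAL
 * instead of corrupting the stack. */
int wait_readable_select(int sck, int timeout_ms)
{
    if (!fd_fits_select(sck)) {
        errno = EINVAL;
        return -1;
    }
    for (;;) {
        fd_set fdSet;
        struct timeval t;
        int rc;
        FD_ZERO(&fdSet);
        FD_SET(sck, &fdSet);            /* safe: sck < FD_SETSIZE checked above */
        t.tv_sec = timeout_ms / 1000;
        t.tv_usec = (timeout_ms % 1000) * 1000;
        rc = select(sck + 1, &fdSet, NULL, NULL, &t);
        if (rc < 0 && errno == EINTR)
            continue;                   /* interrupted by a signal: retry */
        if (rc < 0)
            return -1;
        return (rc > 0 && FD_ISSET(sck, &fdSet)) ? 1 : 0;
    }
}

/* Same contract using poll(), which takes an array of descriptors and has no
 * FD_SETSIZE limit, so it stays correct once a process holds more than
 * FD_SETSIZE open files. */
int wait_readable_poll(int sck, int timeout_ms)
{
    struct pollfd pfd;
    int rc;
    pfd.fd = sck;
    pfd.events = POLLIN;
    pfd.revents = 0;
    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return -1;
    if (rc == 0)
        return 0;
    if (pfd.revents & POLLNVAL) {       /* descriptor is not open */
        errno = EBADF;
        return -1;
    }
    return 1;                           /* POLLIN/POLLHUP/POLLERR: read() will not block */
}

/* Self-check on a constructed pipe: empty pipe times out, one byte makes it
 * readable, for both wrappers.  Returns 1 when every step behaves as expected. */
int demo_pipe_roundtrip(void)
{
    int p[2], ok = 1;
    if (pipe(p) < 0)
        return 0;
    ok = ok && wait_readable_select(p[0], 0) == 0;
    ok = ok && wait_readable_poll(p[0], 0) == 0;
    ok = ok && write(p[1], "x", 1) == 1;
    ok = ok && wait_readable_select(p[0], 0) == 1;
    ok = ok && wait_readable_poll(p[0], 0) == 1;
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void)
{
    int rc;
    printf("pipe round trip ok: %d\n", demo_pipe_roundtrip());
    /* A descriptor number equal to FD_SETSIZE (constructed, not opened) is
     * rejected before FD_SET() can touch memory beyond fdSet. */
    rc = wait_readable_select(FD_SETSIZE, 0);
    printf("select on fd %d: %d (%s)\n", FD_SETSIZE, rc, rc < 0 ? strerror(errno) : "ok");
    return 0;
}
```

The check in fd_fits_select() is the one that would have turned the crash in readFromSocket() into a clean error; switching the wrapper to poll() removes the limit instead of merely detecting it, which matters for a proxy that may hold hundreds of connections open.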
