Fix stack buffer overflow in net functions with large file descriptor
Fix a stack buffer overflow with mbedtls_net_recv_timeout() when given a
file descriptor that is beyond FD_SETSIZE. The bug was due to not checking
that the file descriptor is within the range of an fd_set object.
Fix #4169
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/net_sockets.c b/library/net_sockets.c
index 2876f8f..e19d84a 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -535,6 +535,13 @@
if( fd < 0 )
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+ /* A limitation of select() is that it only works with file descriptors
+ * up to FD_SETSIZE. This is a limitation of the fd_set type. Error out
+ * early, because attempting to call FD_SET on a large file descriptor
+ * is a buffer overflow on typical platforms. */
+ if( fd >= FD_SETSIZE )
+ return( MBEDTLS_ERR_NET_RECV_FAILED );
+
FD_ZERO( &read_fds );
FD_SET( fd, &read_fds );
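Review bot: The added check `if( fd >= FD_SETSIZE )` treats FD_SETSIZE as an upper bound on the descriptor value. That holds where fd_set is a bitmap indexed by descriptor number. It does not hold on Winsock, where fd_set is an array of socket handles and FD_SETSIZE limits how many entries it holds, so valid sockets with handle values at or above FD_SETSIZE would now be rejected. Consider compiling the check only for non-Windows builds. Separately, returning MBEDTLS_ERR_NET_RECV_FAILED makes an out-of-range descriptor indistinguishable from a failed receive, so the FD_SETSIZE limit should be stated in the function's documentation. The commit title says "net functions", but the visible diff guards only this one call site; if net_sockets.c calls FD_SET anywhere else, that call needs the same check.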