hardening: add safe FD_SET() wrapper openvpn_fd_set()

On many platforms (not Windows, for once), FD_SET() can write outside the given fd_set if an fd >= FD_SETSIZE is given. To make sure we don't do that, add an ASSERT() to error out with a clear error message when this does happen. This patch was inspired by remarks about FD_SET() from Sebastian Krahmer of the SuSE Security Team. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1456996968-29472-1-git-send-email-steffan.karger@fox-it.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/11285 Signed-off-by: Gert Doering <gert@greenie.muc.de>
author: Steffan Karger 2016-03-03 10:22:48 +0100
committer: Gert Doering 2016-03-06 11:14:44 +0100
commit: e0b3fd49e2b5bba8cb57419a13cb75b56ac91b94 (patch)
tree: 433b8d535f82776696a564972d3030f041d88a08 /src/openvpn/proxy.c
parent: 13de0103ea361e2be24ab8b16f5be269c6ab7496 (diff)
download: openvpn-e0b3fd49e2b5bba8cb57419a13cb75b56ac91b94.zip
openvpn-e0b3fd49e2b5bba8cb57419a13cb75b56ac91b94.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 2568e19..8ff6458 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -92,7 +92,7 @@ recv_line (socket_descriptor_t sd,
 	}
 
       FD_ZERO (&reads);
-      FD_SET (sd, &reads);
+      openvpn_fd_set (sd, &reads);
       tv.tv_sec = timeout_sec;
       tv.tv_usec = 0;
author	Steffan Karger	2016-03-03 10:22:48 +0100
committer	Gert Doering	2016-03-06 11:14:44 +0100
commit	e0b3fd49e2b5bba8cb57419a13cb75b56ac91b94 (patch)
tree	433b8d535f82776696a564972d3030f041d88a08 /src/openvpn/proxy.c
parent	13de0103ea361e2be24ab8b16f5be269c6ab7496 (diff)
download	openvpn-e0b3fd49e2b5bba8cb57419a13cb75b56ac91b94.zip openvpn-e0b3fd49e2b5bba8cb57419a13cb75b56ac91b94.tar.gz