From 9aa324de2d9f69d74f5b30c33a78d3a38501342f Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 31 Jan 2022 20:05:02 +0100
Subject: [PATCH] DEBUG: fd: make sure we never try to insert/delete an impossible FD number
It's among the cases that would provoke memory corruption, let's add some tests against negative FDs and those larger than the table. This must never ever happen and would currently result in silent corruption or a crash. Better have a noticeable one exhibiting the call chain if that were to happen.
---
 include/haproxy/fd.h | 5 +++++
 src/fd.c | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/include/haproxy/fd.h b/include/haproxy/fd.h
index 40ef38f73..8bf30cd25 100644
--- a/include/haproxy/fd.h
+++ b/include/haproxy/fd.h
@@ -319,6 +319,11 @@ static inline void fd_insert(int fd, void *owner, void (*iocb)(int fd), unsigned
 {
 extern void sock_conn_iocb(int);
+ /* This must never happen and would definitely indicate a bug, in
+ * addition to overwriting some unexpected memory areas.
+ */
+ BUG_ON(fd < 0 || fd >= global.maxsock);
+
 fdtab[fd].owner = owner;
 fdtab[fd].iocb = iocb;
 fdtab[fd].state = 0;
diff --git a/src/fd.c b/src/fd.c
index 30fefc473..c2dfcf1d6 100644
--- a/src/fd.c
+++ b/src/fd.c
@@ -336,6 +336,11 @@ void _fd_delete_orphan(int fd)
 */
 void fd_delete(int fd)
 {
+ /* This must never happen and would definitely indicate a bug, in
+ * addition to overwriting some unexpected memory areas.
+ */
+ BUG_ON(fd < 0 || fd >= global.maxsock);
+
 /* we must postpone removal of an FD that may currently be in use
 * by another thread. This can happen in the following two situations:
 * - after a takeover, the owning thread closes the connection but
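Review bot: The new `BUG_ON(fd < 0 || fd >= global.maxsock);` in fd_insert only protects builds where BUG_ON expands to a real check; if this tree compiles BUG_ON out when DEBUG_STRICT is unset, or has a warn-only strict mode (neither is visible from the hunk), the `fdtab[fd].owner = owner;` and following writes still execute with the bad index and the silent corruption described in the commit message is unchanged for those builds. The added comment should state that limitation, e.g. `/* Only enforced when BUG_ON is active; otherwise an out-of-range fd still corrupts fdtab. */`. The bound also assumes fdtab is sized from global.maxsock; if the table is allocated elsewhere with a different count, that count is the value to compare against. fd_insert's body continues past the end of the hunk.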
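Review bot: The range check is placed only in fd_delete, while `_fd_delete_orphan(int fd)` appears in the hunk header context and, going by its name, is presumably the routine that actually touches `fdtab[fd]`; if it has any caller other than fd_delete (a deferred or orphan-cleanup path, say), that path still reaches the table unchecked and deserves the same `BUG_ON(fd < 0 || fd >= global.maxsock);` at its entry. Since the identical condition is now duplicated in fd.h and fd.c, a shared helper such as `#define FD_CHECK_RANGE(fd) BUG_ON((fd) < 0 || (fd) >= global.maxsock)` would keep the two from drifting if the table bound ever changes. The comment copied verbatim from fd_insert talks about "overwriting" memory, whereas on the delete side the hazard is reading and clearing a slot outside fdtab; `in addition to touching memory outside fdtab.` would describe this site more accurately. fd_delete's body continues past the end of the hunk.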