>Number: 2247 >Category: general >Synopsis: FD_SET should not be called without bounds checking >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon May 18 18:30:01 PDT 1998 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.2.6 >Environment: BSDI 3.1 >Description: so, FD_SET sets a bit in a statically sized array. at least under BSDI, its behavior is documented to be undefined if the bit being set is outside what's allowed by FD_SETSIZE. although of course one may increase FD_SETSIZE, this doesn't really solve the problem. the right thing is to check all calls to FD_SET, so that apache doesn't indiscriminately twiddle bits on the stack. the symptoms of this problem can include failing to answer on some Listen directives, and SEGVs.
it is really a separate subject, but, under OSes like BSDI that support more or less arbitrary FD_SETSIZEes, it would win big if apache used something like FD_REALLOC, rather than forcing you to compile in (and hence hardcode) the FD_SETSIZE you want. >How-To-Repeat: try lots of listen statements under BSDI (~200 and some). >Fix: i would send a patch, but i don't know how to do error exits cleanly from some of the places where FD_SET is called, such as the lingering close handler. conceptually the fix is simple: just compare every call to FD_SET with FD_SETSIZE on OSes that don't support arbitrary setsizes, and allocate a sufficiently large set on those that do. >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ]
