From 3eb19cfd8a7c03920aeecae6692048429288af88 Mon Sep 17 00:00:00 2001
From: Stefano Brivio <sbrivio@redhat.com>
Date: Tue, 15 Mar 2022 23:17:44 +0100
Subject: tcp, udp, util: Enforce 24-bit limit on socket numbers

This should never happen, but there are no formal guarantees: ensure
socket numbers are below SOCKET_MAX.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 tcp.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'tcp.c')

diff --git a/tcp.c b/tcp.c
index 1eeb627..fcd9a04 100644
--- a/tcp.c
+++ b/tcp.c
@@ -1971,6 +1971,11 @@ static int tcp_conn_new_sock(struct ctx *c, sa_family_t af)
 	if (s < 0)
 		s = socket(af, SOCK_STREAM | SOCK_NONBLOCK, IPPROTO_TCP);
 
+	if (s > SOCKET_MAX) {
+		close(s);
+		return -EIO;
+	}
+
 	if (s < 0)
 		return -errno;
 
@@ -2982,6 +2987,12 @@ static int tcp_sock_refill(void *arg)
 			break;
 		}
 		*p4 = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, IPPROTO_TCP);
+		if (*p4 > SOCKET_MAX) {
+			close(*p4);
+			*p4 = -1;
+			return -EIO;
+		}
+
 		tcp_sock_set_bufsize(a->c, *p4);
 	}
 
@@ -2991,6 +3002,12 @@ static int tcp_sock_refill(void *arg)
 		}
 		*p6 = socket(AF_INET6, SOCK_STREAM | SOCK_NONBLOCK,
 			     IPPROTO_TCP);
+		if (*p6 > SOCKET_MAX) {
+			close(*p6);
+			*p6 = -1;
+			return -EIO;
+		}
+
 		tcp_sock_set_bufsize(a->c, *p6);
 	}
 
-- 
cgit v1.2.3