[Libreoffice-bugs] [Bug 133372] New: osl_connectSocketTo crashes with > 1024 file descriptors
bugzilla-daemon at bugs.documentfoundation.org
Mon May 25 12:58:44 UTC 2020
https://bugs.documentfoundation.org/show_bug.cgi?id=133372
Bug ID: 133372
Summary: osl_connectSocketTo crashes with > 1024 file descriptors
Product: LibreOffice
Version: Inherited From OOo
Hardware: All
OS: Linux (All)
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: sdk
Assignee: libreoffice-bugs at lists.freedesktop.org
Reporter: straub at sb-software.de
osl_connectSocketTo() uses the select(...) call together with the fd_set data
structures to wait for a connection to be established.
The fd_set data structure contains a fixed-size array that uses the
__FD_SETSIZE macro. This macro is typically set to 1024.
By calling ulimit -n 4096, a user can typically increase the number of usable
file descriptors beyond 1024 up to the hard limit as set by the system
administrator.
But since fd_set supports up to 1024 file descriptors (unless someone changed
the __FD_SETSIZE macro), the osl_connectSocketTo() method will corrupt the
stack if a socket uses a file descriptor >= 1024.
In my scenario, the method crashed with stack corruption when creating a new
IPC bridge:
/lib64/libc.so.6(gsignal+0x37)[0x7ffff685e1f7]
/lib64/libc.so.6(abort+0x148)[0x7ffff685f8e8]
/lib64/libc.so.6(+0x74f47)[0x7ffff689df47]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7ffff6938d87]
/lib64/libc.so.6(__fortify_fail+0x0)[0x7ffff6938d50]
libuno_sal.so.3(osl_connectSocketTo+0xa38)[0x7ffff5a93098]
libiolo.so(+0x1b004)[0x7fffe7eea004]
libuuresolverlo.so(+0x37ee)[0x7fffe81237ee]
Stack Overflow suggests using poll instead of select:
https://stackoverflow.com/questions/7976388/increasing-limit-of-fd-setsize-and-select
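The poll-based wait suggested in the report, as an added example that is not part of the original message and is not LibreOffice code. The function names fd_fits_fd_set, wait_connected and dup_above_fd_setsize are hypothetical; the last one exists only to produce a descriptor number at or above FD_SETSIZE for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/socket.h>

/* FD_SET(fd, &set) writes outside the fixed-size fd_set when
 * fd >= FD_SETSIZE, so select() is only usable below that value. */
int fd_fits_fd_set(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* Wait for a non-blocking connect() on fd to finish. poll() takes the
 * descriptor by value, so there is no FD_SETSIZE ceiling.
 * Returns 0 when connected, -1 with errno set on error or timeout. */
int wait_connected(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLOUT };
    int rc, err = 0;
    socklen_t len = sizeof err;

    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);
    if (rc == 0)
        errno = ETIMEDOUT;
    if (rc <= 0)
        return -1;
    /* POLLOUT, POLLERR and POLLHUP all end the wait; SO_ERROR has the verdict. */
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0)
        return -1;
    if (err != 0) {
        errno = err;
        return -1;
    }
    return 0;
}

/* Constructed demo helper (assumption): copy fd to a descriptor number
 * >= FD_SETSIZE, raising the soft limit as `ulimit -n 4096` would.
 * Returns the new descriptor, or -1 if the hard limit does not allow it. */
int dup_above_fd_setsize(int fd)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur <= (rlim_t)FD_SETSIZE) {
        rl.rlim_cur = rl.rlim_max < (rlim_t)4096 ? rl.rlim_max : (rlim_t)4096;
        (void)setrlimit(RLIMIT_NOFILE, &rl);
    }
    return fcntl(fd, F_DUPFD, FD_SETSIZE);
}
```

Code that has to keep using select() can call a guard like fd_fits_fd_set() first and fail the connection cleanly instead of reaching FD_SET with an out-of-range descriptor.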