Dmitry V. Levin | e837b14 | 2015-02-04 02:09:52 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Based on test by Dr. David Alan Gilbert <dave@treblig.org> |
| 3 | */ |
| 4 | #include <assert.h> |
| 5 | #include <unistd.h> |
| 6 | #include <sys/select.h> |
| 7 | |
/*
 * 0x1000000 bytes (16 MiB) of fd_set storage rather than a single fd_set.
 * main() hands set and set + 1 to select() together with nfds values that
 * are negative or larger than FD_SETSIZE, so whatever reads the sets by
 * nfds must find a large chunk of valid memory behind the pointers.
 */
static fd_set set[0x1000000 / sizeof(fd_set)];
| 9 | |
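/*
 * Regression test driver: issues select() with an ordinary nfds, a
 * negative nfds and an nfds above FD_SETSIZE, checking each return value.
 *
 * The system calls are made outside assert() so that a build with
 * -DNDEBUG still executes them; only the result checks compile away.
 *
 * Returns 0 on success; a failed check aborts via assert().
 */
int main(void)
{
	int fds[2];
	struct timeval timeout = { .tv_sec = 0, .tv_usec = 100 };
	int rc;

	/*
	 * Free descriptors 0 and 1 so the pipe lands on them: pipe() takes
	 * the lowest unused descriptors, read end first.
	 */
	(void) close(0);
	(void) close(1);
	rc = pipe(fds);
	assert(rc == 0);
	/* Every FD_SET() below hard-codes 0 and 1, so pin that assumption. */
	assert(fds[0] == 0 && fds[1] == 1);

	/*
	 * Start with a nice simple select.
	 * The same set is passed as read, write and except set; the
	 * expected result of 1 matches the write end of the empty pipe
	 * being the only ready descriptor.
	 */
	FD_ZERO(set);
	FD_SET(0, set);
	FD_SET(1, set);
	rc = select(2, set, set, set, NULL);
	assert(rc == 1);

	/*
	 * Now the crash case that trinity found, negative nfds
	 * but with a pointer to a large chunk of valid memory.
	 * The call itself must fail with -1; anything that sizes a copy
	 * of the set from nfds has to reject the negative value first.
	 */
	FD_ZERO(set);
	FD_SET(1, set);
	rc = select(-1, NULL, set, NULL, NULL);
	assert(rc == -1);

	/*
	 * Another variant, with nfds exceeding FD_SETSIZE limit.
	 * FD_SETSIZE + 1 bits do not fit in one fd_set, so reads by nfds
	 * run past set[0] and set[1]; the oversized static array keeps
	 * those reads inside valid memory.  Only the read end of the empty
	 * pipe is watched, so the 100 usec timeout expires and 0 is
	 * returned.
	 */
	FD_ZERO(set);
	FD_SET(0, set);
	rc = select(FD_SETSIZE + 1, set, set + 1, NULL, &timeout);
	assert(rc == 0);

	/* rc is otherwise unused when assert() is compiled out. */
	(void) rc;
	return 0;
}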