From 33d816aff99020b57b54961df60ca0e843a1178f Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 24 Feb 2021 19:49:44 +0100
Subject: [PATCH] Fix stack buffer overflow in net functions with large file
 descriptor

Fix a stack buffer overflow with mbedtls_net_recv_timeout() when given a
file descriptor that is beyond FD_SETSIZE. The bug was due to not checking
that the file descriptor is within the range of an fd_set object.

Fix #4169

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 ChangeLog.d/net_poll-fd_setsize.txt | 3 +++
 library/net_sockets.c               | 7 +++++++
 2 files changed, 10 insertions(+)
 create mode 100644 ChangeLog.d/net_poll-fd_setsize.txt

diff --git a/ChangeLog.d/net_poll-fd_setsize.txt b/ChangeLog.d/net_poll-fd_setsize.txt
new file mode 100644
index 000000000..23b11bb59
--- /dev/null
+++ b/ChangeLog.d/net_poll-fd_setsize.txt
@@ -0,0 +1,3 @@
+Security
+   * Fix a stack buffer overflow with mbedtls_net_recv_timeout() when given a
+     file descriptor that is beyond FD_SETSIZE. Reported by FigBug in #4169.
diff --git a/library/net_sockets.c b/library/net_sockets.c
index 2876f8fdd..e19d84a29 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -535,6 +535,13 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
     if( fd < 0 )
         return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
 
+    /* A limitation of select() is that it only works with file descriptors
+     * up to FD_SETSIZE. This is a limitation of the fd_set type. Error out
+     * early, because attempting to call FD_SET on a large file descriptor
+     * is a buffer overflow on typical platforms. */
+    if( fd >= FD_SETSIZE )
+        return( MBEDTLS_ERR_NET_RECV_FAILED );
+
     FD_ZERO( &read_fds );
     FD_SET( fd, &read_fds );