Bug 133372 - osl_connectSocketTo crashes with > 1024 file descriptors
Summary: osl_connectSocketTo crashes with > 1024 file descriptors
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: sdk
Version (earliest affected): Inherited From OOo
Hardware: All
OS: Linux (All)
Importance: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Crash
Reported: 2020-05-25 12:58 UTC by straub
Modified: 2024-10-19 03:17 UTC

See Also:
Crash report or crash signature:


Description straub 2020-05-25 12:58:44 UTC
osl_connectSocketTo() uses the select(...) call together with the fd_set data structures to wait for a connection to be established.

The fd_set data structure contains a fixed-size array that uses the __FD_SETSIZE macro. This macro is typically set to 1024.

By calling ulimit -n 4096, a user can typically increase the number of usable file descriptors beyond 1024 up to the hard limit as set by the system administrator.

But since fd_set supports up to 1024 file descriptors (unless someone changed the __FD_SETSIZE macro), the osl_connectSocketTo() method will corrupt the stack if a socket uses a file descriptor >= 1024.

In my scenario, the method crashed with stack corruption when creating a new IPC bridge:
/lib64/libc.so.6(gsignal+0x37)[0x7ffff685e1f7]
/lib64/libc.so.6(abort+0x148)[0x7ffff685f8e8]
/lib64/libc.so.6(+0x74f47)[0x7ffff689df47]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7ffff6938d87]
/lib64/libc.so.6(__fortify_fail+0x0)[0x7ffff6938d50]
libuno_sal.so.3(osl_connectSocketTo+0xa38)[0x7ffff5a93098]
libiolo.so(+0x1b004)[0x7fffe7eea004]
libuuresolverlo.so(+0x37ee)[0x7fffe81237ee]

Stack Overflow suggests using poll instead of select:
https://stackoverflow.com/questions/7976388/increasing-limit-of-fd-setsize-and-select
Comment 1 Stephan Bergmann 2020-05-25 13:41:30 UTC
Indeed, SUSv4 states that the behavior of FD_SET "is undefined if the fd argument is less than 0 or greater than or equal to FD_SETSIZE".  (It also states that select shall return EINVAL if its "nfds argument is less than 0 or greater than FD_SETSIZE", but by then we've already run into undefined behavior.)

A patch switching to poll is welcome.  :)
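The select()/fd_set wait the report describes, the FD_SETSIZE range check, and the poll()-based wait Comment 1 asks for, as an added worked example. This is not LibreOffice code: the names fd_fits_fd_set, wait_connect_select_unguarded, wait_connect_select, wait_connect_poll and demo_high_fd are hypothetical stand-ins for the wait loop inside osl_connectSocketTo(), not symbols from sal, and the socketpair/F_DUPFD setup is a constructed way to obtain a connected socket numbered >= FD_SETSIZE offline.

```c
/* Added example, not code from LibreOffice: the select()/fd_set wait described in the
 * report beside a poll()-based wait that has no FD_SETSIZE ceiling. The wait_connect_*
 * helpers and demo_high_fd() are hypothetical stand-ins for the wait inside
 * osl_connectSocketTo(), not its implementation. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* fd_set is a fixed bit array of FD_SETSIZE bits (1024 with glibc). FD_SET() with
 * fd >= FD_SETSIZE writes outside that array: with _FORTIFY_SOURCE glibc detects it and
 * calls __fortify_fail() -> abort(), the trace in the report; without it the write
 * silently corrupts the caller's stack frame. */
int fd_fits_fd_set(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* The buggy shape: a select()-based wait with no range check on fd.
 * Only ever call this through wait_connect_select() below. */
int wait_connect_select_unguarded(int fd, int timeout_ms) {
    fd_set wr;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    FD_ZERO(&wr);
    FD_SET(fd, &wr);   /* undefined behaviour once fd >= FD_SETSIZE */
    return select(fd + 1, NULL, &wr, NULL, &tv);
}

/* Minimal mitigation if select() must stay: refuse what the fd_set cannot hold
 * instead of letting FD_SET() overrun it. */
int wait_connect_select(int fd, int timeout_ms) {
    if (!fd_fits_fd_set(fd)) { errno = EINVAL; return -1; }
    return wait_connect_select_unguarded(fd, timeout_ms);
}

/* The fix Comment 1 asks for: poll() takes the descriptor number itself, so any fd the
 * process may hold is fine. Returns 1 when the non-blocking connect() completed
 * successfully, 0 on timeout, -1 on error with errno set. */
int wait_connect_poll(int fd, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = POLLOUT, .revents = 0 };
    int r, err = 0;
    socklen_t len = sizeof err;
    do { r = poll(&p, 1, timeout_ms); } while (r < 0 && errno == EINTR);
    if (r <= 0) return r;
    /* Writable means the connect finished; SO_ERROR says whether it succeeded. */
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) return -1;
    if (err != 0) { errno = err; return -1; }
    return 1;
}

/* Reproduce the report's condition offline: raise the soft RLIMIT_NOFILE (what
 * `ulimit -n 4096` does), get a connected socket whose descriptor number is
 * >= FD_SETSIZE, and wait on it both ways. Returns 1 if poll() handled it and the
 * guarded select() path refused it, 2 if this environment's hard limit does not allow a
 * descriptor that high, 0 on any other failure. */
int demo_high_fd(void) {
    struct rlimit rl;
    int sv[2], high, result;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
        rlim_t want = (rl.rlim_max == RLIM_INFINITY || rl.rlim_max > 4096) ? 4096 : rl.rlim_max;
        if (rl.rlim_cur < want) { rl.rlim_cur = want; setrlimit(RLIMIT_NOFILE, &rl); }
    }
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    high = fcntl(sv[0], F_DUPFD, FD_SETSIZE);   /* lowest free descriptor >= FD_SETSIZE */
    if (high < 0) {
        result = (errno == EMFILE || errno == EINVAL) ? 2 : 0;  /* limit too low to reproduce */
    } else {
        int poll_ok = wait_connect_poll(high, 100) == 1;      /* peer end is open: writable */
        int guarded = wait_connect_select(high, 100) == -1 && errno == EINVAL;
        result = (poll_ok && guarded) ? 1 : 0;
        close(high);
    }
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void) {
    int r = demo_high_fd();
    printf("FD_SETSIZE=%d, demo_high_fd() -> %d (1 = reproduced and handled by poll, "
           "2 = fd limit too low to reproduce)\n", FD_SETSIZE, r);
    return r == 0;
}
```

The unguarded function is kept only to show the shape of the bug; the demo never reaches FD_SET() with a descriptor at or above FD_SETSIZE, because doing so is exactly the undefined behaviour Comment 1 cites, and with glibc's fortified FD_SET it ends in __fortify_fail() just like the trace in the report. If demo_high_fd() returns 2, the hard limit in that shell is at or below FD_SETSIZE; raise it (ulimit -n 4096 as in the report, or as root) and rerun.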
Comment 2 QA Administrators 2022-05-26 03:43:13 UTC Comment hidden (obsolete)
Comment 3 Marc-Oliver Straub 2022-05-27 06:59:27 UTC
Still present in HEAD
Comment 4 QA Administrators 2024-10-19 03:17:58 UTC
Dear straub,

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the information from Help - About LibreOffice.
 
If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice.

Please DO NOT

Update the version field
Reply via email (please reply directly on the bug tracker)
Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case)


If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:
1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/

2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to 'inherited from OOo';
4b. If the bug was not present in 3.3 - add 'regression' to keyword


Feel free to come ask questions or to say hello in our QA chat: https://web.libera.chat/?settings=#libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug