Fix lwpSleepFd()'s guard against unusable fd

0 <= fd < FD_SETSIZE must hold, or else undefined behavior in FD_SET()
and buffer overrun in LwpFdwait[fd].  Check of upper bound off by one,
check of lower bound missing.

diff --git a/src/lib/lwp/sel.c b/src/lib/lwp/sel.c
index 0d0e3224821d2cf6c577a91e39672069674dafa7..5920f41a5f1dc7337f693ed8f8e6eb0ff53e66cc 100644 (file)
--- a/src/lib/lwp/sel.c
+++ b/src/lib/lwp/sel.c
@@ -29,7 +29,7 @@
  *
  *  Known contributors to this file:
  *     Dave Pare, 1994
- *     Markus Armbruster, 2007
+ *     Markus Armbruster, 2007-2011
  *     Ron Koenderink, 2009
  */
 
@@ -81,7 +81,7 @@ lwpSleepFd(int fd, int mask, struct timeval *timeout)
 {
     lwpStatus(LwpCurrent, "sleeping on fd %d for %d", fd, mask);
 
-    if (CANT_HAPPEN(fd > FD_SETSIZE)) {
+    if (CANT_HAPPEN(fd < 0 || fd >= FD_SETSIZE)) {
        errno = EBADF;
        return -1;
     }