Description
I did this
Used curl v7.78.0 with xmlrpc-c (which calls curl_multi_fdset()) in an application with more than 1023 open file descriptors.
I expected the following
No crash (but got memory corruption)
curl/libcurl version
curl 7.78.0 (x86_64-conda-linux-gnu) libcurl/7.78.0 OpenSSL/1.1.1k zlib/1.2.11 libssh2/1.9.0 nghttp2/1.43.0
Release-Date: 2021-07-21
Obtained curl from conda-forge:
# Name Version Build Channel
libcurl 7.78.0 h2574ce0_0 conda-forge
operating system
Linux 031b5845863a 3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Problem
xmlrpc-c uses curl_multi_fdset() unconditionally (whether or not HAVE_FINE_POLL is set while building curl). #7241 disabled checking the file descriptor values against FD_SETSIZE when HAVE_FINE_POLL is defined. I guess this is fine for curl itself, because it probably doesn't call curl_multi_fdset() when using poll() instead of select(), but calling curl_multi_fdset() in an application with more than FD_SETSIZE file descriptors might now result in memory corruption.
If this behavior is intended (i.e. curl_multi_fdset() is not safe to be called when HAVE_FINE_POLL is defined), this should at the very least be documented. Specifically this sentence from the curl_multi_fdset() man page is not correct anymore:
If one of the sockets used by libcurl happens to be larger than what can be set
in an fd_set, which on POSIX systems means that the file descriptor is larger
than FD_SETSIZE, then libcurl will try to not set it.
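The kind of range check the report describes as skipped, written as an added example that is not code from the issue, from libcurl or from xmlrpc-c: a descriptor is put into an `fd_set` only when it is below FD_SETSIZE, and the caller is told how many were left out. The helper names `fdset_add_checked` and `fdset_fill` and the descriptor numbers are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>

/* Hypothetical helper: add fd to the set only if an fd_set can hold it.
 * FD_SET() on a descriptor >= FD_SETSIZE writes past the fd_set bitmap. */
static bool fdset_add_checked(int fd, fd_set *set, int *maxfd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return false;
    FD_SET(fd, set);
    if (fd > *maxfd)
        *maxfd = fd;
    return true;
}

/* Hypothetical helper: build an fd_set from fds[0..n). Returns how many
 * descriptors were left out; non-zero means select() cannot watch them all
 * and the caller has to use poll() for this batch. */
static size_t fdset_fill(const int *fds, size_t n, fd_set *set, int *maxfd)
{
    size_t skipped = 0;

    FD_ZERO(set);
    *maxfd = -1;
    for (size_t i = 0; i < n; i++) {
        if (!fdset_add_checked(fds[i], set, maxfd))
            skipped++;
    }
    return skipped;
}

int main(void)
{
    /* Constructed descriptor numbers, as in a process with >1023 open fds. */
    const int fds[] = { 5, FD_SETSIZE - 1, FD_SETSIZE, FD_SETSIZE + 476 };
    fd_set readset;
    int maxfd;
    size_t skipped = fdset_fill(fds, sizeof fds / sizeof fds[0], &readset, &maxfd);

    printf("maxfd=%d skipped=%zu\n", maxfd, skipped);
    return 0;
}
```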